Detailed FAQs about the information blocking rule

In March 2020, as the COVID-19 pandemic began to take hold in the United States, the Department of Health and Human Services (HHS’) Office of the National Coordinator for Health IT (ONC) issued a rule to give patients easier and quicker access to their digital health data (the rule).¹ The rule does so by prohibiting “information blocking” practices by providers and others that interfere with that access. Information blocking refers to technical, business, and administrative processes and systems that block the free flow of patients’ electronic health information (EHI) among health care entities and patients.

This FAQ provides a detailed analysis of the rule and its confusing overlap with Health Insurance Portability and Accountability Act (HIPAA) requirements. This FAQ addresses member questions concerning patient access to electronic health records—known as EHRs.² For more information about record keeping and complying with the information blocking rule, please see the presentation, “Recordkeeping, Patient Access, and Other Legal and Risk Management Issues.”

In general, information blocking is a practice by a psychologist (or other health care provider, health IT developer, health information network, or health information exchange) that is likely to interfere with access, exchange, or use of electronic health information (EHI) by the patient. There are exceptions to the rule (see “What are the key exceptions to information blocking?”).

Examples of potential information blocking, i.e., actions that would not be acceptable under this rule, include:

• EHR systems that put or allow an automatic hold on certain psychological records/mental health progress notes while psychologists determine what EHI is appropriate to include in the system (e.g., minor proxies and multiple patients).
• EHR systems that allow psychologists to simply classify that EHI is “sensitive” (without further justification) to limit access within the system.
• Practices that restrict access more than is legally justified (e.g., restricting patient access more than permitted under the HIPAA Privacy Rule and state law).
• Limiting the interoperability of health IT (e.g., disabling a capability that would allow sharing EHI with patients).

A. What is EHI?

EHI is similar to electronic PHI as defined under HIPAA, but it has a more technical definition. (EHI is limited to the data elements listed in the U.S. Core Data for Interoperability (USCDI) V1 standard, which is designed for interoperability and exchange of electronic health data.)

Our review of this standard indicates that it covers most data that a psychologist would keep in an EHR, including clinical notes, progress notes, assessment and treatment plan, health concerns. (Psychotherapy notes are not listed but they fall within the privacy exclusion discussed in FAQ 2.A below).

Psychological and neuropsychological testing data and reports. This type of information is the one exception to most psychological records fitting the definition of EHI. We’ve had some initial success with the argument that test data and reports are do not fit into the very medically-oriented USCDI data elements.

For example, psychological and neuropsychological test reports are essentially an expert psychologist’s analysis of psychological and neuropsychological test results. While the USCDI data elements include categories for experts’ interpretation of common medical test results, like imaging, blood, and other lab tests and pathology tests, there is no parallel category for the interpretation of psychological or neuropsychological tests. The argument that test reports are not EHI has allowed psychologists at one hospital to continue a practice of withholding them from the hospital’s EHR until a psychologist is able to discuss the report with the patient—and not have that withholding be considered information blocking.

The rule has eight exceptions to information blocking. If an exception applies, the practice does not constitute information blocking and is OK.

Here we discuss the four exceptions most likely to be relevant to psychologists. Some of these align with HIPAA Privacy Rule limitations on patient access, including access by a patient’s personal representatives. Many of the exceptions or sub-exceptions have specific conditions; we share some of the most important ones.

For additional details about all eight groups of exceptions including sub-exceptions, see the ONC’s information blocking fact sheet (PDF, 566KB).

A. Privacy exception

Denial of a patient’s request for access consistent with HIPAA patient access limitations

This exception mirrors the HIPAA Privacy Rule provisions on what Protected Health Information (PHI) patients have access to, and the unreviewable grounds for denying access. Denying access to the following types of information does not constitute information blocking:

• Psychotherapy notes as defined by HIPAA.⁴
• Forensic EHI. In other words, EHI prepared in anticipation of litigation or administrative proceedings.
• EHI that was obtained from someone other than a health care provider under a promise of confidentiality, where the requested access would be reasonably likely to reveal the source of the information.

Potential applications

Most of these are obvious, but as discussed in “What strategies might help psychologists adapt to direct patient access?” below, the psychotherapy notes exception may be an option for temporarily holding patient information while you figure out how to treat it or segment it.

Consent, verifying authority, and other legal preconditions⁵

This sub-exception applies if you are required by a state or federal law to satisfy a precondition prior to providing access to EHI. Examples include verifying the authority of a personal representative or obtaining a patient’s signed written consent.⁶

Potential applications

This exception should apply to requests for access by a patient’s personal representative. Generally, HIPAA and/or state law require that you verify the representative’s legal authority and scope of authority to act on behalf of the patient before giving them access to the patient’s PHI. In divorce/custody situations, you typically need to determine whether the requesting parent has legal authority under the custody order.

Respecting a patient’s request not to share information

This exception applies if the patient has requested limitations on sharing their EHI; honoring that request would not constitute information blocking. You must not “improperly” encourage or induce the patient’s request for limitations. ONC’s comments to the rule indicate that improper behavior would include misleading a patient about the nature of the consent to be provided, and imposing onerous requirements to effectuate consent that were unnecessary and not required by law.

B. Harm exception

This exception applies where in your professional judgment, you determine that denying access will substantially reduce a risk of harm to a patient or another person. Actions include:

• Refusing to disclose EHI where that would endanger the life or physical safety of a patient or another person (and your determination is based on a current or prior psychologist-patient relationship).
• Not sharing EHI that is corrupt, inaccurate, or erroneous.

C. Infeasibility exception

This exception recognizes that legitimate practical challenges may limit your ability to provide access to EHI. For example, you may not have—and may be unable to obtain—the requisite technological capabilities, legal rights, or other means necessary to enable access. To qualify under this exception, one of the following conditions must apply:

Infeasible under the circumstances

This sub-exception will be critical for psychologists using EHR vendors that have not yet provided instant access capability for patients, in other words vendors of uncertified EHRs. You must demonstrate that your consideration of the following factors supports your determination that complying with the request would be infeasible under the circumstances. The factors are:

• the type of EHI sought and the purposes for which it may be needed;
• your cost of complying with the request in the manner requested;
• your available financial and technical resources;
• whether your practice is nondiscriminatory; and
• why you were unable to provide access, exchange, or use of EHI consistent with the content and manner exception.

Additional requirements

You must demonstrate your analysis prior to responding to the request, through a contemporaneous written record or other documentation—see the end of this section. (This demonstrates that you didn’t deny access and then figure out how to justify the denial later.) Your consideration must be consistent and nondiscriminatory; in other words, you apply the factors evenly to all patients seeking access.

Potential applications

As noted above, this exception should apply if your EHR vendor has not yet developed the changes necessary to allow direct patient access (and have a certified EHR), and it would be unduly expensive and burdensome, given your practice’s economic means, to shift over to an EHR vendor that offers that capability immediately. Going forward, as long as your EHR vendor has not made the necessary updates, or updates are prohibitively expensive/burdensome, this exception should apply. (Because CMS requires the use of certified health IT under its Promoting Interoperability Programs, more EHR vendors may seek ONC certification in the future. Nonetheless, some predict that common EHR platforms used by psychologists will not add this capacity because it is very expensive.) Conversely, however, this exception may be hard to rely upon either if your EHR vendor makes instant access capability available at an affordable price, or if competing vendors provide an affordable alternative and switching EHR systems is not unduly burdensome.

Update: If you start receiving patient request for immediate direct access to your uncertified EHR (and your vendor has not offered an affordable option for you to upgrade to a certified EHR), it would be advisable to document that your analysis of the 5 bulleted factors listed above has led to your determination that switching to a certified EHR to enable such access for all patients is unfeasible under the circumstances.

Segmentation

You are unable to fulfill the request for access to EHI because you cannot unambiguously segment (separate) the requested EHI from EHI that:

• cannot be made available either due to patient’s preference or because the EHI cannot be made available by law; or
• may be withheld under with Harm exception.

Potential applications

This exception would apply if records involve multiple patients, e.g., family or couples therapy; where part of the EHI creates patient harm concerns; and potentially for test protocols and responses that are electronically comingled. In other words, the test is set up digitally so that the test questions cannot be electronically separated from the test answers. (We have not yet heard examples of such comingled protocols and responses.)

Potential applications for the harm exception might be where a patient’s personal representative would normally have access the EHI, there is an isolated reference to potential abuse, and you do not have the option to put that reference in the psychotherapy notes.

Uncontrollable events exception

You cannot fulfill the request for access to EHI for events beyond your control like natural or man-made disaster, public health emergency, public safety incident, civil insurrection, labor strike, telecommunication or internet service interruption, or act of a regulatory authority.

Potential applications

These applications are mostly obvious. We note, however, that “public health emergency” is specifically listed. It may be hard to claim that the current COVID-19 public health emergency is an excuse because it will have been ongoing for almost a year when this rule becomes effective. However, this might be a viable exception if your area has recently seen a spike in cases that is overwhelming health care systems and impacting the ability of your facility or practice to focus on EHI access for patients.

D. Fees exception

It will not be information blocking for you to charge fees for accessing, exchanging, or using EHI, provided certain conditions are met. The purpose of this exception is to enable you to charge fees related to the development of technologies and provision of services that enhance interoperability, while not protecting certain opportunistic fees, and exclusionary practices that interfere with access, exchange, or use of EHI.

Conditions include that your fees must:

• be based on objective and verifiable criteria that are uniformly applied for all similarly situated classes of persons or entities and requests, e.g., you charge the same fees to all patients; and
• be reasonably related to your costs of providing that type of access.

For the purposes of this information blocking exception, a provider may include fees that result in a reasonable profit margin. But this FAQ focuses on patient access, and HIPAA prohibits charging patients anything more than cost-based fees for accessing their records.

Enforcement is by the Office of the Inspector General (OIG) of HHS. For psychologists and other providers, OIG would have to show that the provider had knowledge and intent to interfere with access. However, it would not have to show that the provider understood that they were violating the information blocking rules; therefore, ignorance of the rules would not be an excuse. Nor would OIG have to show that the information blocking caused actual damage. OIG has, however, indicated that it does not plan to take enforcement action regarding innocent mistakes.

OIG lacks authority to impose civil money penalties on providers for violating the rule.⁷ OIG currently only has power to refer providers to the appropriate agency for appropriate disincentives. Those disincentives are likely to be outlined in future proposed rules from HHS.

However, there are noncompliance consequences for providers in Medicare, Medicare Advantage, Medicaid and CHIP, and all of those eligible providers who participate in the Merit-based Incentive Payment System (MIPS). For example, CMS plans to publish a list of providers who cannot attest that they are in compliance with information blocking requirements.⁸

The following are practical steps to take based on our initial information from members. This guidance may be refined as we continue to consult with members about implementation issues, including whether their hospital/health care system and/or their EHR can accommodate potential solutions or develop guidance specific to mental health/psychological records.

These suggested strategies depend on the nature of your particular setting, practice, and patients.

• Keep lean records with the minimum information that you are required to document, or that is required for other purposes like establishing medical necessity. More extensive documentation means that you have more to review and edit for patient consumption, and there is more in the record that the patient may find confusing or disturbing.
• Write your documentation with the expectation that your patients may be able to review their records without your knowledge or ability to provide further explanation. In the past, a patient would have to submit a written request for records, giving you the opportunity to review that patient’s record for potential problems before providing access. With instantaneous access under the rule, any patient might access his/her record at any time without you having any notice.
• For situations involving minor proxy issues or multiple patients, have a clear written agreement upfront about what information will be available to whom, and develop a simple system for segregating that EHI as you enter it. It may also be helpful to ask minors or multiple patients in advance if they want to request restrictions on access. For example, in cases of multiple patients, each patient might agree to only have access records for sessions in which he/she participated.
• Where patients have particularly sensitive information or positions (e.g., celebrities or hospital executives), asking them if they want to request restrictions on access to their EHR may be a solution.
• Psychotherapy notes may be an option for therapy information where you need time to figure out what to put in accessible part of EHR and what to redact or place elsewhere, e.g., minor proxy, multiple patients, substance use information protected under 42 CFR Part 2. This will only work if your EHR and practice/institution allows for psychotherapy notes and you can meet the HIPAA definition of psychotherapy notes.⁹

What to tell patients will depend on your practice and your patient (e.g., their tech capabilities and privacy concerns), but here are some points you may want to cover:

• The rule doesn’t give patients access to all of their data. Nor does it expand what in their record they have the right to access under HIPAA and state law. Rather, it seeks to ensure health IT developers and health care systems are creating EHR systems that make it easier and faster for patients to access their data electronically.
• Ideally, patients should talk with you before accessing their EHI. But if they do access it without talking with you, they should come to you with any questions or concerns about what is said in the EHI because records are not primarily written for the patient.
• Note also that records must include many elements to establish medical necessity, and meet state, payer, or other recordkeeping requirements. Regarding medical necessity, it is important for patients to understand that insurers or government payers may refuse to cover their care if you do not accurately report the extent of their diagnosis, symptoms, problems, and lack of progress.
• You may also want to warn patients not to rely on any apps that may promise to translate medical/mental health terms into plain English for them. You can’t be certain that any app will accurately translate psychological terms, so it is better for the patient to just read the actual record and ask you to explain anything they don’t understand.

Finally, you should remind patients that you (like many other providers subject to the new rule) are trying your best to shift to documentation that is more readable and accessible to patient, but it’s a process.