The rule has eight exceptions to information blocking. If an exception applies, the practice does not constitute information blocking and is OK.
Here we discuss the four exceptions most likely to be relevant to psychologists. Some of these align with HIPAA Privacy Rule limitations on patient access, including access by a patient’s personal representatives. Many of the exceptions or sub-exceptions have specific conditions; we share some of the most important ones.
For additional details about all eight groups of exceptions including sub-exceptions, see the ONC’s information blocking fact sheet (PDF, 566KB).
A. Privacy exception
Denial of a patient’s request for access consistent with HIPAA patient access limitations
This exception mirrors the HIPAA Privacy Rule provisions on what Protected Health Information (PHI) patients have access to, and the unreviewable grounds for denying access. Denying access to the following types of information does not constitute information blocking:
- Psychotherapy notes as defined by HIPAA.4
- Forensic EHI. In other words, EHI prepared in anticipation of litigation or administrative proceedings.
- EHI that was obtained from someone other than a health care provider under a promise of confidentiality, where the requested access would be reasonably likely to reveal the source of the information.
Potential applications
Most of these are obvious, but as discussed in “What strategies might help psychologists adapt to direct patient access?” below, the psychotherapy notes exception may be an option for temporarily holding patient information while you figure out how to treat it or segment it.
Consent, verifying authority, and other legal preconditions5
This sub-exception applies if you are required by a state or federal law to satisfy a precondition prior to providing access to EHI. Examples include verifying the authority of a personal representative or obtaining a patient’s signed written consent.6
Potential applications
This exception should apply to requests for access by a patient’s personal representative. Generally, HIPAA and/or state law require that you verify the representative’s legal authority and scope of authority to act on behalf of the patient before giving them access to the patient’s PHI. In divorce/custody situations, you typically need to determine whether the requesting parent has legal authority under the custody order.
Respecting a patient’s request not to share information
This exception applies if the patient has requested limitations on sharing their EHI; honoring that request would not constitute information blocking. You must not “improperly” encourage or induce the patient’s request for limitations. ONC’s comments to the rule indicate that improper behavior would include misleading a patient about the nature of the consent to be provided, and imposing onerous requirements to effectuate consent that were unnecessary and not required by law.
B. Harm exception
This exception applies where in your professional judgment, you determine that denying access will substantially reduce a risk of harm to a patient or another person. Actions include:
- Refusing to disclose EHI where that would endanger the life or physical safety of a patient or another person (and your determination is based on a current or prior psychologist-patient relationship).
- Not sharing EHI that is corrupt, inaccurate, or erroneous.
C. Infeasibility exception
This exception recognizes that legitimate practical challenges may limit your ability to provide access to EHI. For example, you may not have—and may be unable to obtain—the requisite technological capabilities, legal rights, or other means necessary to enable access. To qualify under this exception, one of the following conditions must apply:
Infeasible under the circumstances
This sub-exception will be critical for psychologists using EHR vendors that have not yet provided instant access capability for patients, in other words vendors of uncertified EHRs. You must demonstrate that your consideration of the following factors supports your determination that complying with the request would be infeasible under the circumstances. The factors are:
- the type of EHI sought and the purposes for which it may be needed;
- your cost of complying with the request in the manner requested;
- your available financial and technical resources;
- whether your practice is nondiscriminatory; and
- why you were unable to provide access, exchange, or use of EHI consistent with the content and manner exception.
Additional requirements
You must demonstrate your analysis prior to responding to the request, through a contemporaneous written record or other documentation—see the end of this section. (This demonstrates that you didn’t deny access and then figure out how to justify the denial later.) Your consideration must be consistent and nondiscriminatory; in other words, you apply the factors evenly to all patients seeking access.
Potential applications
As noted above, this exception should apply if your EHR vendor has not yet developed the changes necessary to allow direct patient access (and have a certified EHR), and it would be unduly expensive and burdensome, given your practice’s economic means, to shift over to an EHR vendor that offers that capability immediately. Going forward, as long as your EHR vendor has not made the necessary updates, or updates are prohibitively expensive/burdensome, this exception should apply. (Because CMS requires the use of certified health IT under its Promoting Interoperability Programs, more EHR vendors may seek ONC certification in the future. Nonetheless, some predict that common EHR platforms used by psychologists will not add this capacity because it is very expensive.) Conversely, however, this exception may be hard to rely upon either if your EHR vendor makes instant access capability available at an affordable price, or if competing vendors provide an affordable alternative and switching EHR systems is not unduly burdensome.
Update: If you start receiving patient request for immediate direct access to your uncertified EHR (and your vendor has not offered an affordable option for you to upgrade to a certified EHR), it would be advisable to document that your analysis of the 5 bulleted factors listed above has led to your determination that switching to a certified EHR to enable such access for all patients is unfeasible under the circumstances.
Segmentation
You are unable to fulfill the request for access to EHI because you cannot unambiguously segment (separate) the requested EHI from EHI that:
- cannot be made available either due to patient’s preference or because the EHI cannot be made available by law; or
- may be withheld under with Harm exception.
Potential applications
This exception would apply if records involve multiple patients, e.g., family or couples therapy; where part of the EHI creates patient harm concerns; and potentially for test protocols and responses that are electronically comingled. In other words, the test is set up digitally so that the test questions cannot be electronically separated from the test answers. (We have not yet heard examples of such comingled protocols and responses.)
Potential applications for the harm exception might be where a patient’s personal representative would normally have access the EHI, there is an isolated reference to potential abuse, and you do not have the option to put that reference in the psychotherapy notes.
Uncontrollable events exception
You cannot fulfill the request for access to EHI for events beyond your control like natural or man-made disaster, public health emergency, public safety incident, civil insurrection, labor strike, telecommunication or internet service interruption, or act of a regulatory authority.
Potential applications
These applications are mostly obvious. We note, however, that “public health emergency” is specifically listed. It may be hard to claim that the current COVID-19 public health emergency is an excuse because it will have been ongoing for almost a year when this rule becomes effective. However, this might be a viable exception if your area has recently seen a spike in cases that is overwhelming health care systems and impacting the ability of your facility or practice to focus on EHI access for patients.
D. Fees exception
It will not be information blocking for you to charge fees for accessing, exchanging, or using EHI, provided certain conditions are met. The purpose of this exception is to enable you to charge fees related to the development of technologies and provision of services that enhance interoperability, while not protecting certain opportunistic fees, and exclusionary practices that interfere with access, exchange, or use of EHI.
Conditions include that your fees must:
- be based on objective and verifiable criteria that are uniformly applied for all similarly situated classes of persons or entities and requests, e.g., you charge the same fees to all patients; and
- be reasonably related to your costs of providing that type of access.
For the purposes of this information blocking exception, a provider may include fees that result in a reasonable profit margin. But this FAQ focuses on patient access, and HIPAA prohibits charging patients anything more than cost-based fees for accessing their records.