Clarifying sharing, blocking health information in HIPAA

How do information blocking regulations work in tandem with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules? On April 12, the Office for Civil Rights published a proposed rule that detailed potential changes to the HIPAA Privacy Rule. The Office of the National Coordinator for Health Information Technology (ONC) then published three related FAQs to clarify how information blocking regulations and the HIPAA Privacy Rule would work together through this newly proposed rule. For background, let's define some key terms:

Information blocking. A practice by an “actor” that interferes with access, exchange, or use of electronic health information (EHI), except as required by law (federal statutes, regulations, court orders, and binding administrative decisions or settlements, as well as state and tribal laws where applicable) or specified in an information blocking exception.

Information blocking actors. Health care clinician, health information network or health information exchange, or developer of certified health IT.

EHI. Information included in a designated record set regardless of whether the group of records is used or maintained by or for a HIPAA-covered entity.

Here is a brief summary of the ONC FAQs related to the Privacy Exception.

Q: If an individual requests that their EHI not be disclosed, is it information blocking if an actor does not disclose the EHI based on the individual's request?

A: No. If the actor's conduct satisfies the requirements for exceptions to the information blocking regulations, such as the Privacy Exception (45 CFR 171.202), this would not be considered information blocking.

Q: Would it be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to comply with federal privacy laws that require certain conditions to have been met prior to disclosure?

A: No, it would not be information blocking if the actor's practice of not fulfilling a request in such circumstances meets the Privacy Exception (45 CFR 171.202). All actors are responsible for disclosing EHI only when the disclosure is allowed under all applicable federal laws.

Q: If an actor, such as a health care clinician, operates in more than one state, is it consistent with the information blocking regulations for the clinician to implement practices to uniformly follow the state law that is the most privacy protective (more restrictive) across all the other states in which it operates?

A: Yes, if the actor satisfies the requirements of the information blocking regulations, such as the Precondition Not Satisfied sub-exception of the Privacy Exception (45 CFR 171.202(b)). Health care clinicians and other information blocking actors operating under multiple state laws with incompatible legal requirements for EHI disclosures may choose to adopt uniform policies and procedures so that the actor only makes disclosures of EHI that meet requirements of the state law providing the most protection to the individual's privacy.

On April 12, the ONC's blog, Health IT Buzz, published an overview of three aspects of the information blocking rule to remember when reading through the HIPAA Privacy Rule:

1. If another law that applies to the actor prohibits sharing EHI in a particular circumstance, such as for a particular purpose, then not sharing EHI in the particular circumstance is not information blocking.

The information blocking definition excludes practices likely to interfere with access, exchange, or use of EHI when practices are required by law, the authors explained. This includes federal statutes, regulations, court orders, and binding administrative decisions or settlements. Any information blocking actor subject to another provision of federal law (or a provision of a state or tribal law) that distinctly prohibits a certain access, exchange, or use of EHI must comply with that other law, they said.

2. If another law that applies to an actor permits the actor to share EHI only if specific requirements are met first, then information blocking regulations allow for the actor to take reasonable and necessary steps to ensure the actor shares EHI only when those requirements are met.

Health information privacy laws are framed in a way that allow access, exchange, or use of health information if only specific preconditions are satisfied and do not expressly prohibit access, exchange, or use of EHI for most purposes, according to the blog authors. The Precondition Not Satisfied (45 CFR 171.202(b)) section of the Privacy Exception provides a framework actors can follow when not fulfilling requests to access, exchange, or use EHI that the actor has determined would not be considered information blocking due to a precondition of applicable law not being satisfied, they said.

3. If federal or state laws restricting or prohibiting the sharing of EHI change, the information blocking regulations are built to automatically accommodate actors' need to comply with those other laws as soon as changes are effective.

The information blocking regulations accommodate actors' compliance with the HIPAA Privacy Rule to add, remove, or modify restrictions, prohibitions, or requirements for using or disclosing EHI, the authors explained. “The information blocking regulations likewise accommodate actors' compliance with other laws as these laws' restrictions, prohibitions, or preconditions on sharing individuals' health information evolve over time alongside the policy and technology landscape,” they wrote.

To learn more about health information technology, including information blocking, visit ACP's Health Information Technology page.