The CURES Act Information Blocking Rule: 5 Practices to Avoid
By Dean McConnell
As of April 5, 2021, all health care providers are required to comply with the 21st Century Cures Act Information Blocking Rule. This Rule is intended to enhance patients’ rights to access, to promote communication and sharing of information between medical providers and with health information technology companies, and to debunk myths and practices that had arisen under the HIPAA privacy regulations that were causing roadblocks in the efficient communication of medical information.
To assist in your compliance with this complex regulation, here are five practices to avoid. These examples are taken from U.S. Department of Health and Human Services (HHS) commentary and guidance as potential information blocking related to Electronic Health Information (EHI).
Routinely delaying the posting of lab or test results until after speaking with the patient. HHS guidance repeatedly emphasizes that this practice is prohibited and that the Preventing Harm Exception will not justify a policy of withholding or delaying access to lab or test results until after the provider has had a chance to review the results and speak with the patient, except in rare and special circumstances pertaining to a particularly susceptible, individual patient.
Failing to provide same-day access to available EHI in a form and format requested by a patient or by a provider, and takes several days to respond. The records do not have to be provided unless requested. But once requested, the records are to be provided “immediately.” Immediately is not defined, however HHS commentary suggests that the provider should respond to an information request usually within a day or two—more quickly if the situation is more urgent. The HIPAA 30-day response time does not apply to the Information Blocking Rule.
Not enabling patient portal features that allow patients to directly transmit or request direct transmission of their EHI to a third party. The Information Blocking Rule involves more than just promptly posting a patient’s medical records to the patient portal or timely responding to a patient’s request for access, exchange, or use of EHI. Any policy, practice, or contract provision that interferes with a patient’s access may constitute information blocking.
Like this content? Want more like it?
Sign up to get your regional medical community news delivered to your Inbox 2X a month!
Requiring an individual’s written consent or authorization before sharing EHI with unaffiliated providers for treatment purposes when not required by state or federal law, or incorrectly claiming that the HIPAA Rules or other laws preclude a provider from exchanging EHI with unaffiliated providers. HIPAA is not as restrictive as most health care providers may think. Under HIPAA, it is permissible, but not required, to share medical records without an authorization or release of records form signed by the patient with another health care provider for treatment purposes. Requiring a patient to sign a consent or authorization when not required, or claiming it does require an authorization, is information blocking. HIPAA sets forth many other circumstances where providers are permitted, but not required, to disclose medical information without an authorization from the patient.
Failing to report required conditions, illnesses, or injuries as required by state law or failing to respond to public health or health oversight requests. As noted in guidance, if a health care provider is permitted to provide access under HIPAA, then the Information Blocking Rule would require that access so long as the provider is not otherwise prohibited by law from doing so. HIPAA sets forth many circumstances where providers are permitted, but not required, to disclose medical information without an authorization from the patient. The Information Blocking Rule would apply to requests for access from patients or their personal representatives, other health care providers (HIPAA Treatment Exception), health oversight entities such as medical boards or Medicare (HIPAA Health Oversight Exception), public health authorities (HIPAA Public Health Activities Exception), and others who may properly obtain access under HIPAA (See HIPAA Law Enforcement Exception, Judicial and Administrative Proceedings Exception, etc.).
More information may be obtained on the Office of the National Coordinator’s website at
www.healthit.gov/topic/information-blocking
This article is for informational purposes only. It is not intended as legal advice, or as a substitute for the advice of an attorney or other professional. It does not address all possible legal and other issues that may arise regarding information blocking and interoperability. Each health care provider should consult legal counsel for specific legal advice if an issue arises.