CURES Act - Information Blocking
Recently we have received several questions on how the CURES Act will impact how we handle things in MacPractice. Understandably, everyone wishes to ensure they are compliant with new laws. This article will contain a synopsis of the requirements of the CURES Act, and best recommended practices to ensure you are compliant.
As a reminder, these rules will go into effect on April 5th, 2021.
Note: This article has been updated with additional information on the October 6 Content and Manner exception. To be fully compliant, you will need to update to either Build 14.5.5 or Build 15.5.1 of MacPractice. Please review this linked article here for more detail.
Do I have to share all of a patient's information, or only specific incidents?
Is there an exemption for psychotherapy notes or clinical information regarding court cases?
Can I exclude information if it would constitute patient harm?
What is Information Blocking?
The CURES Act restricts Information Blocking and defines possible civil penalties. So what is Information Blocking?
Information Blocking is essentially restricting the kinds of EHI that a patient is entitled to. A Provider is required to share any requested information with a patient or a patient's provider.
“The information blocking provision defines and creates possible penalties and disincentives for information blocking in broad terms, while working to deter the entire spectrum of practices that unnecessarily impede the flow of EHI or its use to improve health and the delivery of care.”21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program
Are health care providers subject to the information blocking regulation even if they do not use any certified practice management software?
Yes. Regardless of the practice management software solution used, you will be required to comply with the Information Blocking rules in the CURES act.
“Yes, any individual or entity that meets the definition of at least one category of actor—“health care provider,” “health IT developer of certified health IT,” or “health information network or health information exchange” —as defined in 45 CFR 171.102 is subject to the information blocking regulation in 45 CFR part 171. The information blocking regulation in 45 CFR part 171 apply to a health care provider, as defined in the Public Health Service Act and incorporated in 45 C.F.R 171.102, regardless of whether any of the health IT the provider uses is certified under the ONC Health IT Certification Program.”https://www.healthit.gov/curesrule/resources/information-blocking-faqs
When do I have to comply?
These rules went into effect on April 5, 2021.
There is also an additional component of the rules that go into effect on October 6, 2022. These new rules will require that EHI is not limited to the data elements represented in the USCDI standard, but there are still questions regarding what data this will cover.
We at MacPractice have already created a design for the software which would allow additional information such as narrative data to be pulled in anticipation of these changes, but rest assured we are closely monitoring the situation and will update this article accordingly with guidance once a conclusion has been reached on what data this will eventually require you to provide.
What do I have to do when there is a request for access?
The main thing to keep in mind is that any time a patient requests access to their data, you can export their Clinical Summary CCDA records to the Patient Portal in the Clinical Ability. You can do this by selecting a patient, navigating to the Clinical Ability, then you can use the Incident drop down to select an Incident to export. Once the Incident is selected, you can use the Export Incident... drop down and select "To Patient" to export this Incident to the Patient Portal.
You can also control the kinds of information that are provided by clicking the "Included Sections..." button, which may be useful if there is a need to limit certain types of health information.
You will also be prompted whether to print a paper copy of the CCDA record. From this window, you can also save the CCDA record as an .xml file by clicking the Save As... button in the lower left corner.
Can a patient generate their own Clinical Summary?
Yes! We have an article that describes this process here. As long as the patient has access to the Patient Portal, they can request a new Clinical Summary.
Do I have to share all of a patient’s information or only specific incidents?
It depends on the request. If the patient requests their full record, you may have to export each incident to ensure everything is shared. There are also exceptions to the Information Blocking regulation which you can review further down in this article.
In terms of fulfilling requests for EHI, it is important to remember that the requirement to fulfill requests for access, exchange, and use of EHI is in any case limited to what the actor may, under applicable law, permissibly disclose in response to a particular request. Under the information blocking regulation in 45 CFR part 171, the actor is only required to fulfill a request with the requested EHI that they have and that can be permissibly disclosed to the requestor under applicable federal and state law. However, for protected health information they have, but do not maintain electronically, all HIPAA requirements would still be applicable, including the right of access.”
https://www.healthit.gov/curesrule/resources/information-blocking-faqs
What about Third Party Application requirements?
There are no requirements on providers to "proactively make available any EHI to patients or others who have not requested the EHI." We have implemented the ability to utilize our Patient Portal to generate CCDAs for your patients, as mentioned previously in this article. If this requirement changes in the future, we will be happy to address it.
However, one of the requirements of the 2015 Edition Certification program is that our developer APIs for pulling information from our Patient Portals be available upon request should a provider wish to pursue developing an app to facilitate this.
Our PHI Portal API Documentation is available at this link.
Link to Dedicated Page on HealthIT.gov
Is there an exemption for psychotherapy notes or clinical information regarding court cases?
Yes. These types of notes are exempt from information blocking.
“We have defined EHI (§ 171.102) to mean electronic protected health information (ePHI) as the term is defined for HIPAA in 45 CFR 160.103 to the extent that the ePHI would be included in a designated record set as defined in 45 CFR 164.501 (other than psychotherapy notes as defined in 45 CFR 164.501 or information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding), regardless of whether the group of records are used or maintained by or for a covered entity as defined in 45 CFR 160.103.”
“In addition, we noted that two categories of information are expressly excluded from the HIPAA Privacy Rule individual right of access: (1) Psychotherapy notes, which are the notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session and that are maintained separate from the rest of the patient's medical record; and (2) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.”
Can I exclude information if it would constitute patient harm?
Yes. In MacPractice you can exclude sections from the CCDA per patient by clicking the “Included sections...” button, or globally in Preferences > Clinical > Default CDA Sections.
“It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.”
https://www.healthit.gov/cures/sites/default/files/cures/2020-03/InformationBlockingExceptions.pdf
Are there other exceptions to Information Blocking?
Yes. In addition to the Preventing Harm exception, there are a total of 8 exceptions. You can read them below. Many of these exceptions have conditions for use, which are covered in the link below. We STRONGLY encourage you to review the conditions in the link below to ensure you remain in compliance before relying on one of these exceptions!
https://www.healthit.gov/sites/default/files/cures/2020-03/InformationBlockingExceptions.pdf
Preventing Harm Exception: It will not be information blocking for a provider to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.
Privacy Exception: It will not be information blocking if a provider does not fulfill a request for access or exchanging of Electronic Health Information in order to protect an individual's privacy.
Security Exception: It will not be information blocking for a provider to interfere with the access, exchange, or use of Electronic Health Information in order to protect the security of that information, provided certain conditions are met.
Infeasibility Exception: It will not be information blocking if a provider does not fulfill a request to access, exchange, or use Electronic Health Information due to the infeasibility of the request, provided certain conditions are met.
Health IT Performance Exception: It will not be information blocking for a provider to take reasonable and necessary measures to make health information technology (such as the Patient Portal or the MacPractice Server) temporarily unavailable or to degrade the health information technology's performance for the benefit of the overall performance of the tech, provided certain conditions are met.
Content and Manner Exception: It will not be information blocking for a provider to limit the content of its response to a request to access, exchange, or use of EHI or the manner in which it fulfills a request for access, exchange, or use of EHI, provided certain conditions are met.
The important takeaway here is that an office is able to utilize this exception until October 6, 2022, as this date represents two years after the publication date of these rules.
A very shorthand explanation is that after October 6, 2022, CCDAs exported must meet certain requirements.
MacPractice developers are finalizing the changes to our CCDAs as required by § 171.102 in the United States Core Data for Interoperability (USCDI) standard
MacPractice has released Build 14.5.5 and Build 15.5.1. These builds are in compliance with the new USCDI requirements. You can read more about these builds here.
Fees Exception: It will not be information blocking for a provider to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.
Licensing Exception: It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.
Relevant Links with Official Information
ONC Interim Final Rule: Information Blocking and the ONC Health IT Certification Program
New Applicability Dates included in ONC Interim Final Rule: Information Blocking