Patient Rights Grow Teeth
In April 2021, the ONC, on behalf of HHS, announced more details on the Information Blocking Rule, a component of the 21st Century Cures Act. This announcement stated that covered entities — healthcare providers, health information technology (HIT) companies, and health information exchanges (HIEs) — would be required to provide patients the ability to access and download all of their electronic health information (EHI) by no later than October 6th, 2022.
This rule seeks to help patients obtain or send copies of their medical records – something with which many of us are familiar – without undue burden. It stipulates that patients have the right to access all data stored related to their care, in electronic format. This includes but is not limited to imaging, basic vitals, pathology reports, medication lists, current diagnoses, and even provider notes entered during an encounter.
Previously, there was no clear course of remedy in the event that a patient felt they had been inappropriately denied access to some or all of their EHI in a timely manner. The rule establishes a recourse process for patients to submit claims of violations through an online portal, so that they may be investigated and, if found guilty, be subjected to regulatory penalties (fines).
Patient recourse, however, is only one part of the broader scope of impact. Clearly, there is a gain for patients who now have the right to readily access all of their EHI.
However, to provide perspective, imagine you download a health app on your phone to track your sleep and then scroll down and agree to the terms and conditions. If you are like most of us, you rarely read the full text of these terms and condition, click accept and start using the app. Later you realize that the app provider has the right to request all your health data and use that data for secondary purposes, (e.g., sell your EHI), without consent as you already signed that away when agreeing to use the app.
Many health app developers have good intentions, but there are likely quite a few that are not so well-intentioned. There is also the issue of privacy and security. In a study by Beth Israel Deaconess on behavioral health apps, only about five percent of the apps they reviewed had the most basic of privacy and security protocols. Caveat emptor is the rule here.
Ambiguity Here, Ambiguity There
Ambiguity seems to be rife in this new rule. This is despite this new law going through a typical rulemaking process wherein there is always a long period for public comment after a proposed rule is posted in the Federal Register.
However, this rule has not been as positively received by the covered entities to whom it applies. These entities tasked with compliance have expressed concerns about the burden imposed upon them by this rule, but also, that the rule in its current form has left many ambiguities regarding what constitutes full compliance. The groups pushing back have organized into an informal coalition, spearheaded by some of the largest players in the healthcare sector; there are twenty-eight organizations in total, including Epic, Ascension and the Mayo Clinic.
In a joint letter to HHS Secretary Xavier Becerra dated August 18th 2022, the group expressed concern that many practices will fall short on compliance requirements, due to “significant knowledge gaps”, that have left many practices “extremely underinformed” on the facilitation, timing, and distinction among different “actor” types for whom different penalties can apply within the rule. They request additional clarification on what constitutes full compliance as far as the health data information provision. They also list a number of possible scenarios that present unclear courses of action to be in compliance with the law.
There are requests for technical assistance, and suggestions of a more standardized distribution process for new information and changes to the law through webinars, newsletters, and support groups. Finally, the letter suggests that all changes and clarifications that are made to this law at any time be accompanied by a six-month grace period, prior to the enforcement of any non-compliance penalties.
Interestingly, the penalties for non-compliance differ depending on how the entity, or “actor” as used in the law, is categorized – another area of ambiguity pointed out within the aforementioned letter. If a health IT company or an HIE violates the rule, they are subject to fines as high as $1 million per incident. In the case of a healthcare provider, there is no such monetary penalty; rather, physicians for whom a complaint has been submitted will be subject to OIG investigation, and the provider “may be subject to appropriate disincentives” – the details of which are pending.
To Ambiguity, Add Exemptions
There are eight exceptions listed within the Information Blocking Rule that will exempt an actor otherwise subject to penalty for non-compliance. These eight exceptions can be divided into two general categories; the first five exceptions, which pertain to the fulfillment of the request itself; and the last three exceptions, which pertain to the procedures utilized in fulfillment of the request.
Those five exceptions are if the fulfillment of the request has risk to:
- Cause harm
- Compromise privacy
- Compromise security
- IT-originating problems
The last three exceptions are more technical in nature and specific to fulfillment procedures; those three exceptions are:
- Content and manner exception
- Fees exception
- Licensing exception
Consideration of whether an exception is appropriately justifiable also takes into account the categorization of the actor against whom a complaint has been lodged; it is unclear on exactly how. The pushback from the group that penned this letter seems especially justified when reading the specific guidance on the exceptions, which – while verbose – remain frustratingly unclear for a wide range of likely scenarios to be encountered.
October 6th has passed; the law is in place, but it will only be a matter of time before it is challenged. HHS is certainly aware of the feedback received to date and it is puzzling that this rule went forward as it did.
However, there is an exceedingly long history of providers being loathe to give patients their EHI for countless reasons, from paternalism, to fear that notes may bring forth lawsuits, to — most importantly — concern that a patient will take their EHI and their healthcare needs down the street to a competing provider.
Therefore, after providers have dragged their feet for so long on this issue, maybe it is just better to get something out there on the table that providers and their vendors are forced to respond to. Certainly, full access to one’s EHI is in the best interests of the patient and of the U.S. citizen; would this not also be best for the nation as a whole?