Overview
The 21st Century Cures Act was originally signed into law way back in December 2016. Now we face some very important updates in 2022. The following summary includes the main information and changes that are worth noting:
- The Office of the National Coordinator for Health Information Technology (ONC) has been made responsible for defining the policies related to information blocking and establishing a complaint process.
- The Health and Human Services (HHS) Office of Inspector General (OIG) is responsible for investigating complaints and assessing any necessary penalties. Those processes and compliance rules have all been finalized and already went into effect this month.
- Starting October 6, 2022, Actors must make all requested electronic health information (EHI) available, not just the subset that was allowed when the compliance rules were first published in April 2021.
What is information blocking?
Information blocking is more than just an individual’s access to EHI; it involves other healthcare networks. Information blocking restrictions apply to a group called “Actors,” who are defined as providers (e.g., hospitals and physicians), health IT developers, and health information exchanges or networks. This article focuses on specific details that may be helpful for hospitals and providers.
Be aware that the ONC does post information-blocking exceptions. These are extensive and should be followed in their entirety. Therefore, I refer you to this website for the full details: www.healthit.gov/topic/information-blocking. I encourage you to review the exceptions for your particular circumstances and refer back regularly to the website for changes and clarifications. Rather than discussing the exceptions, let’s look at some key areas that I believe every provider should make sure their employees are trained to handle, to ensure compliance with the information-blocking rules under the Cures Act.
Frequently asked questions
Below are a few common questions and answers that may help you navigate the Cures Act ruling and avoid associated penalties:
1. Can we charge fees for making PHI copies?
The answer is not simple. While the Privacy Rule permits a reasonable, cost-based fee if an individual requests a copy of the protected health information (PHI), there are several caveats. The fee must only include costs related to: 1) labor for copying the information requested; 2) supplies for creating the paper copy or electronic media; 3) postage, when the individual has requested that the copy be mailed; and 4) the cost of preparing an explanation or summary of the PHI, if agreed to by the individual making the request. If you do not want to go through the process of calculating these direct costs per request, HHS is allowing a flat fee, not to exceed $6.50 per request. You may go over this amount, as long as your calculation only has the aforementioned items. However, if access to PHI is available through the provider’s electronic health record (EHR) technology, you may not request a fee. You must inform the individual of the fees in advance, and you cannot withhold or deny access if the fee is not collect
2. Is a Health Care Provider permitted to deny an individual’s request for access because the individual has not paid for health care services provided to the individual?
The answer is quite simple: no. A covered entity may only charge a reasonable, cost-based fee for the copy. They may not withhold or deny access based on any outstanding bills that the individual may have with the provider. An important distinction is made in the rules with regard to medical products. A physician can withhold purchased items from the patient for nonpayment. These medical products are not considered part of the PHI, even though the prescription or report that accompanied that item is part of the PHI record. An example would be custom orthotics prescribed by a podiatrist.
3. What is considered timely action by the covered entity?
Unless you meet one of the exceptions, you must act on a request within 30 days. If the covered entity grants the request, it must inform the individual of the acceptance of the request. If the covered entity denies the request, it must provide the individual with a written denial. This is key to preventing penalties. Even if you meet an exception, you must notify the individual of the denial in a timely manner. All of the examples I reviewed for penalties in 2022 that were imposed for information blocking cited “untimely access” as the alleged violation. Fines ranged from $22,500 to over $200,000, and some were right here in Texas – all for failure to meet the timely access rule, and all avoidable.
It’s not optional
Final rules on information blocking are now enacted into law, and as of October 6, 2022, penalties and full enforcement are published. All staff and providers should, therefore, understand the policies and how they pertain to your hospital or practice. I recommend setting up a structured system, which includes putting these measures in place:
- Carefully date and document the request for access to PHI.
- Establish clear procedures on how to keep and record accurate documentation of any instance in which you have grounds to refuse to share requested information.
- Create a sample checklist of clear procedures.
- Set up compliance logs to document when requests came in and by whom, with your organization’s response date.
- Designate supervisors to monitor these reports for timeliness and compliance.
- Train your team to follow the rules to avoid information-blocking penalties.
Conclusion
An important aspect of this process is to prepare yourself against unwarranted complaints by frustrated record seekers. A well-thought-out compliance process to evaluate and respond to each specific request could establish your defense against unwarranted complaints filed with the ONC.