Changes related to the 21st Century Cures Act – more descriptively referred to as the Information Blocking Rule – occurred on October 6th, 2022 when the “final rule” went into effect. Specifically, the limitations on the definition of electronic health information (EHI) that were in place since the Information Blocking Rule went into effect on April 5th, 2021 have been lifted. What does that mean to you, as a mental health care provider and “IB actor”? We’ll break down the key points.
What do you need to know?
What Is Information Blocking and to Whom Does It Apply?
“Information blocking is a [prohibited] practice by an “actor” that is likely to interfere with the access, exchange, or use of electronic health information (EHI), except as required by law or specified in an information blocking exception. The Cures Act applied the law to healthcare providers, health IT developers of certified health IT, and health information exchanges (HIEs)/health information networks (HINs).” (Cures act final rule: Changes and clarifications from the proposed rule …)
What is the expanded definition of EHI? And what is the relationship between EHI and ePHI?
Under the Final Rule, EHI is no longer distinct from and more limited in scope than ePHI. Electronic Health Information (EHI) is now, as of October 6th, 2022, not limited to the data elements in the United States Core Data for Interoperability version 1 (USCDI v1) that must be contained in a designated record set:
EHI now has the expanded definition of “electronic protected health information (ePHI) as the term is defined for HIPAA in 45 CFR 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR 164.501 (other than psychotherapy notes as defined in 45 CFR 164.501 or information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding), regardless of whether the group of records are used or maintained by or for a covered entity as defined in 45 CFR 160.103.” (Cures act final rule: Changes and clarifications from the proposed rule … emphasis added)
With EHI and ePHI now being synonymous, it is an **excellent time** for a good refresher of what constitutes PHI, ePHI, and, therefore, EHI:
ePHI = individually identifiable health information (PHI) that is transmitted or maintained in electronic media
PHI = Personally Identifiable Information (PII) + Health Information (HI)
The Privacy Rule defines PHI as individually identifiable health information, held or maintained by a covered entity or its business associates acting for the covered entity, that is transmitted or maintained in any form or medium… This includes identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse. (HIPAA privacy rule and its impacts on research. Emphasis added.)
What’s an “IB actor”?
There are three categories of ‘actors’ that are regulated from information blocking under the ONC Cures Act Final Rule: healthcare providers (you!,) a Health Information Network or Health Information Exchange, and Health IT Developer of Certified Health IT.
As a mental health care provider, regardless of HIPAA covered entity status, you are an “IB actor” and are prohibited from conducting information blocking of EHI. You are subject to the Information Blocking Rule regardless of whether you utilize an ONC certified electronic health record (EHR) system. If you utilize an ONC certified EHR, then the Health IT Developers of your EHR are also subject to the Information Blocking Rule – and are mandated to provide functionality that facilitates the access, use, and exchange of EHI.
Our free, informative articles are brought to you by Hushmail,
who is offering our readers 15% off for life!
Wondering why this is here? See our sponsorship policy for details.
Roy says: Hushmail is one of several secure email options that serves health care practitioners like us. Hushmail is highly trusted, affordable, includes secure web forms that accept e-signatures, and has earned a recommendation from us for use by mental health professionals. Learn more about Hushmail for Healthcare and get 15% off for life.
Does the Information Blocking Rule confer new Rights of Access to clients? And, what’s the relationship between HIPAA and the Information Blocking Rule?
Rights of Access that were established under the HIPAA Privacy Rule have not been changed or expanded by the Information Blocking Rule. However, the Information Blocking Rule applies to all healthcare providers, regardless of HIPAA covered entity status – meaning that if you are not a HIPAA covered entity but are a healthcare provider then you must comply with the Rights of Access as established by the HIPAA Privacy Rule. Furthermore, the definition of EHI (what must not be blocked from the use, exchange, or access of the individual who’s EHI it is) is now synonymous with ePHI as defined by the HIPAA Privacy Rule.
As the good folks at HealthIT.gov state:
To put it simply, the same electronic protected health information (ePHI) that an individual has a right to access (and request an amendment to) under the HIPAA Privacy Rule is the same ePHI that IB actors can’t “block… An IB actor’s existing efforts to meet HIPAA Privacy Rule requirements puts them on solid ground when it comes to understanding what EHI is, where it may reside, and whether and how complicated it may be to make it available for access, exchange, or use for purposes of the information blocking regulations. (Information blocking: Eight regulatory reminders for October 6th 2022)
What do you need to do?
First and foremost, understand Rights of Access and what constitutes EHI/ePHI. Know that you must not commit Information Blocking, regardless of whether you’re a HIPAA covered entity and regardless of whether you use an ONC certified EHR.
That means: do not delay, or fail to provide, access to EHI/ePHI to those with Rights of Access to that EHI/ePHI.
For details on the conceptual framework and practical application of these concepts and parameters that are crucial in understanding and following the Cures Act Final Rule, we offer two expert-presented supportive on-demand continuing education trainings:
- How We Need to Give Clients Access to Their Records, Now and in the Future (2 legal-ethical CE credit hours), presented by Eric Ström, JD PhD LMHC, and Roy Huggins, LPC NCC
- The “Open Notes” Rule and Your EHR Choice: Legal Compliance and Client Safety Now and in The Future (2 legal-ethical CE credit hours), presented by Eric Ström, JD PhD LMHC, Rob Reinhardt, LCHMCS, M.Ed., NCC, and Roy Huggins, LPC NCC
References:
Cures act final rule: Changes and clarifications from the proposed rule … (n.d.). Retrieved October 13, 2022, from https://www.healthit.gov/sites/default/files/page2/2020-03/NPRMvsFinalRule.pdf
Information blocking: Eight regulatory reminders for October 6th. Health IT Buzz. (2022, September 30). Retrieved October 13, 2022, from https://www.healthit.gov/buzz-blog/information-blocking/information-blocking-eight-regulatory-reminders-for-october-6th
U.S. Department of Health and Human Services. (n.d.). HIPAA privacy rule and its impacts on research. National Institutes of Health. Retrieved October 13, 2022, from https://privacyruleandresearch.nih.gov/pr_07.asp