
March 14, 2023

Is the Violation Right of Access or Information Blocking? Part 1 of 2

Written by: A. Michi McClure, J.D., an AIHC member and Volunteer on the CEU Education Committee

The right of access and information blocking are both related to the access and exchange of health information, but they are different in several key ways. HIPAA Privacy/Security and Compliance Officers and Health Information Management professionals need to know the difference. 

 

Right of Access Initiative 

Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524

This initiative helps to empower individuals to take control of their own health information, allowing them to better manage their healthcare and make informed decisions about their health. By ensuring that individuals have access to their own health information, this initiative also helps to improve the quality and continuity of care, while also protecting the privacy and security of that information.

The right of access is a requirement under HIPAA that individuals have the right to access and obtain a copy of their protected health information (PHI) that is maintained by covered entities, such as healthcare providers and health plans. This includes electronic protected health information (ePHI).

ePHI is defined in HIPAA regulation as any protected health information (PHI) that is created, stored, transmitted, or received in any electronic format or media. The right of access also includes the right to request that their PHI be transmitted to another entity, such as another healthcare provider or a personal health record (PHR). Covered entities must provide individuals with timely access to their PHI and may only deny access under certain limited circumstances.

Information Blocking

The exact regulatory definition of Information Blocking can be found in the Code of Federal Regulations at 45 CFR 171.103.

Information blocking is a practice in which a healthcare provider, health plan, or other covered entity intentionally interferes with the access, exchange, or use of electronic health information. The information blocking rule, which was established under the 21st Century Cures Act, requires covered entities to make EHI available for access and exchange in a way that is secure, timely, and appropriate to the circumstances.

The ultimate goal of the Information Blocking Act is to promote greater collaboration and coordination among healthcare providers and other stakeholders, which can lead to improved quality of care, better patient outcomes, and more efficient use of healthcare resources. By breaking down barriers to the exchange of health information, this legislation aims to facilitate the development and implementation of innovative healthcare solutions that can improve the overall health of the population.

On October 6, 2022, the definition of electronic health information (EHI) expanded to include all of the digital components of an organization’s designated record set (DRS). Prior to this date the definition of EHI was limited to the data elements represented in the United States Core Data for Interoperability (USCDI) v1.

Covered entities may not use information blocking practices to prevent or interfere with access, exchange, or use of EHI, except in certain limited circumstances.

Confused?

While both the right of access and information blocking are designed to promote the access and exchange of health information, the right of access focuses on individuals' access to their own PHI, while information blocking focuses on the sharing of EHI between covered entities.

Additionally, the right of access is a long-standing requirement under HIPAA, while information blocking is a more recent requirement under the 21st Century Cures Act.

It is important to differentiate between Right of Access and Information Blocking to ensure your organization is compliant with both rules as well as any applicable State privacy regulations. The charts below are provided as a comparison of similarities and differences between the two.

Aspect | Right of Access | Information Blocking

What it is:

Right of Access: The HIPAA requirement to provide individuals with access to their own PHI contained in one or more designated record sets maintained by a covered entity.

Information Blocking: A provision in the 21st Century Cures Act intended to minimize interference with the ability of authorized persons to access, exchange, or use Electronic Health Information.

Enforcement date:

Right of Access: The HIPAA Privacy Rule was first enforced in the United States on April 14, 2003. The Office for Civil Rights (OCR) began an enforcement initiative in 2019.

Information Blocking: First enforced in the United States on September 1, 2023.

Goal:

Right of Access: To give individuals greater control over their own health information. This initiative:

  • Ensures individuals the right to access their own medical records and to receive copies of those records in a timely manner, without undue delay or cost.
  • Provides individuals the right to request access to their health information held by covered entities, such as healthcare providers, health plans, and healthcare clearinghouses.
    • These entities must provide individuals with their requested information in the format and manner requested by the individual if it is readily producible in that format. This information can include medical and billing records, as well as other health information such as test results and imaging reports.

Information Blocking: The goal of the Information Blocking Act, also known as the 21st Century Cures Act, is:

  • To improve the interoperability of electronic health records (EHRs) and other health information technology (HIT) systems in the United States.
  • To promote the secure and efficient sharing of health information among healthcare providers, patients, and other stakeholders in the healthcare system.
  • To prohibit healthcare providers, health IT developers, and health information exchanges from engaging in practices that prevent or discourage the access, exchange, or use of electronic health information. This includes actions such as charging excessive fees for access to health information, creating technical barriers to the sharing of health information, and imposing unreasonable delays on the release of health information.

When must records be provided:

Right of Access: Covered entities, such as healthcare providers and health plans, are generally required to provide patients with access to their protected health information (PHI) upon request, unless an exception applies.

Specifically, a covered entity must provide access to PHI within 30 days of receiving a request from the individual, unless the covered entity provides a written explanation of the delay and the reason for the delay and extends the time period by an additional 30 days.

Information Blocking: Under the information blocking rule, EHI must be made accessible to individuals, their personal representatives, and other authorized parties, without unreasonable delay and in the manner requested by the individual, except in certain limited circumstances. These circumstances are listed in the following chart.

It's important to note that a healthcare provider must provide a clear explanation for any limitations on access to EHI and must make a good faith effort to provide access to as much EHI as possible.

Healthcare providers are also required to make available any information blocking policies or procedures that they have in place, and to provide patients with information on how to file a complaint if they believe that their access to EHI has been improperly limited or blocked.

What information is subject to the rule?

Right of Access: Under HIPAA, individuals have the right to access and obtain a copy of their protected health information (PHI) that is maintained by covered entities, such as healthcare providers and health plans. PHI is broadly defined as any information, including demographic information, that:

  1. Relates to the individual's past, present, or future physical or mental health or condition;
  2. Relates to the provision of healthcare to the individual; or
  3. Identifies the individual or could reasonably be used to identify the individual.

Some examples of PHI that are subject to the right of access include:

  • Medical and clinical records, including diagnoses, test results, and treatment plans;
  • Billing and insurance information;
  • Prescription and medication records;
  • Immunization records;
  • Lab reports;
  • Radiology images;
  • Health insurance enrollment and coverage information; and
  • Personal demographic information, such as name, address, and social security number, if it is included in the individual's health record.

Information Blocking: Under the information blocking rule, electronic health information (EHI) is subject to the right of access and exchange. EHI is defined as:

  • Electronic protected health information (ePHI) that is created, stored, transmitted, or received by a covered entity or business associate that is subject to HIPAA.

Some examples of EHI that are subject to the information blocking rule include:

  1. Clinical notes, including progress notes and operative notes;
  2. Diagnostic imaging, including X-rays, MRIs, and CT scans;
  3. Laboratory test results;
  4. Pathology reports;
  5. Medication lists and prescription histories;
  6. Immunization records;
  7. Vital signs and other clinical measurements;
  8. Patient demographic information, such as name, address, and social security number, if it is included in the EHI.

Penalties?

Right of Access: YES

The right of access initiative is enforced by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS). OCR can investigate complaints of noncompliance and may take enforcement actions against covered entities that violate the right of access requirements.

  • If OCR determines that a covered entity has violated the right of access requirements, the covered entity may be subject to civil monetary penalties, which can range from $100 to $50,000 per violation, depending on the severity of the violation.
  • The maximum annual penalty for all violations of an identical requirement or prohibition is $1.5 million.

In addition to civil monetary penalties, OCR may require the covered entity to develop a corrective action plan and to monitor the covered entity's compliance.

It's important to note that individuals also have the right to file a complaint with OCR if they believe that a covered entity has violated their right of access. OCR may investigate complaints and take enforcement actions as appropriate.

Information Blocking: YES

There are penalties for violating the information blocking rule, which is enforced by the Office of the National Coordinator for Health Information Technology (ONC) and the Department of Health and Human Services (HHS). Covered entities that engage in information blocking practices may be subject to enforcement actions, which can include:

  1. Civil monetary penalties: The HHS may impose civil monetary penalties of up to $1 million per violation for each instance of information blocking.
  2. The maximum annual penalty for all violations of an identical requirement or prohibition is $5 million.
  3. Disincentives for health information exchange: The HHS may also take steps to limit or restrict a covered entity's participation in certain health information exchange programs or to exclude the entity from certain government healthcare programs.
  4. Publication of violators: The ONC may publish the names of covered entities that have engaged in information blocking practices, which can harm the entity's reputation and public image.

In Summary 


It is important to respect patient access to information while protecting confidential information. This can be a daunting task for any size organization. If you still have questions after reviewing the information above, consider additional training in HIPAA and release of information.

Additional important aspects of this topic not covered in this article are the information excluded from both the Right of Access and Information Blocking rules, when a request may be denied, to whom the information can be released, and the allowable (and unallowable) fees a patient can be charged. These topics will be covered in Part 2.

We also encourage consulting with your malpractice Risk Attorney. Your insurance company WANTS your organization to seek advice BEFORE an incident or investigation from a complaint occurs. If consulting with your malpractice company isn’t an option, it is highly advised to seek legal advice from a HIPAA privacy expert.

Copyright © 2023 American Institute of Healthcare Compliance All Rights Reserved
