Written by: A. Michi McClure, J.D., an AIHC member and Volunteer on the CEU Education Committee
The right of access and information blocking are both related to the access and exchange of health information, but they are different in several key ways. HIPAA Privacy/Security and Compliance Officers and Health Information Management professionals need to know the difference.
Right of Access Initiative
Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524
This initiative helps to empower individuals to take control of their own health information, allowing them to better manage their healthcare and make informed decisions about their health. By ensuring that individuals have access to their own health information, this initiative also helps to improve the quality and continuity of care, while also protecting the privacy and security of that information.
The right of access is a HIPAA requirement: individuals have the right to access and obtain a copy of their protected health information (PHI) that is maintained by covered entities, such as healthcare providers and health plans. This includes electronic protected health information (ePHI).
ePHI is defined in HIPAA regulation as any protected health information (PHI) that is created, stored, transmitted, or received in any electronic format or media. The right of access also includes the right to request that their PHI be transmitted to another entity, such as another healthcare provider or a personal health record (PHR). Covered entities must provide individuals with timely access to their PHI and may only deny access under certain limited circumstances.
The exact regulatory definition of Information Blocking can be found in the Code of Federal Regulations at 45 CFR 171.103.
Information blocking is a practice in which a healthcare provider, health plan, or other covered entity intentionally interferes with the access, exchange, or use of electronic health information. The information blocking rule, which was established under the 21st Century Cures Act, requires covered entities to make EHI available for access and exchange in a way that is secure, timely, and appropriate to the circumstances.
The ultimate goal of the Information Blocking Act is to promote greater collaboration and coordination among healthcare providers and other stakeholders, which can lead to improved quality of care, better patient outcomes, and more efficient use of healthcare resources. By breaking down barriers to the exchange of health information, this legislation aims to facilitate the development and implementation of innovative healthcare solutions that can improve the overall health of the population.
On October 6, 2022, the definition of electronic health information (EHI) expanded to include all of the digital components of an organization’s designated record set (DRS). Prior to this date the definition of EHI was limited to the data elements represented in the United States Core Data for Interoperability (USCDI) v1.
Covered entities may not use information blocking practices to prevent or interfere with access, exchange, or use of EHI, except in certain limited circumstances.
While both the right of access and information blocking are designed to promote the access and exchange of health information, the right of access focuses on individuals' access to their own PHI, while information blocking focuses on the sharing of EHI between covered entities.
Additionally, the right of access is a long-standing requirement under HIPAA, while information blocking is a more recent requirement under the 21st Century Cures Act.
It is important to differentiate between Right of Access and Information Blocking to ensure your organization is compliant with both rules as well as any applicable State privacy regulations. The charts below are provided as a comparison of similarities and differences between the two.
Right of Access
What it is:
The HIPAA requirement to provide individuals with access to their own PHI contained in one or more designated record sets maintained by a covered entity.
A provision in the 21st Century Cures Act intended to minimize interference with the ability of authorized persons to access, exchange, or use Electronic Health Information.
The HIPAA Privacy Rule was first enforced in the United States on April 14, 2003. The Office for Civil Rights (OCR) began an enforcement initiative in 2019.
First enforced in the United States on April 5, 2021.
To give individuals greater control over their own health information. This initiative:
The goal of the Information Blocking Act, also known as the 21st Century Cures Act, is:
When must records be provided:
Covered entities, such as healthcare providers and health plans, are generally required to provide patients with access to their protected health information (PHI) upon request, unless an exception applies.
Specifically, a covered entity must provide access to PHI within 30 days of receiving a request from the individual, unless the covered entity provides a written explanation of the delay and the reason for the delay and extends the time period by an additional 30 days.
Under the information blocking rule, EHI must be made accessible to individuals, their personal representatives, and other authorized parties, without unreasonable delay and in the manner requested by the individual, except in certain limited circumstances. These circumstances are listed below in the following chart.
It's important to note that a healthcare provider must provide a clear explanation for any limitations on access to EHI and must make a good faith effort to provide access to as much EHI as possible.
Healthcare providers are also required to make available any information blocking policies or procedures that they have in place, and to provide patients with information on how to file a complaint if they believe that their access to EHI has been improperly limited or blocked.
What information is subject to?
Under HIPAA, individuals have the right to access and obtain a copy of their protected health information (PHI) that is maintained by covered entities, such as healthcare providers and health plans. PHI is broadly defined as any information, including demographic information, that:
Some examples of PHI that are subject to the right of access include:
Under the information blocking rule, electronic health information (EHI) is subject to the right of access and exchange. EHI is defined as:
Some examples of EHI that are subject to the information blocking rule include:
The right of access initiative is enforced by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS). OCR can investigate complaints of noncompliance and may take enforcement actions against covered entities that violate the right of access requirements.
In addition to civil monetary penalties, OCR may require the covered entity to develop a corrective action plan and to monitor the covered entity's compliance.
It's important to note that individuals also have the right to file a complaint with OCR if they believe that a covered entity has violated their right of access. OCR may investigate complaints and take enforcement actions as appropriate.
There are penalties for violating the information blocking rule, which is enforced by the Office of the National Coordinator for Health Information Technology (ONC) and the Department of Health and Human Services (HHS). Covered entities that engage in information blocking practices may be subject to enforcement actions, which can include:
It is important to respect patient access to information while protecting confidential information. This can be a daunting task for any size organization. If you still have questions after reviewing the information above, consider additional training in HIPAA and release of information.
Additional important aspects of this topic not covered in this article are the information excluded from both the Right of Access and Information Blocking rules, when a request may be denied, to whom the information can be released, and the allowable (and unallowable) fees a patient can be charged. These topics will be covered in Part 2.
We also encourage consulting with your malpractice Risk Attorney. Your insurance company WANTS your organization to seek advice BEFORE an incident or investigation from a complaint occurs. If consulting with your malpractice company isn’t an option, it is highly advised to seek legal advice from a HIPAA privacy expert.
This short article is a snippet from AIHC’s short training course, HIPAA, Release of Information and Right of Access.
Copyright © 2023 American Institute of Healthcare Compliance All Rights Reserved