Covered entities beware: a timing pitfall lurks within the recently adopted rules prohibiting information blocking. We have posted about OCR’s “Right to Access Initiative” and numerous enforcement actions taken to make sure that covered entities respond to patient access requests in a timely manner. The HIPAA Privacy Rule requires covered entities to respond to access requests within 30 days, but OCR has emphasized that this is an “outer limit and covered entities are encouraged to respond as soon as possible.”
Soon, when compliance with the rules adopted by the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC) is required, covered entity health care providers will have another outer limit to contend with when responding to patient access requests. These rules implement certain provisions of the 21st Century Cures Act and are often referred to as the “Information Blocking rules”, though they also address interoperability of electronic health information and the ONC IT Certification Program.
The Information Blocking rule incorporates and cross-references many of the HIPAA Privacy Rules, including the rule giving individuals the right to access their PHI (45 C.F.R. 164.524). The Information Blocking rule also provides specific exceptions for activities that will not be considered information blocking. The exceptions generally align with (and cross-reference) provisions in the HIPAA Privacy Rule. For example, the “preventing harm” exception aligns with the HIPAA access right exception that allows a covered entity to deny an access request when a licensed health care professional determines, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to the individual or another person.
Only one exception, however, includes an “outer limit” for response, and the outer limit is much shorter than the 30-day limit for responding to HIPAA access requests.
The “infeasibility exception” applies when certain events or circumstances prevent the health care provider from responding to an access request. These include “uncontrollable events” such as (among others specified in the rule) public health emergencies, internet service interruptions, and labor strikes; the inability to segment the requested information from certain types of other electronic health information, such as information that cannot be made available by law; or where specified circumstances exist that make responding to the request infeasible. However, if a health care provider denies an individual’s access request under the infeasibility exception, the provider must respond, in writing, to the individual within ten business days of receipt of the request, explaining why providing the requested access is infeasible.
HHS recently extended the date for compliance with the Information Blocking rule from November 2, 2020 to April 5, 2021, but covered entity health care providers may want to take steps now to account for the shortened response time for access requests that may meet the “infeasibility exception”. Reviewing and amending business associate agreements and HIPAA policies and procedures to incorporate faster turn-around times are good places to start. Training personnel about the changes and documenting all activities undertaken by the covered entity to comply are other good ways to demonstrate serious compliance efforts.