American Association for Physician Leadership


Eight Information Blocking Exceptions You Need to Know

DeAnn Tucker, MHA, CHPS, RHIA, CCS

November 4, 2021


Summary:

The Information Blocking Rule became effective April 5, 2021, requiring Covered Entities to develop and implement policies and procedures consistent with the rule. In this article, we take a deeper dive into the eight exceptions. You can use this information to help develop your policy.






Practices or activities that satisfy one or more of these eight exceptions, as applicable, will not be considered Information Blocking if all the relevant exception(s) criteria are strictly met. The requirements for each exception are detailed and comprehensive, and all conditions must be met for the applicable exception(s) to apply.

Five exceptions allow not fulfilling requests to Access, Exchange, or Use EHI

It is not considered Information Blocking if:

1. Preventing Harm Exception: Covered Entity engages in practices that are reasonable and necessary to prevent harm to a patient or another person, provided conditions as defined by 45 CFR § 171.201 are met:

a. Reasonable belief that the practice will reduce a risk of harm and

b. No broader than necessary and

c. At least one of the following

i. Type of risk

ii. Type of harm

iii. Practice is based on organizational policy

d. Practice must also be consistent with any rights to review denial.

2. Privacy Exception: Covered Entity does not fulfill a request to Access, Exchange, or Use EHI (electronic health information) in order to protect an individual’s privacy, provided certain conditions are met as defined in 45 CFR § 171.202. Actor must meet all requirements for at least one of the sub-exceptions below:

a. Precondition not satisfied.

b. Health IT developer of Certified Health IT not covered by HIPAA.

c. Denial of Individual Right of Access consistent with HIPAA

d. Respecting Individual’s Request to Not Share EHI

3. Security Exception: Covered Entity interferes with the Access, Exchange, or Use of EHI in order to protect the security of EHI, provided certain conditions are met as defined by 45 CFR § 171.203:

a. Must meet all:

i. Practice must be directly related to safeguarding the confidentiality, integrity, and availability of EHI

ii. Practice must be directly tailored to the specific security risk

iii. Practice must be consistent and non-discriminatory

b. And, in addition, meets either

i. If the practice implements an organization security policy, the policy must

1. Be in writing.

2. Have been prepared on the basis of security risks identified.

3. Align with one or more applicable standards or best practices.

4. Provide objective timeframes.

ii. Or, if the practice does not implement an organizational security policy, the actor must make a determination, based on the particular facts and circumstances, that:

1. The practice is necessary to mitigate the security risk; and

2. There are no reasonable and appropriate alternatives.

4. Infeasibility Exception: Covered Entity does not fulfill a request to Access, Exchange, or Use EHI due to the infeasibility of the request, provided certain conditions are met as defined by 45 CFR § 171.204:

a. Must meet one

i. Uncontrollable events.

ii. Segmentation.

iii. Infeasible under the circumstances.

b. And, if an actor does not fulfill a request, the actor must provide the reason why within 10 business days.

5. Health IT Performance Exception: Covered Entity takes reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT, provided certain conditions are met as defined by 45 CFR § 171.205:

a. Must meet one

i. Maintenance and improvement to health IT.

ii. Assured level of performance.

iii. Practices that prevent harm.

iv. Security related practices.

Three exceptions involve procedures for fulfilling requests to Access, Exchange, or Use EHI

It is not considered Information Blocking if:

1. Content and Manner Exception: Covered Entity fulfills a request to Access, Exchange, or Use EHI in any manner requested or in an alternative manner, provided certain conditions are met, using: (i) certified health IT specified by the requestor; (ii) content and transport standards specified by the requestor and published by the federal government or a standards-developing organization accredited by the American National Standards Institute; or (iii) an alternative machine-readable format, including the means to interpret the EHI, agreed upon with the requestor (45 CFR §171.301). This exception both establishes the content Covered Entity must provide in response to a request to Access, Exchange, or Use EHI in order to satisfy the exception, and establishes the manner in which Covered Entity must fulfill a request to Access, Exchange, or Use EHI in order to satisfy this exception.

2. Fees Exception: Covered Entity charges fees, including fees that result in a reasonable profit margin, for Accessing, Exchanging, or Using EHI, provided certain conditions are met as defined by 45 CFR §171.302:

a. Meets basis for fees condition.

b. Does not meet excluded fees condition.

c. If applicable, meets compliance with the Conditions of Certification condition.

3. Licensing Exception: Covered Entity licenses interoperability elements for EHI to be Accessed, Exchanged, or Used, provided certain conditions are met as defined by 45 CFR §171.303:

a. Must meet all

i. Negotiating a license condition.

ii. Licensing conditions.

1. Scope of rights.

2. Reasonable royalty.

3. Non-discriminatory terms.

4. Collateral terms.

5. Non-disclosure agreement.

iii. Additional conditions relating to the provision of interoperability elements.

The Final Rule in the Federal Register, 85 Fed Reg. 25642 Section VIII(D), provides a more detailed explanation of the Information Blocking exceptions and their requirements. You will find the exceptions on pages 25820-25900.

DeAnn Tucker, MHA, RHIA, CHPS, CHPC, CCS, Coker Group, 2400 Lakeview Parkway, Suite 400, Alpharetta, GA 30009; phone: 409-877-5040; email: dtucker@cokergroup.com.

This article appeared in the September/October 2021 issue of The Journal of Medical Practice Management.
