We tend to focus internally when we think about information blocking compliance. What do WE need to do to comply? What IT policies and systems are required? How do we protect ourselves from regulatory missteps? But we can be so much more effective when we remember the WHY behind the CURES Act: It is innately patient centric. It aims to make it easy for patients to access their health information. It makes sure we design our systems from the patients’ point of view, rather than from our own. It rewards us for patient-centric design and punishes us only when we design our systems in a way that prevents – or makes it hard for – patients to access their own data.
Let’s explore this a little more.
The CURES Act: The patient is in charge
Under this Act, patients have the right to timely access to information from their patient portal in the electronic medical record (EMR). This includes provider treatment notes and treatment records, including patients’ laboratory and diagnostic results.
Jan Elezian, MS, RHIA, CHC, CHPS and Director at SunHawk Consulting, LLC told me that, “The CURES Act final rule, effective April 5, 2021, prohibits healthcare providers, technology vendors, health information exchanges (HIEs), and health information networks from preventing, or interfering with the digital exchange, use, or access of ePHI. Such prevention is known as information blocking.”
As a matter of fact, the Information Blocking Rule is intended to work in sync with HIPAA’s regulatory “right of access” provisions. Together, they ensure that all patients should have access to their personal health information which is housed or documented in the organization’s EMR. According to Elezian, “The Information Blocking prevention rule offers a seamless user experience and allows patients to be in charge of their own health records.”
Some compliance professionals view the “ownership” of the medical record from the perspective of the organization, but the information in the record belongs to the patient. The organization is just housing the patient’s information in the EMR.
Here’s an example: a woman was involved in a car accident and wants to hire an attorney to sue the driver of the other car. She has the right to receive a copy of her entire medical record to give to her attorney. What’s more, if she discovers a mistake in her EMR, she has the right to request a change. As Elezian illustrated, patients are in charge of their own medical information.
Patients also have the right to timely access to diagnostic or laboratory results. Generally, a person who has blood drawn for a thyroid level should be able to see those results in the patient portal as soon as they are available. The patient should not have to wait two weeks to get those results. Similarly, a patient who has a normal mammogram should be able to review those results or the mammogram letter in a matter of days, not weeks.
Information blocking regulations do provide some patient-centric exceptions:
- Preventing patient harm: There are cases where a provider will believe the information in the EMR could cause the patient harm. I mentioned normal mammogram results above – which absolutely should flow to the portal immediately. But what about an abnormal mammogram result? In that case, the provider should absolutely be the one to deliver the news and next steps to the patient. It could cause psychological harm to deliver a possible cancer diagnosis through an EMR portal. Similarly, a psychiatrist’s notes may cause undue stress or harm to the patient. The psychiatrist may choose not to share the notes with the patient in the EHR and may even redact the notes from the printed medical record.
- Protecting patient privacy: Providers may withhold genetic testing and other sensitive data to protect a patient’s privacy. This issue comes up when a patient’s employer requests the EMR as part of a workers’ compensation claim or other instances of litigation.
How patients experience information blocking
HealthIT.gov describes some practices that could be considered information blocking under section 4004 of the CURES Act. For instance, if you implement your portal or EMR access in a nonstandard way, you may create too much burden for the patient. This would constitute information blocking.
Then there’s this scenario:
- Requiring a password and a texted security code to a cell phone to access the EMR or patient portal would not be considered overly restrictive or nonstandard. Requiring these steps before granting access to the patient portal would be considered appropriate security measures to protect patient information.
- However, requiring a computer instead of a mobile phone to access the information in the portal could be considered overly restrictive. This is not permitted because it would not allow patients to be in charge of their own health records.
Portals are obviously a critical element of information-blocking compliance – they deliver the EMR to patients and allow them to communicate with their provider through messaging. Don’t overlook translations in the patient experience: portals should deliver the information in the patient’s primary language, such as Spanish.
Health organizations are committed to delivering excellent patient care. The best (and most compliant) ones take that a step further by including the EMR experience in the overall patient care design. They make patients understand how their record works and how they can take control of their own data.
Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.
Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.