Since last year, Husch Blackwell’s privacy attorneys have been working with various healthcare providers—from hospitals to hospices, to independent physician groups—to comply with the information blocking rule implemented by the Office of the National Coordinator for Health Information Technology (ONC) as part of the 21st Century Cures Act. Recently, education clients have been asking, “We’re a university – does the information blocking rule apply to our student health center?” We discuss the answer to that question, along with practice tips, in this blog post.
Does the Rule Apply to University Health Centers?
The rule prohibits “information blocking,” which is defined as a practice that, except as required by law or covered by an exception, is likely to interfere with access, exchange, or use of electronic health information (EHI), if the requisite knowledge is present.
In order to determine whether the rule applies to college and university health centers two questions must be answered: (1) do they meet the rule’s definition of “actors” and, (2) if so, do they hold EHI?
First, the “actors” under the rule include healthcare providers, health IT developers of certified health IT, health information exchanges, and health information networks. A university student health center may not be a health IT developer of certified health IT, a health information exchange, or a health information network. However, many college or university health centers qualify as “healthcare providers.” “Healthcare provider” is defined broadly in the rule to include nearly any entity rendering healthcare, including physicians, practitioners, group practices, hospitals, academic medical centers, long term care facilities, clinics, ambulatory surgery centers, and other entities determined appropriate by the U.S. Department of Health and Human Services (HHS). Because university student health centers provide healthcare, they may be covered by the rule.
Second, we must look to what, if any information, held by them is “EHI.” The definition of “EHI” is, derived from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations and means electronic protected health information (ePHI) as is “defined in 45 CFR 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of records are used or maintained by or for a [HIPAA] covered entity. . .,” but does not include: (1) psychotherapy notes as defined in 45 CFR 164.501; or (2) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. Accordingly, whether a college or university is a HIPAA covered entity, or a business associate is not dispositive; rather whether the institution possess ePHI pursuant to the definition above matters.
Significantly however, “education records” or “treatment records” as defined by the Family Educational Rights and Privacy Act (“FERPA”) are specifically excluded from the definition of PHI (including ePHI), and accordingly, these records would not fall within the definition of EHI under the rule. Notwithstanding, those medical records held by student health centers that are not covered under by FERPA are likely subject to the rule. Moreover, where university students are referred to affiliated hospitals for care outside of purely student health settings—for example, to the university’s affiliated academic medical center hospital—those records will be subject to the rule.
If Information Blocking Applies to Us, What Exceptions Are the Most Applicable?
There are eight exceptions to the rule. The exceptions that will likely be used most frequently for college or university student health centers covered by the rule are:
A1. Preventing Harm Exception. It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met. This exception aligns with existing HIPAA rules regarding the reasons for denial of access as a result of a risk of harm to the individual subject of the EHI or another person.
A2. Privacy Exception. It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met. For example, this exception allows actors to not fulfill a request if the patient has requested that the information not be disclosed (under certain circumstances) or if a pre-condition in the law is not met, such as where written authorization is required under 42 C.F.R. Part 2 (regarding substance use disorder information).
B1. Content and Manner Exception. It will not be information blocking for an actor to limit the content of its response to requests to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI provided certain conditions are met. This exception is meant to address those situations when an actor is “technically unable” to fulfill a request for EHI but fulfills the request in an alternative manner agreed upon with the requestor. For example, if an individual requested their EHI via an application programming interface (“API”) and the actor does not have an API, and the requestor thereafter requested the EHI via secured email, the actor could fulfill the request in that alternative manner.
We recommend that institutions of higher education and their student health centers understand the exceptions, when they can be used, how the use of the exceptions will be documented.
We Know the Rule Applies to Us. How Do We Implement the Rule?
The rule went into effect on April 5, 2021, and actors are only required to provide EHI represented by the data elements identified by the United States Core Data for Interoperability (“USCDI”) standard until October 6, 2022. Beginning October 6, 2022, actors will need to provide all EHI upon request. To implement the rule, consider the following:
- Understand your student health center’s electronic medical record (EMR) system’s capabilities and whether functionality changes have been offered due to the rule. Note that ONC has provided that the rule does not require EHI be held in or shared using specific technology or particular technical standards; however, not utilizing capabilities that would increase access, use or exchange of EHI could be considered information blocking. For example, if an actor has the capability of providing same-day access via a patient portal, actors should use such functionality to promptly provide access upon request to prevent any interference with the access, use, or exchange of EHI.
- Track the source of EHI requests, who typically processes those requests, and in what manner those requests can processed. This will provide valuable information in developing an effective plan for complying with the rule.
- Adopt policies and procedures related to the rule. For colleges and universities that comprise multiple entities, such as academic medical centers, these policies and procedures should specify to which components they apply (e.g., to a university-affiliated hospital, to the university itself, to research operations), and be broad enough to cover the various operational differences. In addition, as best practice, these policies should address the following questions:
- How will complaints by patients be investigated?
- Who approves the use of an exception? Is it a committee or an individual?
- How are staff going to be updated regarding what information is being automatically sent to patients?
- How are minors’ records handled? May their parents automatically have access to all their records?
- What disciplinary actions are appropriate for providers who are consistently information blocking without justification?
- Train and educate staff about the rule and their role in staying compliant. Training may focus on how to determine when a practice may constitute information blocking, when an exception applies and the conditions of applicable exceptions, what will be provided to patients and other authorized requestors from the medical record that was not previously provided, and what steps to take if a staff member suspects information blocking is occurring. Each organization will have differing needs, but with a structured plan in place, organizations will be well-prepared to prevent information blocking.
Wakaba Tessier is a Kansas City-based partner with the law firm Husch Blackwell LLP focusing on healthcare law and regulations.
Kelsey Toledo is an attorney in Husch Blackwell LLP’s Milwaukee office where she focuses on healthcare law and regulations.
Anne D. Cartwright is a Kansas City-based partner with the law firm Husch Blackwell LLP where she provides compliance audits, policy development, investigations, customized training and general counsel services to public, private, nonprofit and proprietary educational institutions.
