The Long & Winding Road to the Information Blocking Rule
Electronic Health Information Sharing and Patient Portals
Download this White Paper for future reading…
Hailed as Data Liberation Day by the government, the Information Blocking Rule (IBR) went into effect on October 6, 2022. This health policy is really about information sharing and empowering the patient to take ownership of their health data. It’s no longer in the provider’s control to decide when to release a patient’s information. Electronic Health Record (EHR) vendors are also required to support ease of access to a patient’s data. If providers, EHR vendors, or Health Information Exchanges (HIE) block access or interfere with the flow of a patient’s health data, they are subject to financial penalties for each occurrence. While the IBR is the most recent health policy to address a patient’s right to access their health information, it is predicated on a 25-year series of broader health policies that laid the foundation for where we are today. It essentially started under The Health Insurance and Accountability Act of 1996 (HIPAA), specifically the Privacy Rule. Some components of the Privacy Rule were written for paper-based medical records, not digital records (Dworkowitz, 2022). The IBR amends some of the antiquated pieces of HIPAA that are oriented to paper and modernizes them for a more advanced era of EHRs and interoperability. This white paper will reflect on the layers of health policy that enabled the healthcare industry to evolve and support information sharing under the IBR.
HIPAA & The Privacy Rule
When HIPAA was enacted, many American families were purchasing their first home computer and connecting to the internet through dial up land lines. During that time, most providers were not using EHRs, they were using paper. If you were a provider that had an EHR, it had a fraction of the functionality that today’s EHRs offer. While HIPAA centers on protecting the privacy and security of an individual’s identifiable health information, the Privacy Rule mandates that covered entities provide individuals with access to their Protected Health Information (PHI) upon request. Individual right of access requests, as defined within the Privacy Rule, specifies the right of a patient to obtain access to PHI within a covered entity’s Designated Record Sets (DRS). Components of a provider’s DRS include medical records, billing data, and health insurance information. Furthermore, the Privacy Rule requires a covered entity to fulfill individual access requests within 30 days of receiving the request, 60 days is permittable if the provider needs an extension. The idea was that the provider would be making copies of records that could be mailed, faxed, or made available for the patient to pick up, hence the lengthy time requirement. Patient right of access requests as written under the Privacy Rule were for paper records, not EHRs.
HIPAA Transactions & Code Set Standards
In addition to privacy and security, HIPAA also established standards for transactions and code sets. Many of the transaction standards are oriented to Electronic Data Interchange (EDI) for billing and claims adjudication purposes. Other code sets are oriented to clinical documentation standards. Code sets are “used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes (Hartley, 2004).” Code set standards and Health Level 7’s (HL7) Clinical Document Architecture (CDA) are the building blocks for interoperability standards that are later introduced under Meaningful Use.
The American Recovery & Reinvestment Act of 2009 (ARRA) was an $800 billion stimulus to aid in the economic recovery of the 2008 financial crisis. The Health Information Technology for Economic and Clinical Health Act (HITECH) was a $35 billion provision under ARRA to incentivize providers to adopt and use EHRs (Miliard, 2019). The HITECH Act later became formally known as the Medicare & Medicaid Incentive Program or more commonly referred to as Meaningful Use. Payments were made over a 5-year period and began in 2011. In order to qualify for the Meaningful Use incentive, providers had to attest to successfully using an EHR certified by the Office of the National Coordinator for Health Information Technology (ONC). The ONC was established in 2004 as a division within the U.S. Department of Health & Human Services (HHS) to provide oversight of EHRs and related technology adoption under Meaningful Use. By the end of 2013, 87% of U.S. hospitals had taken a Meaningful Use payment.
Interoperability & Continuity of Care Document Standard
The Continuity of Care Document (CCD) was introduced in Meaningful Use Stage 1 as the standard format for clinical care summaries. For EHR vendors to maintain their ONC certification, EHR systems were required to be able to generate a CCD (Murphy, 2015). Under Meaningful Use Stage 2, EHR systems needed to be able to exchange CCDs with other EHR systems, thereby establishing a clinical interoperability framework. Essentially, the Common Meaningful Use Data Set overlaps with most of the data elements found within a CCD. Many of these data elements are derived from code set standards that were established with HIPAA.
Patient Portals have been around since the early 2000s. They started becoming popular because of HIPAA, and the need for secure direct messaging between a patient and provider. Prior to Meaningful Use, patient portals were an optional feature, but most EHR vendors offered portals to remain competitive in the market. Under Meaningful Use Stage 2, patient portals were mandated, and there was an additional requirement that patients should have access to their EHR data through the patient portal. The standard format for the patient’s copy of EHR data was the CCD.
The Problem with Patient Portals under Meaningful Use
While roughly 90% of hospitals and medical groups had implemented a patient portal by the end of Meaningful Use in 2018, actual provider and patient usage was lackluster at best. From the provider perspective, the implementation of a portal was driven by compliance with Meaningful Use. According to David Harse, vice president and general manager of Consumer & Patient Engagement at Cerner Corporation, “The meaningful use portal, I hate to say it, but it was a check the box activity. The metrics and therefore, the solutions, weren’t built with the true customer in mind. The patient portal was built for the buyer, the health system.” (Healy, 2020) Consequently, patient adoption and use of portals was low because there was a general lack of awareness. Compared to digital consumer technologies used in other industries, portals introduced in the Meaningful Use era were not as robust and fostered very little patient engagement. In a nutshell, patient portals simply were not relevant to patients or providers in the Meaningful Use era.
Patient Engagement Trends During Meaningful Use
While Meaningful Use was in full swing, the movement toward value-based care accelerated patient engagement strategies. For example, employer-sponsored health insurance was shifting from first dollar coverage to high-deductible health plans (HDHPs) during this time. As the trend with HDHPs continued to gain momentum, there was further innovation around employer-sponsored health benefits to ease the financial burden for employees and enable wise health services decision making. Telehealth services were introduced into benefit plans, and these were typically subsidized by the employer and frequently provided at no cost to the employee. As a patient engagement tool, the logic was to incentivize using telehealth instead of more expensive health services such as the emergency room or urgent care. The growth of Medicare Advantage during this period is another example of value-based care. These plans drove innovation with patient engagement strategies to support population health initiatives and fostered provider collaboration to improve quality. Patient engagement was at the forefront of aligning incentives that corresponded with emerging payment models and the underlying quality measures in value-based contracts.
COVID & Patient Portals
EHR vendors were paying close attention to the trends with patient engagement, and many began to focus on improving their patient portals to harness these trends before the COVID-19 pandemic started. “All areas of healthcare have had to catch up with other consumer-facing sectors, like the restaurant business with OpenTable or the airline industry with its virtual flight check-ins. Although slow and steady, healthcare—the patient portal included—has caught up,” said Paul Brient, chief product officer at athenahealth (Healy, 2020). When the pandemic forced providers to shut down, patient portals became a lifeline to patients and providers. Telehealth utilization exploded during COVID, and many EHRs, like Epic, began to offer access to video consults within the patient portal. Fortunately, Epic had a substantial head start in telehealth via its relationship with Twilio and began offering video consults through MyChart, Epic’s patient portal, early in 2020 (Twilio, 2020). COVID testing, results and vaccine status were also available within patient portals and drove high levels of awareness. Basically, the pandemic made the patient portal relevant because the value to patients and providers was vital for the first time.
Current State of Patient Portal
While portal utilization exploded in 2020 with COVID, awareness and use remained high in 2021 with overall use of portals, up 17% per Medical Group Management Association (MGMA, 2022). Portals continue to be the recommended option for fulfilling individual right of access requests for obtaining medical record data, and this functionality is frequently addressed in ONC provider educational materials to explain the IBR.
The Cures Act and Information Blocking Rule
The 21st Century Cures Act was signed into law in 2016 by Barack Obama, but the final rule was not effective until June 2020. The primary objectives of this legislation were to:
- Advance interoperability,
- Support the access, exchange, and use of electronic health information (EHI),
- Address occurrences of information blocking.
EHI was defined by HHS as electronic PHI, and the overarching theme of the Cures Act was to enable patients to easily access their EHI. The IBR was a component of the Cures Act intended to prevent interference with the flow of EHI. As defined by Congress, information blocking is a practice that is “likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.”
EHR vendors and HIEs are subject to civil penalties for information blocking up to a maximum of $1 million per violation. ONC has yet to provide specific penalties to provider violations of information blocking but has stated these could be in the form of reductions to Medicare and Medicaid reimbursement.
Opposition to IBR
The main reason it took six years to implement the IBR is because it was opposed by nearly every corner of the healthcare industry. In January 2020 before the Cures Act final rule was introduced, the American Medical Association (AMA) and College of Healthcare Information Management Executives (CHIME) wrote members of Congress suggesting the definition of EHI was “complex and confusing.” During this same period, Judy Faulkner, CEO of Epic Systems, threatened to sue HHS over the IBR but later changed her mind (Drees, 2020). However, Faulkner did email the presidents and CEOs of Epic’s customer base urging health system leaders to sign her letter to oppose the proposed draft of the legislation. About 60 of Epic’s customers signed Faulkner’s letter to Alex Azar, head of HHS, at the time (Farr, 2020). In August 2022 weeks before IBR went into effect, several leading healthcare industry trade associations co-authored a letter to HHS urging for the delay of the IBR (Muoio, 2022).
Patient Portals and Right of Access to EHI
It has been over 25 years since HIPAA, and even though most providers are using ONC-certified EHRs, there are over 9 billion fax pages exchanged each year in healthcare (Feldman, 2019). This clearly does not align with the government’s objectives for interoperability under the Cures Act. Printing, copying, and faxing all pertain to paper, not EHI. The primary method of electronic data exchange with paper is by a fax machine. The government’s intention, as demonstrated through Meaningful Use incentive payments to providers, is to use today’s technologies to exchange electronic data. Further demonstration of the government’s intention is also conveyed through the punitive aspects of not complying with the IBR.
“Recognize and plan for the fact that a HIPAA-defined individual access request could come to the Actor, based on patient direction, from third party apps, legal counsel, etc., in addition to coming from the patient (Sequoia Project).”
Applying the IBR to EHI provides a framework for a modern era of EHRs and health information exchange. The intention with EHI is to allow the data to flow between providers for treatment, payment, and operations. Additionally, there was clear intention that the government wanted to enable patients to access and share their EHI whenever or wherever it was needed. Patient portals were designed to support self-fulfillment of EHI via an individual access request. The IBR facilitates a contemporary approach to right of access requests using EHRs and patient portals, not paper. The 30 (or 60 day) right of access under the Privacy Rule is still applicable to PHI and paper records. Under the IBR, the timeliness requirement for right of access requests is not clearly defined, but ONC has offered guidance on examples of interference that suggest providers need to assure their patient portals are operational. Earlier this summer in an Information Blocking webinar to educate providers, ONC suggested to “engage your colleagues and patients—has your organization informed your patients what EHI is available to them in their portal?”
ONC Examples of Provider Interference with EHI
“I have implemented a patient portal that includes the capability to directly transmit or request direct transmission of their EHI to a third party, but I choose not to enable the capability.”
“I have the capability to provide same-day access to EHI in the manner requested by a patient or a patient’s health care provider but choose to take several days to respond.”
“I have implemented a FHIR API that supports patients’ access to their EHI via app but refuse to allow publication of the ‘FHIR service base URL’ (sometimes also referenced as ‘FHIR endpoint’).”
Over the past 25 years, the government has used a series of health policies to build a foundation that was intentionally designed to replace paper-based medical records and support electronic data exchange. These health policies used a combination of incentives and penalties to move the healthcare industry forward. Meaningful Use paid providers to use EHRs and patient portals. The IBR reinforces the government’s intentions under Meaningful Use to assure that EHRs and patient portals continue to be used by providers. The IBR indirectly amends the HIPAA Privacy Rule and expands individual right of access to EHI – putting the patient in control of access and information sharing. Patient portals are a core component to fulfilling individual right of access requests to EHI, especially timeliness of access, whenever it is needed. When a patient desires access to their EHI and its not available, this is interference and an Information Blocking violation. The IBR is new, and it has the teeth to assure providers and EHR vendors are playing by the rules.
When your health records are needed somewhere else, like at a new physician, to support a claim, or join a patient community, you discover how antiquated the process is. Your health information doesn’t easily move with you. Instead, the process still relies on paper and fax. It’s slow, time consuming, expensive, and annoying.
Greenlight is the secure digital answer to automated medical records retrieval and delivery. Greenlight allows the patient to authorize and digitally move their health records to their destination with ease, speed and security. Greenlight makes sharing medical records as simple as it ought to be.
Dworkowitz, A. (2022). “Provider obligations for patient portals under the 21st Century Cures Act”, Health Affairs Forefront, May 16, 2022. https://www.healthaffairs.org/do/10.1377/forefront.20220513.923426/
Hartley, C. and Jones, E. (2004). HIPAA plain and simple: a compliance guide for health care professionals. United States. American Medical Association.
Miliard, M. (2019). “10 years on from meaningful use, major progress despite the challenges”, HealthcareITNews, December 30, 2019. https://www.healthcareitnews.com/news/10-years-meaningful-use-major-progress-despite-challenges
Murphy, K. (2015). “How do data exchange standards of meaningful use differ”, EHR Intelligence, March 30, 2015. https://ehrintelligence.com/news/how-do-data-exchange-standards-of-meaningful-use-differ
Healy, S. (2020). “Was COVID 19 healthcare’s use case for the patient portal?”, Patient Engagement HIT, September 18, 2020. https://patientengagementhit.com/features/was-covid-19-healthcares-use-case-for-the-patient-portal
Twilio. (April 30, 2020). Twilio to power Epic’s new telehealth video offering [Press Release]. https://www.twilio.com/press/releases/twilio-to-power-epics-new-telehealth-video-offering
MGMA. (August 2022). “Patient access and value-based outcomes amid the great attrition”, MGMA Datadive Practice Operations. https://www.mgma.com/getmedia/ea981abd-f004-49f3-bfe4-09606d88b0c8/PracticeOperations-DataReport-August2022-FINAL.pdf.aspx
Drees, J. (2020). “Epic may sue HHS over interoperability rules concerns, Judy Faulkner says”, Becker’s Health IT, January 24, 2020. https://www.beckershospitalreview.com/ehrs/epic-may-sue-hhs-over-interoperability-rules-concerns-judy-faulkner-says.html
Farr, C. (2020). “Epic and about 60 hospital chains come out against rules that would make it easier to share medical info”, CNBC, February 5, 2020. https://www.cnbc.com/2020/02/05/epic-about-60-hospitals-sign-letter-opposing-hhs-proposed-data-rules.html?&qsearchterm=judy%20faulkner
Muoio, D. (2022). “Providers say they need an extra year, clearer guidance to meet HHS’ looming info blocking requirements”, Fierce Healthcare, September 27, 2022 https://www.fiercehealthcare.com/providers/providers-say-they-need-extra-year-clearer-guidance-meet-hhs-looming-info-blocking
Feldman, T. (2019). “How healthcare can stop faxing”, DirectTrust, September 23, 2019. https://directtrust.org/blog/how-healthcare-can-stop-faxing/%E2%80%8B
Sequoia Project. (September 19, 2022). “Good practices for information sharing and information blocking compliance”. https://sequoiaproject.org/interoperability-matters/information-blocking-compliance-workgroup/information-blocking-compliance-workgroup-resources/