Cures Act Information Blocking Rule explained

A customer recently emailed us asking for confirmation of our ability to comply with the Cures Act Information Blocking rule.

This post will cover what the Information Blocking rule is and how we comply with it.

What is the Cures Act Information Blocking rule?

The 21st Century Cures Act (Cures Act) was established in 2016 as part of a bipartisan effort to promote data sharing and interoperability in the healthcare industry, with the ultimate goal of improving patient care and outcomes.

Key to the Cures Act was making the sharing of electronic health information (EHI) the expected norm in healthcare by prohibiting "Actors" - healthcare providers, health IT developers of certified health IT, and Health Information Networks (HINs) or HIE's - from engaging in practices that knowingly and unreasonably interfere with, prevent, or limit the access, exchange, or use of EHI.

The 2020 Cures Act Final Rule established exceptions to information blocking in order to fully implement the law.

The final rule was published to the Federal Register on May 1, 2020 and went into effect on 5 April 2021.

The eight exceptions to Information Blocking

The Cures Act Final Rule established several exceptions, which are situations in which Actors may engage in practices that would otherwise be considered information blocking.

These exceptions include:

1. Privacy. Covered entities are allowed to protect the privacy of individuals, including withholding information that would reveal sensitive personal information such as HIV status or mental health diagnosis.
2. Security. Covered entities are allowed to protect the security of electronic health information (EHI) and prevent unauthorized access, use, or disclosure of EHI.
3. Infeasibility. Covered entities are allowed to not act if doing so would be infeasible, such as if the requested information is not maintained in a format that can be shared electronically.
4. Fees. Covered entities can charge a reasonable, cost-based fee for access, exchange, or use of electronic health information (EHI).
5. Health IT Performance. Covered entities are allowed to limit or restrict access to EHI if doing so is necessary to maintain the performance of their health IT systems.
6. Licensing. Covered entities can limit the access, exchange, or use of EHI if necessary to comply with applicable laws and regulations regarding the licensing of healthcare providers or other regulated entities.
7. Emergency. In case of emergency treatment, covered entities can use their discretion to provide EHI to other providers as needed to ensure continuity of care and protect the patient's health.

It's important to note that these exceptions are not absolute and that the entity that wants to use them must be able to demonstrate and document they meet the criteria of the exception.

What's the difference between the Information Blocking Rule and the HIPAA Right of Access provision?

Launched in 2019, the OCR HIPAA Right of Access Initiative is designed to, “to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.” This investigation marked the 42nd case to be settled under the initiative.

The right of access provision states that a covered entity must provide access to protected health information (PHI) no later than 30 days from receiving the request.

White the Cures Act Information Blocking Rule is focused on promoting interoperability and the free flow of electronic health information by prohibiting certain types of information blocking, the HIPAA Right of Access provision gives individuals the right to access their own protected health information held by covered entities.

How does Paubox comply with the Cures Act Information Blocking Rule?

Although Paubox does is not a healthcare provider, developer of certified health it, or HIN/HIE, we do comply with the Cures Act in regards to information blocking, as we do not impede the flow of information.

Rather, the opposite is true. By using Paubox, customers gain increased information flow with secure, HIPAA compliant email solutions.

We believe compliance with the Cures Act is crucial to achieving our mission of becoming the market leader for HIPAA compliant communication.