Info Blocking

From an attorney’s perspective, how should organizations prepare to comply with the info blocking rule?


By Meghan Franklin
March 18, 2021


As an attorney who predominantly practices in the health care space, Helen Oscislawski, Esq. is working to help prepare organizations to comply with the Information Blocking Rule (IBR).

As health care organizations across the country prepare to comply, one of Oscislawski’s concerns is that “Actors” that are required to comply with the IBR don’t fully understand the complexities of the IBR exceptions and haven’t worked through enough use cases to determine what they would do in various scenarios.

“I’ve come across situations where electronic medical record (EMR) vendors are telling organizations, ‘We’ve got this; don’t worry about it,’” Oscislawski said. “Information blocking, however, is not completely a technological issue.”

Yes, EMRs are going through a certification process with updated criteria also set forth in the IBR, but Oscislawski said that this certification and its technological requirements will lag behind what Actors like health care organizations are required to do to comply with the IBR.

In addition to helping Actors see that IBR compliance requires a heavy lift from the operational, not just technological, side of things, Oscislawski ensures they appreciate that application of HIPAA doesn’t necessarily translate into compliance with the IBR.


Tackling information blocking compliance at your organization


If you haven’t already, Oscislawski recommends assembling an information blocking “task force” comprised of members from a variety of areas, including representatives from your EMR vendor; and members from your information technology/security, privacy, legal/compliance, health information management and clinician teams.

Oscislawski recommends the task force work through various scenarios where information blocking compliance might be an issue, like requests and release of information through the patient portal.

The release of lab results is one example of a common scenario for which organizations may need to revisit their current policies and procedures in order to comply with the IBR.

“Historically, many providers have delayed lab results until the ordering physician reviewed the results. In some cases, they waited to review the results until the patient’s next appointment,” Oscislawski said.

The Office of the National Coordinator for Health Information Technology (ONC) has been explicit, however, that lab results cannot be withheld from patients as the default, Oscislawski said.

Results can be withheld on a case-by-case basis, but the reason for withholding must meet the very specific criteria laid out in the information blocking exceptions.

In the past, your organization may have had a policy that said if lab results show a diagnosis of X, Y or Z, they should not be released to the patient and, instead, the provider should communicate the results.

Under the IBR, this policy won’t fly. Instead, a “preventing harm” exception to releasing lab results to the patient can only be claimed if the provision of those lab results is “reasonably likely to endanger the life or physical safety of the patient or another person.”

To further complicate things, when a patient requests lab results, the provider directly involved in the patient’s care must make the determination that releasing the results to the patient would put the patient’s or another person’s life or physical safety in jeopardy. If the requestor, however, is a legal representative or the requested electronic health information (EHI) references a person apart from the patient requestor, a provider can claim the preventing harm exception based on a different “substantial harm” standard.

Oscislawski wrote an excellent blog post, “How the Preventing Harm Exception Changes HIPAA,” on her Legal Health information exchange blog that further details the nuances between preventing harm under HIPAA and the new info blocking regulations.

In Table 1, Oscislawski provides a summary of when the preventing harm exception can be claimed based on requestor and if the requested EHI references another person.

Table 1 Differing preventing harm standards

© 2021 Legal HIE.

Essentially, Oscislawski said that there appears to be an inconsistency with how HIPAA has historically been interpreted and how the IBR treats the same standards.

A task force, she said, should delve into those inconsistencies and determine where clarification, guidance and perhaps new policies and procedures are needed.

Oscislawski recommends developing basic information blocking policies for each of the IBR exceptions and then implementing compliant practices.

For the preventing harm exception, for example, she recommends implementing the following compliant practices:

  • Use a harm “Decision Tree” for determinations.
  • Educate your practitioners on how to make “harm” determinations.
  • Make determinations based on written organizational policy or episodic determinations.

Oscislawski provides more suggestions on how your organization can implement compliant practices in her blog post, “Checklist for Info Blocking Compliance.”


An information blocking compliance forecast


As an attorney, Oscislawski knows the role that precedent plays in helping actors comply with regulations. “I do think that the information blocking exceptions will become clearer as complaints are brought and cases are reviewed,” she said.

“The way this (info blocking) rule applies reminds me of the Stark law,” Oscislawski said. The Stark law is the more common name for the Medicare physician self-referral law that aims to protect patients from physicians steering them to less convenient, lower quality, or more expensive services because of financial self-interest.

“Like with Stark, I think there will remain a sense of complexity with the info blocking rule for the foreseeable future,” Oscislawski said. “Things will be evolving at lightning speed, and I think there will always remain scenarios that will remain nuanced and challenging—things like when parents can and cannot access minors’ information.”

Oscislawski said that a lack of current defined penalties for providers who fail to comply with the IBR will likely not help with the compliance rate, initially.

“With HIPAA, we saw that many were not compliant until enforcement began,” Oscislawski said.

Still, she urges all health care organizations to proactively establish strategies and the framework to help them become and stay compliant.

“The more organizations can discuss information blocking’s complexities and various scenarios where they may face compliance challenges, the better,” Oscislawski said.


About the expert: Helen Oscislawski, Esq. has over 20 years of experience working with a variety of healthcare clients, including multi-system and single-system health information exchanges (HIEs), hospitals, health care systems, ambulatory care facilities, and the pharmaceutical industry. She’s an expert at helping clients navigate legal issues related to the implementation and use of health information technology. She also frequently advises clients on how to comply with rapidly evolving federal and state standards governing data use, access and sharing. She is the Founder of Attorneys at Oscislawski LLC and the Co-founder of the Legal Health information exchange blog, a popular go-to resource to readers looking for the latest and greatest information about legal developments affecting the electronic exchange of health information.

About the writer: Meghan Franklin is a writer and strategic communicator with an M.A. in Rhetoric and a deep background in healthcare. As a former healthcare IT project manager and communications specialist at one of the nation’s leading children’s hospitals, she loves delving into healthcare topics. She values working with individuals and organizations on a mission to do something good.


← Back to blog



Subscribe for updates



Are you prepared for the info blocking rule? Take our free compliance assessment