I believe that the “Preventing Harm Exception” under the Information Blocking Rule is the most challenging exception to decipher and apply. This is particularly so because some of the standards do not precisely track HIPAA, and yet other standards appear to be inconsistent in how they are applied. In this post, I will attempt to distill the Preventing Harm Exception down to its basic elements, as well as point out issues to be aware of as Actors work to implement these new requirements into their compliance processes.
The Preventing Harm Exception can be found at 45 C.F.R. §171.201. Under the exception, an “Actor” (i.e., health care provider, HIE/HIN, or developer of certified Health IT) may be permitted to “interfere with” a request for access to EHI in order to “prevent harm,” but only if the following conditions are met:
> The Actor has a reasonable belief that the interference with access to EHI would substantially reduce a risk of harm to a patient or another natural person that would otherwise occur if the requested EHI is allowed to be accessed, exchanged, or used;
> Interference must be no broader than necessary to substantially reduce the risk of harm;
> The risk of harm must be either:
- determined on an individualized basis in the exercise of professional judgment by a licensed health care professional who has a current or prior clinician-patient relationship with the patient;
- one that arises from data that is known or reasonably suspected to be misidentified or mismatched, corrupt due to technical failure, or erroneous for another reason.
> The type of harm must meet one of two potential standards:
Harm Standard #1: Reasonably likely to endanger the life or physical safety of the individual or another person.
Harm Standard #2: Reasonably likely to cause substantial harm of the individual or another person.
These required criteria would be applied to only four (4) potential “request” scenarios:
1. A “legal representative” (which includes a HIPAA personal representative) requests access, exchange or use of an Individual’s EHI form whom the legal representative represents;
2. The Individual or his/her legal representative requests access, exchange or use of the Individual’s EHI, however such EHI references another person;
3. The Individual requests access, exchange or use of his/her EHI; or
4. Any other request for “legally permissible” access, exchange or use EHI that is not described in 1-3.
In response to each of the four possible types of requests for EHI that an Actor might receive, ONC “mapped” the required Harm Standard to be applied by cross-referencing regulatory subsections in the HIPAA Privacy Rule section governing patient access. In doing so, the regulatory language governing “type of harm” in the Preventing Harm Exception looks like this (highlights are mine):
After one hunts down the applicable HIPAA Privacy Rule sub-section to ascertain which Harm Standard applies to a particular type of request under the Preventing Harm Exception, we can finally summarize the conclusions as follows:
However, ONC’s own attempt at “mapping” the types of requests for EHI to HIPAA’s Privacy Rule standards creates some confusion. On page 25828 of the Preamble to the Final Rule for Information Blocking (see 85 Fed Reg. 25642, 25828 (May 1, 2020), ONC offered the following “summary chart” in an attempt to help Actors understand how the Prevention Harm Exception cross-walks with HIPAA’s patient access requirements (again, the highlighting is mine):
As one can see, the last “request scenario” presented in ONC’s “mapping” identifies only scenarios where the patient’s “legal representative” is making an otherwise “legally permissible” request for access, exchange, or use of the patient’s EHI. But, this does not track the language found in §171.201(d)(4), which instead says the following:
“[the harm to life or physical safety standard applies] where the practice is likely to, or in fact does, interfere with a legally permissible access, exchange, or use (as these terms are defined in §171.102) of electronic health information not described in paragraph (d)(1), (2), or (3) of this section . . .”
Therefore, the language in the rule itself appears to allow for a much broader category of potential requests that just those coming from a “legal representative.” In fact, on page 25827 of the Preamble to the Final Rule, ONC recognized this as well when it states:
“Because the circumstances to which the finalized §171.201(d)(4) applies include access, exchange, or use of the patient’s EHI by health care providers furnishing services to the patient, we believe it is most appropriate to apply under §171.201(d)(4) the same standard of harm that would apply to denying a patient access to the patient’s EHI.”
Is ONC suggesting here that health care providers are “legal representatives” of the patient? (note: “legal representative” is not a defined term in the Information Blocking Rule, but ONC suggests multiple times in the Preamble that there are persons who would qualify as a “legal representative” but might not qualify as a “personal representative” under HIPAA)? Or, more likely, does ONC’s “mapping chart” inadvertently limit the types of requestors who/that could have a “legally-permissible” right to access, exchange, or use a patient’s EHI? I believe it is the latter, but its worth keeping an eye out for further clarification on this point from ONC.
Another ambiguity in the Preventing Harm Exception is with regard to which Harm Standard should be applied when EHI references another natural person (not the patient), but the request is not received from the patient or his/her legal representative. Section 171.201(d)(2) is clear that when the patient or legal representative makes such a request, then all that is needed is a determination by the patient’s health care professional that release of the EHI could cause “substantial harm” to that other person referenced in the patient’s EHI. However, no such distinction is made in §171.201(d)(4) where any other legally permissible request for access, exchange and use of EHI is received. Under §171.201(d)(4) requests, the “danger to life or physical safety” standard applies, regardless. As a result, any other natural person who might be referenced in the EHI would potentially be afforded less protection than by the substantial harm standard, which applies when the request is received by the patient or his/her legal representative. This does not seem to make sense, but ONC offered no further clarification about this discrepancy in the Preamble. Therefore, for now Actors will need to follow the express regulatory language.
The final “discrepancy” I will point out is the standard applied by the Information Blocking Rule versus HIPAA with regard to determinations of “risk of harm” made by licensed health care professionals. Under HIPAA, the risk of harm to a patient or another person was permitted to be made by a licensed health care professional who is exercising his/her professional judgement. This allowed for such professionals to develop potential policies for specific scenarios, provided that they reflect professional judgement and a prevailing standard of care. At a minimum, it would allow for potential consultation with any health care professional if needed to obtain a risk of harm determination. The Information Blocking Rule curtails this approach taken by HIPAA, significantly. Under the Preventing Harm Exception, the health care professional must have a “current or prior clinician-patient relationship” with the patient, and each risk of harm determination must be made on an individualized basis. Neither of these two criteria were expressly required by HIPAA. As a result, organizational policies governing the right-of-access under HIPAA will need to be updated to address this new standard under the Preventing Harm Exception.
In sum, despite ONC’s noted attempt to align the Preventing Harm Exception with HIPAA’s right to access requirements, there remain discrepancies and differences that organizations will need to vet, address and implement as the April 5th compliance deadline nears. These efforts must also include education and training of health care professionals who will be responsible for making these individualized risk of harm determinations. This will ensure that such decisions are being made within the new parameters and standards set forth in the Information Blocking Rule.
Towards the end of February, I will be offering a 1-hour Webinar exclusively on how to operationalize the Preventing Harm Exception — so keep an eye out in future posts on how to register!