Frequently Asked Questions
Yes, any individual or entity that meets the definition of at least one category of actor—“health care provider,” “health IT developer of certified health IT,” or “health information network or health information exchange” —as defined in 45 CFR 171.102 is subject to the information blocking regulations in 45 CFR part 171. The information blocking regulations in 45 CFR part 171 apply to a health care provider, as defined in the Public Health Service Act and incorporated in 45 CFR 171.102, regardless of whether any of the health IT the provider uses is certified under the ONC Health IT Certification Program.
Yes, any individual or entity that meets the definition of at least one category of actor —“health care provider,” “health IT developer of certified health IT,” or “health information network or health information exchange” — as defined in 45 CFR 171.102 is subject to the information blocking regulation in 45 CFR part 171. The information blocking regulations in 45 CFR part 171 apply to an entity that meets the HIN or HIE definition regardless of whether any of the health IT the HIN or HIE uses is certified under the ONC Health IT Certification Program.
The definition of “health information network (HIN) or health information exchange (HIE)” in 45 CFR 171.102 is a single, functional definition. We did not specifically exclude any particular entities from the definition, nor did we specifically identify particular entities in the definition. In order to determine whether your organization is a HIN/HIE for information blocking purposes, you should assess whether your organization’s functional activity meets the HIN/HIE definition in 45 CFR 171.102. The Information Blocking Actors fact sheet on HealthIT.gov presents the actor definitions in an easy-to-use format.
The answer depends on whether your company or organization meets the definition of “health IT developer of certified health IT” in 45 CFR 171.102. Under the definition, an individual or entity that develops or offers health IT is a “health IT developer of certified health IT” so long as that individual or entity develops or offers at least one Health IT Module certified under the ONC Health IT Certification Program. However, the definition explicitly excludes a health care provider that self-develops Health IT that is not offered to others. The Information Blocking Actors fact sheet on HealthIT.gov presents the actor definitions in an easy-to-use format.
Updated:
This FAQ has been updated to reflect the effective date of the HTI-1 Final Rule.
Yes. For purposes of the information blocking regulation, a “health IT developer of certified health IT” is defined in 45 CFR 171.102. With the sole exception of a health care provider that self-develops certified health IT that is not offered to others, this definition is met by any individual or entity that develops or offers health IT certified under the ONC Health IT Certification Program. If an individual or entity offers certified health IT for any period of time on or after the applicability date of 45 CFR part 171, then they would be considered to be a “health IT developer of certified health IT” for purposes of their conduct during that time. The information blocking provision would not apply to conduct the individual or entity engaged in after they no longer have or no longer offer any certified health IT. However, claims of information blocking with respect to conduct occurring while the individual or entity had certified health IT could be acted upon by HHS after the individual or entity no longer had or offered certified health IT. (See also ONC Cures Act Final Rule page 85 FR 25797).
Updated:
This FAQ has been updated to reflect the effective date of the HTI-1 Final Rule.
For purposes of the information blocking regulation in 45 CFR part 171, the term "actor" includes health care providers, health IT developers of certified health IT, and health information networks (HIN) or health information exchanges (HIE), as defined in 45 CFR 171.102. Although health plans and other payers are not specifically identified within any of these definitions, they also are not specifically excluded. To the extent an individual or entity that is a payer also meets the 45 CFR 171.102 definition of "health care provider," "health IT developer of certified health IT" or "health information network or health information exchange," that individual or entity would be considered an "actor" for purposes of information blocking. In addition, the HIN/HIE definition is a functional definition and should be reviewed for potential applicability to a health plan’s activities. The Information Blocking Actors fact sheet on HealthIT.gov presents these definitions in an easy-to-use format. (See also Cures Act Final Rule page 85 FR 25803)
In some instances, a business associate will be an actor under the information blocking regulation in 45 CFR part 171 and in other situations, it may not be an actor. The information blocking regulations in 45 CFR part 171 apply to health care providers, health IT developers of certified health IT, and health information networks (HIN) and health information exchanges (HIE), as each is defined in 45 CFR 171.102. Any individual or entity that meets one of these definitions is an “actor” and subject to the information blocking regulation in 45 CFR part 171, regardless of whether they are also a HIPAA covered entity (CE) or business associate (BA).
The Preventing Harm Exception at 45 CFR 171.201 relies on the same types of harm as apply for a covered entity to deny access to protected health information under the HIPAA Privacy Rule (see 45 CFR 164.524(a)(3)). Where an actor's practice, based on an individualized (45 CFR 171.201(c)(1)) determination of risk, is likely to interfere with a patient's or patient representative's access, exchange, or use of the patient's EHI, the type of harm (45 CFR 171.201(d)) needed for the exception to apply depends on who is seeking access to the EHI, and what EHI they are seeking to access.4
The table below shows the type of harm recognized under the Preventing Harm Exception for several commonly encountered patient access scenarios.1
|
Access, exchange, or use of patient's EHI |
EHI for which access, exchange, or use is affected by the interfering practice is |
Applicable type of harm1 |
Regulation Text References |
|
Patient exercising own right of access |
Patient's EHI |
Danger to life or physical safety of the patient or another person |
§ 171.201(d)(3), referencing HIPAA Privacy Rule § 164.524(a)(3)(i) |
|
Patient's EHI that references another person |
Substantial harm3 to such other person |
§ 171.201(d)(2), referencing HIPAA Privacy Rule § 164.524(a)(3)(ii) |
|
|
Patient's personal representative as defined in HIPAA Privacy Rule (45 CFR 164.502) exercising right of access to patient's EHI (for example, parent of a minor child)2 |
Patient's EHI |
Substantial harm3 to the patient or to another person |
§ 171.201(d)(1), referencing HIPAA Privacy Rule § 164.524(a)(3)(iii) |
|
Patient's EHI that references another person |
Substantial harm3 to such other person |
§ 171.201(d)(2), referencing HIPAA Privacy Rule § 45 CFR 164.524(a)(3)(ii) |
|
| Notes: | |||
|
1 - For simplicity of presentation, this table focuses only on patient access use case examples where risk has been determined on an individual basis (45 CFR 171.201(c)(1)). Where the risk arises from data that is known or reasonably suspected to be misidentified or mismatched, corrupt due to technical failure, or erroneous for another reason (45 CFR 171.201(c)(2)), the exception's applicable type of harm conditions (45 CFR 171.201(d)(3) and (4)) recognize only danger to life or physical safety of the patient or another person. |
|||
|
2 - For more information about the definition of a “personal representative” under the HIPAA Privacy Rule, please see https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/index.html |
|||
|
3 - “Substantial harm” includes “substantial physical, emotional, or psychological harm” (see, for example, HIPAA Privacy Rule preamble at 65 FR 82556). |
|||
|
4 - In order for the Preventing Harm Exception to cover any practice likely to interfere with access, exchange, or use of EHI based on an individualized (45 CFR 171.201(c)(1)) determination of risk, the practice must also satisfy requirements in 45 CFR 171.201(a), (b), (e), and (f). |
|||
For more information about the Preventing Harm Exception, please reference the ONC Cures Act Final Rule preamble discussion and the other FAQs under the Preventing Harm Exception heading.
For more information about the HIPAA Privacy Rule, the Privacy Rule individual right of access, or grounds for denial of access under the Privacy Rule, please visit the Health Information Privacy section of the HHS website.
No. Unless an actor reasonably believes a practice that interferes with a parent or other legal representative’s requested access, exchange, or use of the minor’s electronic health information (EHI) will substantially reduce a risk of at least substantial harm to the patient or another person, the Preventing Harm Exception is not designed to cover that practice.
The Privacy Exception contains a sub-exception (45 CFR 171.202(e)) that covers practices respecting an individual’s request not to share information, subject to certain conditions.
Yes. The Preventing Harm Exception’s type of harm condition relies on the same types of harm that serve as grounds for reviewable denial of an individual’s right of access under the Privacy Rule (45 CFR 164.524). (See ONC Cures Act Final Rule preamble Table 3—Mapping of Circumstances Under § 171.201(d) to Applicable Harm Standards.)
In most instances, including where a practice interferes with a patient’s own or the patient’s other health care providers’ legally permissible access, exchange, or use of the patient’s electronic health information (EHI), coverage under the Preventing Harm Exception requires that the risk be of physical harm. (See 45 CFR 171.201(d)(3) and (4).)
However, the Preventing Harm Exception’s type of harm condition applies a “substantial harm” standard for practices interfering with a patient’s representative’s requested access, exchange, or use of the patient’s EHI and to the patient’s or their representative’s access to other persons’ individually identifiable information within the patient’s EHI in some circumstances. (See 45 CFR 171.201(d)(1) and (2)).
No. Blanket delays that affect a broad array of routine results do not qualify for the Preventing Harm Exception. The Preventing Harm Exception is designed to cover only those practices that are no broader than necessary to reduce a risk of harm to the patient or another person.
As we discussed in the Cures Act Final Rule, a clinician generally orders tests in the context of a clinician-patient relationship. In the context of that relationship, the clinician ordering a particular test would know the range of results that could be returned and could prospectively formulate, in the exercise of their professional judgment, an individualized determination for the specific patient that:
- withholding the results of the particular test(s) from the patient would substantially reduce a risk to the patient’s or another person’s life or physical safety
- or - - that withholding the results of the particular test(s) from a representative of the patient would substantially reduce a risk of substantial harm to the patient or another person.
Such individualized determinations made in good faith by an ordering clinician, in the exercise of their professional judgment and in the context of the treatment relationship within which they order the test, would satisfy the type of risk and type of harm conditions of the Preventing Harm Exception. Actors, including but not limited to the ordering clinician, could implement practices in reliance on such determinations and the Preventing Harm Exception would cover such practices so long as the practices also satisfy the other four conditions of the exception.
No. The reasonable belief condition does not include a requirement that the harm be expected to occur within a particular time period or that the likelihood of the harm be high enough to be considered “imminent.” (See 45 CFR 171.201(a)). The Preventing Harm Exception’s reasonable belief condition requires an actor engaging in a practice likely to interfere with a patient’s access, exchange, or use of their own EHI to have a reasonable belief that the practice will substantially reduce a risk to life or physical safety of the patient or another person that would otherwise arise from the affected access, exchange, or use.
Yes, where the risk of harm has been determined on an individualized basis and all other conditions of the Preventing Harm Exception are met. For example, the practice must be no broader than necessary and the actor must reasonably believe the practice will substantially reduce the risk of harm. (For all the conditions of the Preventing Harm Exception, please see 45 CFR 171.201.)
For purposes of the Preventing Harm Exception, a parent or legal guardian would be considered a patient’s legal representative. The Preventing Harm Exception’s type of harm condition applies a “substantial harm” standard for practices interfering with a patient’s representative’s requested access, exchange, or use of the patient’s EHI. (See 45 CFR 171.201(d)(1)).
The type of harm conditions for Preventing Harm Exception coverage of practices interfering with patients’ and their representatives’ access to EHI on the basis of an individualized determination of risk are specifically aligned with the HIPAA Privacy Rule’s grounds for reviewable denial of an individual’s right of access under the Privacy Rule. (See also ONC Cures Act Final Rule preamble discussion and Table 3—Mapping of Circumstances Under § 171.201(d) to Applicable Harm Standards).