Handbook of Operating Procedures 2-1910

Availability of Electronic Health Information & Prohibition Against Information Blocking



Effective February 18, 2021
Executive Sponsor: Vice President for Medical Affairs
Policy Owner: Privacy Officer


 

  1. Policy Statement

The University of Texas at Austin (University) and its HIPAA covered components, as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), are committed to ensuring that electronic health information (EHI) is available and usable by patients for authorized purposes pursuant to applicable laws and specifically in accordance with the 21st Century Cures Act (Cures Act) and applicable regulations.
 

  1. Reason for Policy

This Policy provides information regarding the University’s efforts to support the seamless exchange of, access to, and use of EHI, to promote interoperability of systems containing EHI, to address information blocking in accordance with the Cures Act and its implementing regulations, and to ensure that the University’s HIPAA-covered components comply with applicable law.
 

  1. Scope & Audience

This Policy applies to the University’s HIPAA-covered components as designated by the University from time to time and health care providers providing clinical care and treatment within the University’s HIPAA-covered components.
 

  1. Definitions (specific to this policy)

Access:
the ability or means necessary to make electronic health information available for exchange or use.

Electronic Health Information (EHI):
electronic protected health information (as defined in 45 C.F.R. § 160.103) to the extent that it would be included in a designated record set (as defined in 45 C.F.R. § 164.501), regardless of whether the records are used or maintained by or for a covered entity. But EHI does not include: (1) psychotherapy notes as defined in 45 C.F.R. § 164.501; or (2) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Health Care Provider:
includes a HIPAA-covered University component which provides medical care and treatment to patients.  This includes a hospital, health care clinic, ambulatory surgery center, community mental health provider, emergency medical services provider, federally qualified health center, group practice, pharmacist, pharmacy, laboratory, physician, health care practitioner, therapist, and any other category of health care facility, entity, practitioner, or clinician determined appropriate by the University.

Health Information Technology (Health IT):
hardware, software, integrated technologies or related licenses, IP, upgrades, or packaged solutions sold as services that are designed for or support the use by health care entities or patients for the electronic creation, maintenance, access, or exchange of health information.

Information blocking by a healthcare provider:
a practice that (1) except as required by law or covered by an exception set forth in federal regulations, is likely to interfere with access to, exchange of, or use of EHI; and (2) the provider knows is unreasonable and is likely to interfere with, prevent, or materially discourage access to, exchange of, or use of EHI.

Information blocking by a health IT developer, health information network or health information exchange:
a practice that (1) except as required by law or covered by an exception set forth in federal regulations, is likely to interfere with access to, exchange of, or use of EHI; and (2) the developer, network or exchange knows, or should know, is likely to interfere with, prevent, or materially discourage access to, exchange of, or use of EHI.

Interoperability:
with respect to Health IT means Health IT that: (1) enables the secure exchange of EHI with, and the use of EHI from, other Health IT without special effort on the part of the user; (2) allows for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law; and (3) does not constitute information blocking.

Interoperability element:
hardware, software, integrated technologies or related licenses, technical information, privileges, rights, intellectual property, upgrades, or services that: (1) may be necessary to access, exchange, or use EHI; and (2) is/are controlled by the HIPAA-covered University component, which includes the ability to confer all rights and authorizations necessary to use the element to enable the access to, exchange of, or use of EHI.

 

  1. Website (for policy)

https://secure4.compliancebridge.com/utexas/public/getdoc.php?file=3-1910
 

  1. Contacts

Jeff Graves, Chief Compliance Officer & University Privacy Officer
Phone: (512)232-7055
Website: https://compliance.utexas.edu/

Leah Stewart, Associate Vice President for Dell Medical School Legal Affairs & Dell Medical School Privacy Officer
Phone: (512)495-5146

Tim Boughal, Senior Compliance Officer
Phone: (512)495-5143
 
 
  1. Responsibilities & Procedures
Responsibilities

The University and its HIPAA-covered components will comply with the requirements and applicable standards as required, responding to appropriate requests for EHI in a timely manner and avoiding undue delay, unless an exception within the Office of the National Coordinator for Health IT (ONC) Cures Act Final Rule applies. The Final Rule describes eight (8) exceptions to the general prohibition against information blocking that do not constitute information blocking even if they interfere with access to, exchange of, or use of EHI.

Practices or activities that satisfy one or more of these eight exceptions will not be considered information blocking if all requirements of the applicable exception(s) are met. Practices not meeting all requirements of an exception will not automatically constitute information blocking; instead, such practices will be evaluated by the ONC on a case-by-case basis to determine whether information blocking has occurred.

The eight (8) exceptions are divided into two categories: (1) exceptions that involve not fulfilling a request to access, exchange, or use EHI; and (2) exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.

Five (5) exceptions involve not fulfilling requests to access, exchange, or use EHI.
  1. Preventing harm exception (45 C.F.R. § 171.201): this exception applies, provided certain conditions are met, when an actor engages in practices that are reasonable and necessary to prevent harm to a patient or another person. Any practice implemented under this exception must be documented in written policy complying with the terms of the regulation.

  2. Privacy exception (45 C.F.R. § 171.202): this exception applies, provided certain conditions are met, when an actor declines to fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy.

  3. Security exception (45 C.F.R. § 171.203): this exception applies, provided certain conditions are met, when an actor interferes with the access to, exchange of, or use of EHI in order to protect the security of EHI.

  4. Infeasibility exception (45 C.F.R. § 171.204): this exception applies, provided certain conditions are met, when an actor declines to fulfill a request to access, exchange, or use EHI due to the infeasibility of the request.

  5. Health IT performance exception (45 C.F.R. § 171.205): this exception applies, provided certain conditions are met, when an actor takes reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT.
 
Three (3) exceptions involve procedures for fulfilling requests to access, exchange, or use EHI.
  1. Content and manner exception (45 C.F.R. § 171.301): this exception applies, provided certain conditions are met, when an actor limits the content of its response to or the manner in which it fulfills a request to access, exchange, or use EHI, in any manner requested or in an alternative manner, using (i) certified health IT specified by the requestor; (ii) content and transport standards specified by the requestor and published by the federal government or a standards-developing organization accredited by the American National Standards Institute; or (iii) an alternative machine-readable format, including the means to interpret the EHI, agreed upon with the requestor. This exception establishes both the content that must be provided in response to a request to access, exchange, or use EHI in order to satisfy the exception and the manner in which a request to access, exchange, or use EHI must be fulfilled to satisfy the exception.

  2. Fees exception (45 C.F.R. § 171.302): this exception applies, provided certain conditions are met, when an actor charges fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI.

  3. Licensing exception (45 C.F.R. § 171.303): this exception applies, provided certain conditions are met, when an actor licenses interoperability elements for EHI to be accessed, exchanged, or used.
 

The HIPAA Privacy Rule (45 C.F.R. Part 160 and Subparts A and E of Part 164) provides a federal floor of privacy protections for individually identifiable health information held by a covered entity or by a business associate of a covered entity. Some states have implemented laws that expand patient rights and access to their health information and, therefore, are more stringent than HIPAA.  Such state laws are not superseded by HIPAA or the Privacy Rule.
 


Procedures
 

Each HIPAA-covered University component will review its ongoing practices and ensure compliance with this Policy through the following:
  1. Implementation of this Policy and appropriate specifications and procedures in accordance with specific organizational processes for policy implementation within the covered component. The covered component will be particularly aware of the documentation requirements and standards addressing availability, time limits for response, enabling access, and review.

  2. Each covered component will periodically review its existing policies and procedures for receiving, processing, and responding to requests to access, exchange, or use EHI and revise them accordingly to ensure compliance with federal information-blocking requirements. Implementation of this procedure may require:

     a. Reviewing existing arrangements and coordinating with health IT developers and vendors to identify and ensure availability of processes that covered components can utilize to comply with the information-blocking regulations and to ensure that processes are in place to timely respond and provide access to patient data as appropriate.

     b. Developing appropriate policies and procedures to ensure timely response to requests for EHI from patients.

     c. Ensuring that methods for response and processes exist to receive requests for patient data and timely respond to such requests.

     d. Reviewing Data Use Agreements, Business Associate Agreements, and other agreements to ensure compliance with ongoing information-blocking requirements.

     e. Reviewing and improving existing workflows regarding the storage and transmittal of EHI.

     f. Developing policies and procedures for responding to requests for EHI from patients, providers, third-party apps, health IT vendors, and others. This may include creating forms for receiving, processing, and responding to such requests and procedures specifying how access to EHI will be provided.

     g. Reviewing policies and procedures relating to the “Preventing Harm” exception above to ensure that policies are in writing, based on relevant clinical, technical and other appropriate expertise, and implemented in a non-discriminatory manner.

     h. Reviewing any fees charged for access to EHI, exchange, or data to ensure compliance with information-blocking requirements.

     i. Ensuring that any fees charged to provide EHI in physical media (e.g., paper, flash drive, CD/DVD) comply with the requirements for reasonable, cost-based fees established by the Cures Act or HIPAA.

  3. Workforce members within each covered component will be informed of this Policy as it applies to the University, the covered component, and the workforce members within their specific roles.

  4. Where this Policy requires an action, activity, or assessment to be documented, the applicable covered component will create a written record of the action, activity, or assessment and retain such documentation pursuant to the University’s document retention schedule.

  5. Each covered component will make documentation available as appropriate to workforce members and units responsible for implementation of the procedures to which the documentation pertains.
 
  1. Forms & Tools

Provider FAQs are available to workforce members of the covered components to assist review and drafting of medical documentation.
 

  1. Frequently Asked Questions

None
 

  1. Related Information

45 CFR § 171 et seq.

42 USC § 300jj

45 CFR § 164.524(c)(4)

 

  1. History

Full Policy Origination Date: February 18, 2022

Interim Origination Date: April 7, 2021

Next scheduled review date: February 2025