Supporting Information Privacy for Patients, Now and Always

Four Reminders of How HHS Information Blocking Regulations Recognize Privacy Rules

By Micky TripathiONC
LinkedIn: Micky Tripathi
LinkedIn: ONC

On April 22, 2024, the Biden-Harris Administration, through the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a final rule, entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. HHS issued this final rule after hearing from communities that changes were needed to better protect patient confidentiality and prevent medical records from being used against people for providing or obtaining lawful reproductive health care. The final rule strengthens the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by prohibiting the disclosure of protected health information (PHI) where the PHI is sought for use against any person for merely seeking, obtaining, providing, or facilitating lawful reproductive health care. The Office of the National Coordinator for Health Information Technology (ONC) and OCR work together on all of our policies, and the development of this final rule was no different. As I discuss below, ONC’s information blocking regulations consider applicable law, and that now includes the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule. In short, complying with this new federal rule will not result in a determination of information blocking under ONC’s regulations.

Reminder 1: The information blocking regulations are designed to consider applicable law, including HIPAA rules.

ONC’s information blocking regulations advance the access, exchange, and use of electronic health information (EHI) as defined in the information blocking regulations. Many information blocking “actors” (IB actors) (as defined) are also subject to the HIPAA Privacy Rule. An IB actor may also need to comply with other federal, state, or tribal laws that prohibit or place additional preconditions on sharing EHI in circumstances where these other laws apply. ONC designed the information blocking regulations to accommodate these IB actors’ needs to comply with the HIPAA Privacy Rule and other privacy laws.

Reminder # 2: When sharing EHI would violate another law that applies to an IB actor, it is not information blocking when the IB actor follows that law and does not share the EHI.

The information blocking definition (45 CFR 171.103) excludes practices likely to interfere with access, exchange, or use of EHI when the practices are required by law. The 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program final rule (ONC Cures Act Final Rule) explained that this reference to “required by law” includes practices required by Federal and State law, including statutes, regulations, court orders, and binding administrative decisions or settlements. It also includes tribal laws where applicable. (85 FR 25794)

Interferences with EHI access, exchange, or use that are required by law include (among other mandatory practices) compliance with a prohibition on using or disclosing EHI for a particular purpose. The HIPAA Privacy Rule to Support Reproductive Health Care Privacy final rule establishes a new prohibition (in 45 CFR 164.502(a)(5)(iii)(A)) on HIPAA regulated entities using or disclosing PHI for any of the following activities:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
  • To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
  • To identify any person for any purpose described in (1) or (2).

On (and after) June 25, 2024, a HIPAA covered entity’s or business associate’s practice of refusing to make any prohibited use or disclosure of PHI will be excluded from the information blocking definition (45 CFR 171.103) because that practice will be required by law. Therefore, the practice will not need to be covered by any information blocking exception because it is not considered information blocking to begin with.

Reminder # 3: When a law that applies to an IB actor permits the IB actor to share EHI only if specific requirements are met first, then information blocking regulations allow for the IB actor to take reasonable and necessary steps to ensure it shares EHI only when those requirements are met.

Where a particular access, exchange, or use of EHI is not prohibited, health information privacy laws and regulations (including the HIPAA Privacy Rule) are typically framed in a way that permits an access, exchange, or use of health information to be made only if specific preconditions are satisfied. (For discussion of how ONC distinguished between practices likely to interfere with EHI access, exchange, or use that are required by law and practices that an IB actor engages in pursuant to a law protecting health information privacy, see 85 FR 25794 and 85 FR 25846).

The Precondition Not Satisfied (45 CFR 171.202(b)) sub-exception of the information blocking Privacy Exception outlines a framework IB actors can follow so that the IB actors’ practices of not fulfilling requests to access, exchange, or use EHI would not be considered information blocking when a precondition of applicable law has not been satisfied.

The HIPAA Privacy Rule to Support Reproductive Health Care Privacy final rule also establishes a new requirement for certain HIPAA Privacy Rule permissions. HIPAA regulated entities must obtain a signed attestation when someone requests PHI potentially related to reproductive health care. The attestation must attest that the use or disclosure is not for a prohibited purpose. If the IB actor must obtain an attestation for disclosure to be permitted, and that precondition is not satisfied, then the EHI may not be shared. By meeting the Precondition Not Satisfied sub-exception’s requirements, the IB actor can have confidence that their practices of not sharing EHI because they have not obtained the required attestation will not be considered information blocking.

Reminder # 4: When laws that limit EHI sharing to protect patient privacy change, the information blocking regulations are built to automatically accommodate IB actors’ needs to comply with applicable laws’ updated requirements.

The exclusion from the (45 CFR 171.103) information blocking definition of practices required by law and the (45 CFR 171.202(b)) precondition not satisfied sub-exception are not tied to specific laws or preconditions. Federal, state, and tribal laws restricting health information sharing to protect individuals’ privacy are likely to continue to evolve in step with the technology and policy landscapes. The information blocking regulations are built to accommodate that evolution without requiring the information blocking regulations to be updated every time any privacy law is updated.

Conclusion and Resources

This blog post has briefly reviewed how the information blocking regulations in place today are already built to accommodate the HIPAA Privacy Rule to Support Reproductive Health Care Privacy final rule’s new prohibition and preconditions as soon as they take effect. No conflict with information blocking regulations will be created by these changes to the HIPAA Rules.

To find out more about how the information blocking regulations work, and learn the answers to relevant FAQs, please visit the information blocking page of ONC’s website, HealthIT.gov.

This article was originally published on the Health IT Buzz and is syndicated here with permission.