This next installment of Gravely Group’s series covering the information blocking exceptions, outlines the Preventing Harm Exception. This exception focuses on when an Actor’s Practice that is likely to interfere with the access, exchange, or use of electronic health information (EHI) will, nonetheless, not be considered information blocking because the Practice is reasonably intended to prevent harm to an individual.
If you have not yet read Gravely Group’s overview of the information blocking exceptions, we suggest you check it out!
According to ONC, the Preventing Harm Exception is intended to “allow for the protection of patients and other particular persons against substantial risk of harm” that may arise from the access, exchange, or use of EHI in defined circumstances.[1] However, in crafting this exception, ONC noted its concern that, if the exception were not narrowly tailored, a general rationale of preventing harm could be used either as a pretext or a post-hoc rationalization for not sharing EHI. Therefore, ONC imposes strict conditions on the use of this exception.
Preventing Harm Requirements
In order to meet the Preventing Harm Exception, an Actor must:
- Have a reasonable belief that the Practice will substantially reduce the risk of the harm to a patient or another natural person;
- Ensure the Practice is no broader than necessary to substantially reduce the risk of harm; and
- Meet at least one of the specified conditions from each of the established categories discussed below: Type of Risk, Type of Harm, and Documented Basis of Determination.
Type of Risk
The type of risk must either:
- “Be determined on an individualized basis in the exercise professional judgement by a licensed health care professional who has a current or prior clinician-patient relationship with the patient whose EHI is affected by the determination.”
OR - “Arise from data that is known or reasonably suspected to be misidentified or mismatched, corrupt due to technical failure, or erroneous for another reason.”
Type of Harm
The type of harm must be one that could serve as grounds for a HIPAA Covered Entity to deny access to an individual’s Protected Health Information (PHI). ONC deliberately aligned this exception with HIPAA to promote consistency and minimize confusion. The information blocking regulations identify four specific circumstances and the type of harm to which each circumstance must give rise:
Circumstance | Type of Harm |
---|---|
Interfering with access, exchange, or use of EHI by the patient’s legal representative based on an individualized determination of risk of harm by a licensed healthcare professional in the exercise of professional judgement | Substantial harm to the individual or another person |
Interfering with the patient’s or their legal representative’s access, exchange, or use of EHI that references another natural person based on an individualized determination of risk of harm by a licensed healthcare professional in the exercise of professional judgement | Substantial harm to such other person |
Interfering with the patient’s access, exchange, or use of their own EHI based on an individualized determination of risk of harm by a licensed healthcare professional in the exercise of professional judgement OR based on data that are known or reasonably suspected to be corrupt due to technical failure, are erroneous for another reason, or are misidentified or mismatched | Harm to the life or physical safety of the individual or another person |
Interfering with the patient’s legal representative’s otherwise legally permissible access, exchange, or use of the patient’s EHI in order to reduce a risk arising from data that are known or reasonably suspected to be misidentified or mismatched, corrupt due to technical failure, or erroneous for another reason | Harm to the life or physical safety of the individual or another person |
Documented Basis of Determination
There are two ways in which the Preventing Harm Exception may be implemented:
- An organizational policy; and/or
- An individualized determination of risk of harm.
Organizational Policy
Such an organizational policy must be:
- In writing;
- Developed with meaningful input from clinical, technical, and other staff with appropriate expertise;
- Implemented in a consistent and non-discriminatory manner; and
- No broader than necessary to address the harm being prevented.
Individualized Determination
The requirements for such an individualized determination are:
- The facts and circumstances must be known or reasonably believed by the Actor at the time the determination was made and while the Practice remains in use; and
- The determination must be based on expertise relevant to implementing the Practice consistent with the requirements of this exception.
UP NEXT …Gravely Group’s next post on the information blocking exceptions will take a look at the requirements under the Infeasibility Exception. So, be sure to check back soon!
[1] 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health Certification Program, 85 Fed. Reg. 25642, 25821 (May 1, 2020), available at: https://www.federalregister.gov/d/2020-07419.