Information Blocking Exceptions: Preventing Harm (Part 4 of 8)

This next installment of Gravely Group’s series covering the information blocking exceptions, outlines the Preventing Harm Exception. This exception focuses on when an Actor’s Practice that is likely to interfere with the access, exchange, or use of electronic health information (EHI) will, nonetheless, not be considered information blocking because the Practice is reasonably intended to prevent harm to an individual.

 If you have not yet read Gravely Group’s overview of the information blocking exceptions, we suggest you check it out!

According to ONC, the Preventing Harm Exception is intended to “allow for the protection of patients and other particular persons against substantial risk of harm” that may arise from the access, exchange, or use of EHI in defined circumstances.^[1] However, in crafting this exception, ONC noted its concern that, if the exception were not narrowly tailored, a general rationale of preventing harm could be used either as a pretext or a post-hoc rationalization for not sharing EHI. Therefore, ONC imposes strict conditions on the use of this exception.

Preventing Harm Requirements

In order to meet the Preventing Harm Exception, an Actor must:

Have a reasonable belief that the Practice will substantially reduce the risk of the harm to a patient or another natural person;
Ensure the Practice is no broader than necessary to substantially reduce the risk of harm; and
Meet at least one of the specified conditions from each of the established categories discussed below: Type of Risk, Type of Harm, and Documented Basis of Determination.

Type of Risk

The type of risk must either:

“Be determined on an individualized basis in the exercise professional judgement by a licensed health care professional who has a current or prior clinician-patient relationship with the patient whose EHI is affected by the determination.”
OR
“Arise from data that is known or reasonably suspected to be misidentified or mismatched, corrupt due to technical failure, or erroneous for another reason.”

Type of Harm

The type of harm must be one that could serve as grounds for a HIPAA Covered Entity to deny access to an individual’s Protected Health Information (PHI). ONC deliberately aligned this exception with HIPAA to promote consistency and minimize confusion. The information blocking regulations identify four specific circumstances and the type of harm to which each circumstance must give rise:

Circumstance	Type of Harm
Interfering with access, exchange, or use of EHI by the patient’s legal representative based on an individualized determination of risk of harm by a licensed healthcare professional in the exercise of professional judgement	Substantial harm to the individual or another person
Interfering with the patient’s or their legal representative’s access, exchange, or use of EHI that references another natural person based on an individualized determination of risk of harm by a licensed healthcare professional in the exercise of professional judgement	Substantial harm to such other person
Interfering with the patient’s access, exchange, or use of their own EHI based on an individualized determination of risk of harm by a licensed healthcare professional in the exercise of professional judgement OR based on data that are known or reasonably suspected to be corrupt due to technical failure, are erroneous for another reason, or are misidentified or mismatched	Harm to the life or physical safety of the individual or another person
Interfering with the patient’s legal representative’s otherwise legally permissible access, exchange, or use of the patient’s EHI in order to reduce a risk arising from data that are known or reasonably suspected to be misidentified or mismatched, corrupt due to technical failure, or erroneous for another reason	Harm to the life or physical safety of the individual or another person

Documented Basis of Determination

There are two ways in which the Preventing Harm Exception may be implemented:

An organizational policy; and/or
An individualized determination of risk of harm.

Organizational Policy
Such an organizational policy must be:

In writing;
Developed with meaningful input from clinical, technical, and other staff with appropriate expertise;
Implemented in a consistent and non-discriminatory manner; and
No broader than necessary to address the harm being prevented.

Individualized Determination
The requirements for such an individualized determination are:

The facts and circumstances must be known or reasonably believed by the Actor at the time the determination was made and while the Practice remains in use; and
The determination must be based on expertise relevant to implementing the Practice consistent with the requirements of this exception.

UP NEXT …Gravely Group’s next post on the information blocking exceptions will take a look at the requirements under the Infeasibility Exception. So, be sure to check back soon!

Download a copy of this post

^[1] 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health Certification Program, 85 Fed. Reg. 25642, 25821 (May 1, 2020), available at: https://www.federalregister.gov/d/2020-07419.

About Us

Practices

Information Blocking Tool

eHealth Resources

Contact Us

Useful Links

Subscribe Now