In this third post in Gravely Group’s series on the information blocking exceptions, we will walk through the requirements of the Privacy Exception. The Privacy Exception focuses on when an Actor’s Practice of not fulfilling a request for electronic health information (EHI) will, nonetheless, not be considered information blocking because the EHI is withheld in order to protect an individual’s privacy. However, per ONC, this exception is narrowly intended to “allow for the protection of patients and other particular persons against substantial risks of harm otherwise arising from the access, exchange, or use of EHI in defined circumstances.”
You already know from our previous posts that an Actor who relies on an exception is required to meet every element of the exception. The Privacy Exception is uniquely structured in that it consists of four discrete sub-exceptions. An Actor that relies on the Privacy Exception must meet all of the requirements under at least one of these four sub-exceptions.
If you have not yet read Gravely Group’s overview of the information blocking exceptions, we suggest you check it out!
Privacy Sub-Exception 1: Precondition Not Satisfied
The first sub-exception applies if applicable law imposes a specific precondition that must be satisfied before information may be released, and that precondition has not been met. ONC has expressed concern about this sub-exception being used as a “pretext” to deny access, exchange, or use of EHI and requires that the Practice be narrowly applied. To rely on this sub-exception:
- The Actor must tailor the Practice to the applicable precondition that is not satisfied.
- The Actor must implement that Practice in a consistent and non-discriminatory manner.
- The Practice must meet either of the following:
  - Organizational Policies & Procedures: The Practice must conform to the Actor’s written policies and procedures that specify the criteria the Actor uses to determine when the precondition is satisfied and, if applicable, specify what steps the Actor will take to satisfy the precondition. These policies and procedures must also be implemented by the Actor, including through the provision of training on such policies and procedures.
  - Case-by-Case Determination: The Practice must be documented by the Actor on a case-by-case basis, with such documentation identifying the criteria the Actor uses to determine when the precondition is satisfied, the criterion/criteria that were not met in the instance being documented, and why the criterion/criteria were not met.
- The Actor must demonstrate that it has used reasonable efforts within its control to provide a consent or authorization form that satisfies all criteria of the precondition or to provide other reasonable assistance to allow the individual to satisfy the precondition; and
- The Actor must not encourage or induce the individual to withhold consent.
Privacy Sub-Exception 2: Health IT Developer of Certified Health IT Not Covered by HIPAA
This sub-exception only applies to those health IT developers that are not covered by the HIPAA Privacy Rule. Most health IT developers are Business Associates of their Covered Entity customers, so this sub-exception will not apply to them. To rely on this sub-exception, the Actor’s Practice must:
- Describe the process that the Actor will use with respect to blocking access, use, or exchange of EHI via the Actor’s IT;
- Be disclosed to the customer before the customer agrees to use the applicable IT product or service;
- Comply with applicable state and federal law;
- Be tailored to the specific privacy risk the Practice is intended to address; and
- Be implemented in a consistent and non-discriminatory manner.
Privacy Sub-Exception 3: Denying an Individual’s Request for His/Her Own Information as Allowed Under 45 CFR 164.524(a)(1) and (2)
This sub-exception simply says that if an Actor withholds EHI on the basis of this HIPAA provision, it is not violating the Information Blocking rule. However, an Actor must be able to demonstrate that it fully complies with the HIPAA requirements before relying upon this sub-exception.
HIPAA allows a Covered Entity or a Business Associate to deny an individual access to his/her own PHI in very limited situations. The Privacy Rule identifies the specific grounds on which such a denial is permitted, which are:
- Requests by inmates of correctional institutions
- Requests by individuals who are participating in “focused studies” while the study is in progress
- Records that are subject to the federal Privacy Act of 1974
- Information from someone who is not a healthcare provider and is provided under a promise of confidentiality
- Psychotherapy notes as defined by HIPAA
- Information compiled in reasonable anticipation of, or use in, civil, criminal, or administrative action or proceeding
Privacy Sub-Exception 4: Respecting an Individual’s Request to Not Share Information
If an individual requests that his/her information not be shared, and an Actor agrees to this request, then the Actor may withhold that information from others unless the Actor is otherwise required by law to provide access, exchange, or use of the EHI. To rely on this sub-exception, the individual’s request must:
- Come from the individual;
- Be made without any influence or inducement from the Actor;
- Be documented by the Actor within a “reasonable” time after the request is made; and
- Be implemented by the Actor in a consistent and non-discriminatory manner.
UP NEXT …
In referring to an individual (singular), this post uses the pronouns “his/her.” This is not intended to be exclusionary, and Gravely Group believes in equality for individuals of all gender identities. What is your preferred inclusive, singular pronoun? Are we being too rigid by avoiding use of “they” as a traditionally plural pronoun?
Let us know your thoughts by hitting us up on Twitter @ehealthattorney!
21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 85 Fed. Reg. 25642, 25821 (May 1, 2020), available at: https://www.federalregister.gov/d/2020-07419.