On April 5, the Information Blocking Rule goes into effect in the US. The new legislation enacted by the 21st Century Cures Act was written and will be enforced by the Office of the National Coordinator for Information Technology (ONC).
The Information Blocking Rule (the complete name is ONC Final Rule on Interoperability, Information Blocking, and ONC Health IT Certification) is also referred to as the “Open Notes Rule” due to its stipulation that notes, with some exceptions, must be made available to clients.
If you have questions about this rule, you are not alone! You’re probably wondering how this rule is going to apply to your practice and what, if anything, you should do to prepare.
This post will shed some light on what’s ahead, who’s affected, and what you need to do before April 5.
What is the Information Blocking Rule?
The Cures Act defines information blocking as “business, technical, and organizational practices that prevent or materially discourage the access, exchange or use of electronic health information (EHI) when the entity knows, or should know, that these practices are likely to interfere with access, exchange, or use of EHI.”
The purpose of the Information Blocking Rule is to ensure that clients have unimpeded access to their information. This is not a HIPAA rule and applies to all healthcare providers. Not just HIPAA covered entities.
Note that when we talk about HIPAA rules on this blog, we use the term protected health information (PHI). In this post we’ll refer to EHI, which basically means the same thing but is the term preferred by the ONC.
Here are a few examples of information blocking:
- Not including individuals’ rights to access their information in the Notice of Privacy Practices (NPP)
- Making it difficult to find the NPP on the practice website
In a past post, HIPAA tips: are you correctly informing your clients of their rights?, we noted that 89 percent of a selection of covered entities failed to show they were correctly informing patients and clients of their rights with an easy-to-access NPP.
Other examples of information blocking include:
- Withholding requested information that isn’t exempt from the rule
- Not responding to a request for information within the acceptable timeframe
- If you have an ONC certified EHR, not enabling the capability that allows clients instant access to their records
NOTE - few therapists in private practice use ONC certified EHRs, but it’s important to understand that if you do use one, you must use its capabilities to allow your clients access to their records.
Understanding the “open notes” part of the rule
A question about what the “open notes” part means has been in the forefront since the final rule was released in March 2020, particularly for behavioral health practitioners who often rely on detailed notes taken for their personal understanding of cases. The question of whether or not practitioners need to make these notes available in their entirety to clients has caused some concern. So let’s clarify what “open notes” means in the context of this rule :
Under the rule, clients must be given access to any medical record notes, including the following information:
- Functional status
- Treatment plans
- Progress to date
- Session start and stop times
- Test results
- The modalities and frequencies of treatment furnished
- Medication prescription and monitoring
Psychotherapy notes are exempt as long as they’re kept separate from medical record notes and don’t contain any of the items listed under medical record notes, including session start and stop times.
There are other exceptions, which you can read about in the ONC’s Information Blocking Exceptions.
However, keep in mind that state standards supersede federal rules, and some states, such as California, require all EHI, including psychotherapy notes, to be made available to the client. So be sure to check with your state.
You can see how easy it would be to inadvertently include medical record notes in with your psychotherapy notes. That’s why it’s very important to be aware of what you’re including in your notes. Or, you might want to take written notes to ensure there’s no mistaking their purpose. Written notes are not subject to the ONC rule.
Establish who your client is early
The main purpose of the rule is to ensure that electronic health information flows easily between practitioner and client. You can read the rule in its entirety here: ONC Final Rule on Interoperability, Information Blocking, and ONC Health IT Certification
Much of what it requires is also required by the HIPAA Privacy Rule, so there’s a good possibility you’re already prepared. However, as we mentioned earlier, many practitioners aren’t currently compliant with the Privacy Rule when it comes to ensuring clients have access to their records, so take a look at HIPAA tips: are you correctly informing your clients of their rights? to make sure you’re up to speed.
One of the most important things you can do to ensure you’re compliant with both rules is to determine at the outset of the relationship who your client is and who gets access to the records. You might think this is obvious. However, in certain situations, such as couples counseling, who the client is isn’t always clear.
For example, consider a couple that’s visiting a Licenced Marriage and Family Therapist (LMFT). The therapist can decide to treat the “couple” as the client and give both individuals access to the records, but this is only possible if insurance isn’t involved. That’s because insurance usually requests one designated client for coverage. This client is then designated as the client for information access, and there’s where problems can occur. Imagine if a divorce takes place, and one individual wants to access the records to send to their divorce attorney. However, they aren’t listed as the client. Therefore, they have no access to the records unless the other individual approves the request.
That’s why it’s so important to establish upfront who the client is. And be sure to check with your attorney to make sure you’re doing this correctly.
Use secure forms with e-signatures to support your compliance
With an intake form, you can establish upfront who your client is, and, in the case of a couple, ensure a clear understanding of who has access to the records. The forms you build with Hush Secure Forms allow your clients to e-sign with signatures that are as legally binding as handwritten signatures.
E-signatures also make it very convenient for clients to authorize access to a third party, their divorce attorney, for example. However, keep in mind that the client does not need to sign a request form, and requiring a signature could be considered information blocking if it slows down the request process.
Want to prepare for April 5 with Hush Secure Forms?
When it comes to preparing for April 5, the bottom line is this: if you have an ONC certified EHR, make sure you’re using it properly to allow your clients access to their records; if you don’t want to allow your clients access to your personal notes, make sure they’re kept separate from your medical record notes and don’t include information like start and stop times; and ensure that everyone who comes to your sessions understands who has access to the records as the designated client.
Hushmail partner Person Centered Tech offers a variety of tools and trainings to help you achieve compliance with HIPAA and ONC rules. They’re available to be “your expert partner on all things technology, ethics, teletherapy, and HIPAA security compliance in mental health practices.” Visit Person Centered Tech and consider becoming part of their community to help ensure your compliance.
Hush Secure Forms with e-signatures can help make sure that you’re on the same page with your clients by providing a fast and convenient way to get your intake forms signed and filed.
The ONC Final Rule on Interoperability, Information Blocking, and ONC Health IT Certification goes into effect April 5. The purpose of the Information Blocking Rule is to ensure that clients have unimpeded access to their information. This is not a HIPAA rule and applies to all healthcare providers. Not just HIPAA covered entities. This post sheds some light on what’s ahead, who’s affected, and what you need to do before April 5.