Electronic Healthcare Records , Governance & Risk Management , Healthcare Information Exchange (HIE)

Information Blocking Rule: Understanding the Exceptions

Privacy Attorney Adam Greene on Data-Sharing Rule Compliance Challenges
Adam Greene, partner, Davis Wright Tremaine

Although the federal information blocking rule spells out practices that are not considered violations of the regulation, healthcare entities must carefully assess the validity of privacy or security concerns before denying access, exchange or use of patient data, says attorney Adam Greene of the law firm Davis Wright Tremaine.

See Also: OnDemand | Making the Connection Between Cybersecurity and Patient Care

The Department of Health and Human Services' 21st Century Cures Act information blocking rule, which went into effect for compliance in April, generally prohibits healthcare providers, health IT developers and health information exchanges from knowingly interfering with the access, exchange or use of electronic health information.

The rule, however, contains eight exceptions - including one pertaining to privacy and one to security - that spell out practices that are not considered information blocking.

But not every possible issue involving health data privacy or security is a valid excuse for failing to share patient data, Greene explains in an interview with Information Security Media Group.

For instance, under the security exception, "anything you do that you point to as 'security' as the basis for denying access … you want to be cognizant of the fact that just because the [data] requester may have poor security on their side, that doesn't necessarily mean it falls under the exception," he says. The key factor, he explains, is "whether your sharing of information with that requester creates security issues that you are addressing in a manner consistent with standard security practices."

In the video interview, Greene, who was a featured speaker at the recent 2021 Healthcare Information and Management Systems Society Conference in Las Vegas, also discusses:

  • Pending enforcement considerations involving information blocking rule violations, including penalties, that are still being hammered out by HHS;
  • Advice to healthcare entities and health IT developers about complying with the information blocking rule while still maintaining strong privacy and security protections for the health information being accessed, used or shared;
  • Other upcoming health data privacy and security regulatory issues to watch.

As a partner at Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.