By Linda Kloss

HHS officials discussed the nuances of how Right of Access is handled under the HIPAA Privacy and Information Blocking Rules in last week’s Verisma-sponsored Webinar, HIPAA Right of Access and Information Blocking.[i] We are grateful to Elisabeth Myers, Deputy Director, Office of Policy, HHS Office of the National Coordinator, and Timothy Noonan, Deputy Director for Health Information Privacy, HHS Office for Civil Rights, for customizing a presentation to compare and contrast Right of Access elements of the two Rules, spotlighting areas that have generated questions. I urge everyone to access the Webinar archive, as it is a very useful reference.

The laws giving rise to Right of Access regulations were passed two decades apart (HIPAA in 1996, 21st Century Cures in 2016). Both are complex multi-part laws dealing with health system effectiveness from different perspectives. HIPAA focuses on health insurance and administrative functions, while 21st Century Cures focuses on facilitating clinical research and improved therapeutics. How their regulatory frameworks handle Right of Access reflects different contexts and purposes. The Information Blocking Rule concerns electronic health information, which Myers and Noonan described as “a subset of the protected health information (PHI)” covered by the Privacy Rule.

Myers and Noonan underscored another helpful distinction that can guide compliance. Access to protected health information under the HIPAA Privacy Rule is governed by permissions. Patients, of course, have a right to access, and they or their legal designees grant permission for release to third parties. The Rule grants permission to use protected health information (PHI) for treatment, payment and healthcare operations and specifies other parties who are granted permission under certain circumstances. The Information Blocking Rule picks up where permissible requests leave off and assumes that electronic PHI (ePHI) will be shared unless the request meets one of eight exceptions. This distinction reminds us that we should be advocates for legitimate and customer-friendly access. We should focus on eliminating barriers, reducing turnaround times, and shifting to e-release whenever possible.

The Rules differ in their breadth of who must comply. Under the HIPAA Privacy Rule, we deal with covered entities (providers, health plans, and clearinghouses) and their Business Associates. The definitions of providers are aligned under the two Rules. The list of “Actors” who must comply with the Information Blocking Rule includes health information exchange entities and technology developers. This is a welcome expansion that better reflects who is involved in today’s health information ecosystem. EHR vendors, private exchanges, or other entities will no longer be able to block the exchange of health information needed for continuity of care.

Information Blocking aligns to HIPAA regarding timelines for release. Myers and Noonan reinforced that the Rule reads “no later than 30 days.” We should be doing all we can to reduce turnaround times by putting in place systems and workflows to avoid any “unnecessary delay.” We were reminded that such delays are currently resulting in enforcement action by OCR, the nineteenth such action announced earlier this month. Enforcement of the Information Blocking Rule will be administered by HHS’s Office of the Inspector General, and the rules for this have yet to be released or approved.

Fees for ePHI are handled similarly in both Rules. Reasonable, cost-based fees for labor are allowable. The Information Blocking Rule adds a requirement that they be uniformly applied and not anticompetitive. The trend is that providers are making access available to patients on a no-fee basis, and this is driving adoption of apps such as Verisma’s Request App™ (VRA), a practice very much in line with the intent of both Rules.

Verisma recognized the rapidly changing landscape by sponsoring Health Information Access Week, June 14-18. The OCR-ONC Webinar was a highlight of the week along with guest bloggers covering topics from consumer advocacy to HIM leadership. The Information Blocking Rule and proposed changes to the Privacy Rule underscore once again the need to upgrade ROI practices with technologies, including access and management tools, to stay ahead of the curve.   

We continue to grapple with a patchwork of federal and state laws and regulations concerning health information and privacy. The Information Blocking Rule provides some much-needed modernization, particularly in bridging to a broader cast of actors. For ROI, HIM, and Compliance experts, the Right of Access is inviolable. At the same time, we know that when a custodian discloses PHI, today’s protections for individuals fall far short of where they should be. I know we will sort out how to comply with Information Blocking and future modifications to the Privacy Rule. But I also know that our work won’t be done until we can help people have real choice in how they want to handle their confidential health information, in identifiable and deidentified formats, when it moves beyond the protections of current law.

[i] Please e-mail Davy Simanivanh at to receive a recording of the webinar.