New rules change handling of patient data

Under new rules, patients must have access to their electronic health information as soon as it is available. But there are also a few exceptions that allow some flexibility on what is released when.


Beginning this month, patients must have access to their electronic health information as soon as it is available. New rules in the 21st Century Cures Act, intended to improve interoperability and patient access to electronic health information and promote information sharing, take effect on April 5. The rules apply to developers of certified health information technology, to health information exchanges and networks, and to all health care “providers,” including physicians, group practices, hospitals, nursing homes, clinics, pharmacies, and laboratories. Referred to as “information blocking” rules, the regulations attempt to prevent interference with access, exchange, or use of electronic health information or the intentional withholding of patient information.

There is a long list of data elements that must be shared with patients, but there are also a few exceptions that allow some flexibility on what is released when. While it is possible that many physician groups are already sharing some or all of this information with patients, many may not be sharing all the required information or may hold back until a clinician is able to review and respond. It is important for physician practices to understand what information they now need to make available to patients (whether by request or automatic transfer to the patient portal) and how best to accomplish that as painlessly as possible.

Some of the trickier data elements that will have to be shared include clinical notes, such as consultations, discharge summaries, history and physical exam notes, and narratives to lab, imaging, and pathology results, as well as vital signs. Reasonable and necessary activities may not be considered blocking in some situations, but these will require clear documentation and good communication with the patient.

There are a few specific exceptions that can be claimed in response to requests for electronic health information. The exceptions that are most likely to apply to physician offices recognize that disclosure may risk patient harm, privacy laws may require consent, or there may be practical or technological reasons why it is not possible to release the information.

Practices will depend in part on their electronic health record (EHR) vendors to set up their systems to comply with the new rules but must understand the rules and exceptions in order to adjust their own policies and procedures. For example, current systems may allow staff or clinicians to review test results and other information before moving it to the patient portal.

Because the patient might access some information before the clinician, it is possible that an ordering clinician can use professional judgment in the context of the situation to make an individualized determination that could satisfy the “prevent harm” exception. Therefore, it is important for clinicians and staff to identify scenarios when it might cause distress or harm to patients if they see their information first, or situations when a technical issue might prevent the sharing of information. This exercise will help the practice develop standard responses, templates, or other communications. It will also help practices work through how to document the ways in which an exception applies to these common situations and establish procedures for handling them (including how to set up the EHR accordingly).

ACP has more information regarding the new rules. In addition, ACP's Practice Advisor™ has a new free module to help practices understand and implement the information sharing rules while earning CME and MOC credits.