1.    PURPOSE:  To establish a policy to prevent information blocking of electronic health information and document the exceptions to that activity as set forth in CFR Part 171. To implement this policy in a consistent and non-discriminatory manner. The requirements surrounding the information blocking regulations presented in this policy are similar to, but distinct from, HIPAA and do not supersede HIPAA regulations.  Therefore, this separate policy is created.

2.                   APPLICABILITY:  This policy applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, The UAB Employee Assistance Program, and other UAB entities that may be added from time-to-time) and to the following UABHS Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, Callahan Eye Hospital and Clinics, UAB Health Centers, Medical West Hospital, VIVA Health, Inc., University of Alabama Health Services Foundation owned and operated clinics, Ophthalmology Services Foundation, Valley Foundation, and other UABHS managed entities that may be added from time-to-time. This policy also applies to all health care providers, regardless of whether the unit in which health care services are provided are considered HIPAA covered entities; such entities include UAB Student Health and Wellness. For purposes of this policy, UAB and UABHS Covered Entities shall be collectively referred to as “UAB.”

3.    DEFINITIONS:
   1. Access: The ability or means necessary to make EHI (defined below) available for exchange or use.
   2. Actor: A health care provider, health IT developer of certified health IT, health information network or health information exchange.
      1.       Health IT Developer of Certified Health IT: The rule excludes health care providers that self-develop health IT that do not offer any certified health IT to others.
      2.       Offer Health IT: When an actor provides or supplies certified health IT to be deployed by others. This excludes implementation and use activities.
   3. Designated Record Set (DRS): The group of records maintained by or for a covered entity, in any medium, that is (1) the medical records and billing records, (2) the enrollment, payment, claims adjudication, and case or medical management record systems, or (3) used to make decisions about individuals.  The DRS consists of the Legal Medical Record and the Billing Record.
      1.       Legal Medical Record: The documentation of the health care services provided

to an individual during any aspect of health care delivery in any type of health care

organization used, in whole or in part, by or for the covered entity to make

decisions about the individual (including clinical care provided as a part of a

research study unless appropriate steps are taken to blind the data as may be

required by the research study).

2.       Billing Record:  The documentation in the billing records used, in whole or in part,

by or for the covered entity to make decisions about individuals.

3.4 EHI: Electronic protected health information; individually identifiable health information transmitted by, or maintained in, electronic media that is included in a designated record set; EHI does not include psychotherapy notes or information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

3.5  Exchange: The ability of EHI to be transmitted between and among different technologies, systems, platforms, or networks.

3.6  Health care provider: Defined broadly and covers (1) all clinical facilities, including but not limited to, hospitals, nursing facilities, long term care facilities, health care clinics, community mental health centers, renal dialysis facilities, blood centers, ambulatory surgical centers, rural health clinics, group practices, pharmacies, and laboratories; (2) physicians, including but not limited to, pharmacists and emergency medical services providers; and (3) practitioners, including physician assistants, nurse practitioners, or clinical nurse specialists, certified registered nurse anesthetists, certified nurse-midwives, clinical social workers, clinical psychologists, registered dietitians, nutrition professionals, therapists and any other category of health care facility, entity, practitioner, or clinician determined appropriate by the Secretary of HHS.

3.7  Health IT: Short for “health information technology”; the use of computer hardware, software, or infrastructure to record, store, protect, and retrieve clinical, administrative, or financial information; health IT can include electronic health records, personal health records, electronic medical records, and electronic prescribing.

3.8 Information blocking (health care provider perspective): A practice that, except as required by law or covered by an information blocking exception, is likely to interfere with access, exchange, or use of electronic health information and the provider knows such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of PHI. 

3.9 Information Security incident:  Any event or series of events that violates or threatens to violate information security policies, confidentiality, integrity or availability related to a system or systems within the UABHS infrastructure.

3.10 Trusted Exchange Framework Common Agreement (TEFCA): A set of principles that enables exchange of electronic health information (EHI) across health information networks (HINs) and among Qualified Health Information Networks (QHINs) (e.g., Commonwell).

3.11 Use: The ability for EHI, once accessed or exchanged, to be understood and acted upon.

3.12 USCDI: The United States Core Data for Interoperability, a standardized set of health data classes and constituent data elements for nationwide, interoperable health information exchange.

4.                   POLICIES:

4.1 No activity shall be allowed that would likely interfere with the access, exchange, or use of EHI, except as allowed by the exceptions noted in Section 4.2. of this policy. 

1.         At no time shall a workforce member be involved in a practice that is unreasonable and likely to interfere with, prevent, or materially discourage authorized access, exchange, or use of EHI.
2.         No policy, procedure, or practice shall be permitted that would prevent EHI from being appropriately shared or used for authorized purposes.
3.         No contract or agreement document shall be executed that would interfere with the appropriate access, exchange, or use of EHI. 
4.         The entity shall not allow technical limitations that discourage or make it unnecessarily costly or burdensome to share and use EHI.

2.       Some necessary actions to protect patient safety, privacy, security, etc., are not considered information blocking but are exceptions to the rule as set forth in CFR Part 171.
   1.         Exceptions that involve not fulfilling requests to access, exchange, or use EHI:
      1.   Exception #1: Preventing Harm – This exception recognizes that the public interest in protecting patients and other persons against unreasonable risks of harm to a patient or other person can justify practices that are likely to interfere with access, exchange, or use of EHI.
      2.   Exception #2: Privacy – This exception recognizes that practices that are reasonable and necessary to protect an individual’s privacy and are in compliance with other state or federal privacy laws are not information blocking.
      3.   Exception #3: Security – This exception is intended to cover all practices that are reasonable and necessary to protect the confidentiality, integrity, and availability of EHI.
      4.   Exception #4: Infeasibility – This exception allows certain circumstances outside the entity’s control to be legitimate reasons for being unable to fulfill a request to access, exchange, or use EHI; the conditions of uncontrollable events, segmentation, and infeasibility under the circumstances are acceptable exceptions.  In addition, it allows actors to refuse certain requests of third parties seeking to modify EHI in a system. 
      5.   Exception #5: Health IT Performance – If certain IT practices are implemented to maintain and improve the overall performance of health IT but are likely to interfere with the access, exchange, and use of EHI, they will not be considered information blocking as long as the period of time is no longer than necessary to complete the IT maintenance or improvement.
   2.         Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI:
      1.   Exception #6: Manner – This exception provides information about the required content of the EHI and the manner in which the request must be fulfilled to not be information blocking.  The manner in which the request is fulfilled may be in the manner requested or in an alternative manner if the entity is not technically able to fulfill the request in the manner requested.

Manner Exception Exhausted – An actor can deny a request for access, use, exchange, or use of EHI after two alternative manners have been attempted and failed.  If this exception is exercised, then a written response to the requestor must be provided within 10 business days of the receipt of the request.

2.   Exception #7: Fees – This exception allows for setting fees to recover costs reasonably incurred for providing access, exchange, or use of EHI; strict conditions to prevent potential abuse apply.
3.   Exception #8: Licensing – This exception allows the entity to protect the value of its innovations and to charge reasonable royalties to earn returns on the investments made to develop, maintain, and update those innovations.
4.   Exception #9: TEFCA – This exception applies when both the actor and requestor are both part of TEFCA.  The requestor must be capable to access, use, and exchange EHI via the TEFCA and does not involve the use of API certified technology and the exchange can be performed under TEFCA without violating the information blocking. The actor must comply with Fees and Licensing exceptions.

3.               All workforce members shall report suspected information blocking activities.
4.               Any member of the workforce who does not follow the above policies may be subject to disciplinary action up to and including termination of employment or assignment.
5.               Vendors or contractors who do not follow the above policies may be subject to breach of contract penalties.
6.               Management of each covered entity shall ensure workforce members are informed about information blocking.
7.               If the covered entity is required to act on any action, activity, or assessment related to information blocking or the complaint of such, then the covered entity will maintain a written record of the action, activity, or assessment for six (6) years from the date it was created or in effect, whichever is later.
8.               The HIPAA Entity Privacy Coordinator and the HIPAA Entity Security Coordinator shall serve as a resource for receiving reports of information blocking and for escalating reports to the appropriate Compliance Office or other unit managing information blocking complaints for the covered entity.
9.               CONTACTS:  For questions regarding the requirements and enforcement of this policy, contact one of the following:
   1.               Your supervisor
   2.               UAB Medicine Compliance Department at 205-975-0585
   3.               The UAB Hotline at 866-362-9476 or file a report online.
   4.               Your departmental HIPAA Entity Privacy or Security Coordinator (found on the HIPAA website at Security Contacts and Privacy Contacts)
   5.               UABHS Privacy Officer at 205-996-5051

5.                   REFERENCES:  None.

6.                   ATTACHMENTS:  None