December 9, 2023
Provider Obligations For Patient Portals Under The 21st Century Cures Act

When Congress prohibited “information blocking” under the 21st Century Cures Act in 2016, it made no reference to patient portals, the websites through which many health care providers share clinical information with their patients. Similarly, the word “portal” does not appear once in the 6,000-word information blocking regulation, issued by the Office of the National Coordinator for Health Information Technology (ONC) in 2020. Such regulation defines information blocking to mean a practice that is likely to interfere with the access, exchange, or use of electronic health information, subject to some important limitations.

Yet, nearly two years after the ONC issued its rule, hospitals and other providers throughout the country have significantly changed the information available to patients in their portals as a direct result of the information blocking rule. While portals once had limited information, many providers now offer a vast array of data to their patients, including laboratory results, surgical reports, and doctors’ notes. And providers are continuing to adapt their practices as new regulatory requirements take effect later in 2022. Changes to patient portals are so far the most visible manifestation of the shift in practices resulting from the information blocking rule.

Key aspects of information blocking, however, remain widely misunderstood. The right of access requirements under the Health Insurance Portability and Accountability Act (HIPAA) can be quite prescriptive—with guidance going so far as to specify the exact dollar figure that a provider may charge a patient for a record. In contrast, the information blocking rule looks like a Rorschach test, with countless interpretations possible. While the ONC has issued limited guidance, the government has not answered key questions: What types of information do patients have a right to access via portals? When may providers withhold information when not required to do so by law? Providers are struggling to navigate these issues, just as patients are beginning to understand their rights under this new regulatory framework.

Origins Of The Portal Push

The shift in patient portals reflects a fundamental difference between the information blocking rule and the access right that has long existed under HIPAA. The HIPAA access right, which was adopted in regulation in 2000, reflects the older model of medical records. The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) envisioned that patients would call up their provider or send a written request asking for a copy of their medical records and providers would respond by providing a copy of those records. Although the agency understood that some information would be provided electronically, the more typical case involved either providing paper records via mail or making them available for in-person pickup. As a result, HIPAA gives providers 30 days to correspond with the patient about what information needs to be provided, locate the files, make copies, and assemble mailings, when applicable (the 30-day time frame can be extended to 60 days).

The information blocking law, in contrast, was adopted in a world where most health information is in electronic form. The rule applies only to “electronic health information” (EHI); therefore, information that exists solely in paper form is exempt from its scope entirely. Since the government anticipated that information would be provided electronically, it also anticipated that EHI could be provided in a much faster time frame than 30 days.

The rule itself does not mandate immediate or real-time access to information. But Congress defined information blocking to mean, in part, a practice that is “likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” And the ONC has concluded that a delay in access can interfere with a patient’s access to EHI. While the agency declined to mandate that providers proactively make their data available to patients via patient portals, the agency said that a “delay in making EHI available through a ‘patient portal’ or an API [application programming interface] for patients could constitute an interference and thus implicate the information blocking regulations.”

The ONC’s recent focus on patient access to information reflects a broader trend among federal and state agencies seeking to promote the availability of information to individuals who are the subject of records. Last year, the OCR proposed to amend HIPAA to strengthen the right of access, proposing, among other things, to reduce the 30-day response time frame to 15 days. Similarly, the Centers for Medicare and Medicaid Services finalized its interoperability rule, which requires certain health plans to make more information directly available to their members via APIs. More broadly, these rules mirror the push of some states to increase consumer access to their data under laws such as the California Consumer Privacy Act.

The Extent Of Providers’ Obligations

In effect, the ONC is interpretating the 21st Century Cures Act to mean that patients have the right to obtain their data from health care providers as quickly as possible. Therefore, patient portals—which permit patients to see a significant trove of information about themselves as soon as they log in to the sites—have become a key tool in meeting this obligation.

But the ONC’s position leaves open many questions. Providers have been left struggling with how to comply with government regulations and determining whether they must upload every piece of information they have about patients to their portals.

Providers’ concerns generally fall into three categories. The first is a clinical concern: How can physicians have conversations with their patients about an unexpected laboratory result if results must be posted on a portal as soon as the laboratory completes its work? The information blocking rule recognizes a “preventing harm exception,” which permits a provider to withhold information if disclosure is “reasonably likely to endanger the life or physical safety” of any person. But sharing an unexpected cancer diagnosis is unlikely to meet such a standard in most cases.

The second is a legal concern: In many cases, there is tension between the information blocking rule and privacy laws that limit access to information. Striking a balance can be difficult, particularly in the case of minors. Parents and guardians generally have the right to see the health information of their children; therefore, the information blocking rule suggests that providers should upload pediatric information to portals for their parents to see. But nearly all states have “minor consent” laws that prohibit a provider from sharing a minor’s information with a parent or guardian if the minor requested a type of service such as for family planning, abortion, mental health care, or treatment of a substance use disorder. Drawing the line between pediatric records that cannot be shared with parents and guardians and those that must be shared is not always an easy task.

The third is a practical concern: In some cases, posting certain records to a portal can be time-consuming and costly. Is a provider obligated to upload all records, even those that are many years old? What about large data files, such as detailed imaging results, which may not be compatible with the portal’s current configuration? Is there an obligation to pull records that exist outside the provider’s primary electronic health record (EHR) system? What if the provider doesn’t have an EHR system at all? 

While the ONC has not provided answers to these questions, the information blocking rule itself can help to address some of these issues. The rule applies only to records that exist in electronic form. That means providers have no obligation to wade through mountains of paper files and put that information in patient portals. Furthermore, the rule does not apply to information that exists outside of a patient’s “designated record set,” which essentially means records that may be used to make decisions about the patient. Therefore, if the provider maintains an electronic system of employee evaluation records that includes information on a patient, that system would not be part of the patient’s designated record set, as long as clinicians did not access it for the purposes of making treatment or billing decisions about that particular patient. As such, there would be no need to link that data set to the patient portal.  

But even a provider’s determination that certain information is part of an electronic designated record does not mean that the provider always needs to make that information available in their portal. While one may argue that a failure or inability to upload such information to the portal may constitute “interference” with access to EHI, such failure or inability may not constitute information blocking. Preventing a patient from having access to EHI rises to the level of information blocking only if no information blocking exception applies and the “provider knows that such practice is unreasonable.”

The reasonableness limit is critical to implementation of information blocking regulations. Congress did not want providers to be held financially liable for every failure to share information that happened to fall outside one of the narrow information blocking exceptions. Instead, the law focuses on practices that providers know are unjustified. Adopting a policy of preventing all laboratory test results from being uploaded to patient portals may be an unreasonable stance, particularly if the provider has the technical capability of making those records accessible. But providers have a much better argument that they are acting reasonably if they prevent parents from being able to access their teenager’s record to ensure compliance with a minor consent law, even if the provider is unsure whether the particular record falls within the scope of that law.

The Future Of Portals

So far, there has been no enforcement of the information blocking rule. The HHS Office of Inspector General issued a proposed regulation to enforce information blocking requirements in 2020, but that rule has yet to be finalized. Moreover, the proposed rule only addressed actions against health information exchanges and health information technology vendors, not against providers. The federal government has not developed a scheme to effectuate information blocking requirements against providers.

However, providers eventually will face enforcement of these rules. Data released by the government so far suggest that such enforcement may focus on patient complaints against providers, in regard to portals and otherwise. The government recently found that nearly 80 percent of information blocking complaints received through February 2022 were against providers and that patients made up about two-thirds of those who filed complaints. ONC officials noted that one common complaint was patients saying their providers unnecessarily delayed providing access to their information. 

In short, health care providers’ efforts to give their patients better access to their information will be subject to scrutiny for years to come.

Author’s Note

The author is an employee of Manatt, Phelps & Phillips, LLP, which provides advice to organizations seeking to comply with the information blocking rule.