Several weeks ago a law firm filed an information blocking complaint on behalf an individual alleging that a hospital, its electronic health records vendor, and a “records staffing firm,” had engaged in information blocking for refusing to produce EHR records in a text-based PDF format.[1] The context is important: the requestor is a former patient of the hospital suing for her records to support her case in a medical malpractice lawsuit. The law firm went on to allege that if the electronic health record vendor’s software lacked the capability to export medical records into a readable format, then it could violate that vendor’s certification.
At its core, the lawyers want the patient’s medical records in an electronic format that they can read, as people (not machines). However, when they went to read those electronic records, what they found after loading the file into Adobe Acrobat allegedly looked like this:
DHA 001318 “O c., -i’ ::. .+ )> 2 -f :I: 0 2 :< 0 0 ;::o 0 -f :I: -< m ::. 0 0 C: ::. …. 11) … Q 0 0 O’I O’) ,+I> “‘4 co (0 “‘4 (..) ,I:,, “O Ill IQ ID a …. <7> I) …. • !locurent HJ/1’.;ne Ml NDR lO/lS/lil rernperature F: 97.2 T;,,1,nc,,•;;t,J!’P SettJrce: Tempora 1 section: l NOR NDR A MU f;NH!ONY.DOROlHY MO Pctge: Printed 03/22/19 at 0348 CP CP A
So, is it information blocking?
Does the prohibition against information blocking apply?
When looking at whether the prohibition against information blocking applies as defined under the 21st Century Cures Act, we have to turn to whether the actor receiving the request is covered by the law, and whether the data being asked for meets the definition of electronic health information (“EHI”). Covered actors include healthcare providers, certified electronic health records, and health information exchanges.
The definition of healthcare provider includes a hospital. In this specific case, the electronic health record vendor is certified through the Office of the National Coordinator for Health IT (“ONC”) Health IT Certification Program. Therefore, the vendor is covered too.
The “records staffing firm” is harder to qualify. “Records staffing” doesn’t appear to be a health information exchange service, so at first glance my gut tells me no. However, a glance at their website shows that they offer “[d]istributed, private health data exchange services[.]” Whether they qualify as a health information exchange depends on whether the vendor “determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of electronic health information.”[2] That’s a fairly tight set of definitions: if this vendor simply performs actions at the direction of its customers it might be hard to pin them as a health information exchange.
That said, the prohibition against information blocking applies to the individuals and entities: not products. Once you are subject to it, all of your lines of business are. Let’s say you sell certified health IT and certified health IT. You are subject to the regulation. Assume your non-certified health IT contains EHI and you receive a request for EHI from that product. Even if that technology is not used in healthcare, if it contains EHI, you would have to respond to the request. So we turn next to the definition of EHI.
From April 5, 2021 to October 5, 2022 the definition of EHI is limited the United States Core Data for Interoperability (“USCDI”). The USCDI is composed of roughly 50 data elements and documents like demographics and clinical notes respectively. After that, it means all electronic protected health information (“ePHI”) that is part of a designated record set. ePHI is much broader and basically includes any electronic information that is created or received by a covered entity that relates to the health or condition of an individual.
What the law firm is requesting is a text-based PDF export of a patient’s medical record. That is much broader that the current definition of the EHI: those some-odd fifty data classes and documents. However, it would very likely fall under the future definition of EHI if the hospital created ePHI as PDFs or something similar.
ONC certification and PDFs
What if the vendor cannot export the patient’s medical record as text-based PDF that is human readable? Would that violate its certification? Probably not. If the vendor is certified to HHS’s interoperability criteria, it only be required to exchange clinical records through certain standards and in certain formats: namely exchanging clinical records formatted as an XML file through either secure messaging applications, or through application programming interfaces (“APIs”). For reference, XML includes the C-CDA format used in healthcare, as well as HTML.
The various criteria do require that the vendor’s software be able to DISPLAY the information from these documents in a human readable format, but they by no means guarantee that the RECEIVING software can display it human readable format. Here, the receiving software is Adobe Acrobat. Adobe Acrobat is not certified under the same program and likely does not fully support C-CDAs. Here, the vendor’s certification is likely safe.
HIPAA & Procedure
This is civil litigation: the rules of civil procedure apply. In addition, the Health Insurance Portability and Accountability (“HIPAA”) likewise applies. Rather than an ONC complaint, I would generally expect this to be resolved through the individual’s HIPAA right to their health information, or through a subpoena and judicial order. HIPAA allows an individual to receive their health information in a form or format that is readily available, or, in a readable hard copy. Unless an exception applies, this individual should ultimately receive their data.
Why does it matter?
This case demonstrates how attorneys might use the prohibition against information blocking in a way that surprises. Here, if the extended definition of EHI applies, penalties of up to $1 million per instance of information blocking could have been levied against the electronic health records vendor or records staffing vendor. In addition, the electronic health records vendor could have faced consequences under the ONC Health IT Certification Program: ranging from a corrective action plan, suspension of certification, termination of certification, or a certification ban. Expect the prohibition against information blocking to be leveraged more aggressively in other contexts, and soon. We are seeing this kind of activity before the OIG has even published its final rule on civil monetary penalties for providers who engage in information blocking. Currently, the law is somewhat toothless against healthcare providers for that reason. That stands to change in September according to the OMB’s regulatory tracker, which shows a tentative publication date of September, 2021.[3] That will open up hospitals, physician practice, labs, and more to legal action under the 21st Century Cures Act.
Institutions should brush off their HIPAA policies and procedures and incorporate 21st Century’s Cures nuances into them, and soon.
[1] You may read the full news release at the following link: https://www.law.com/legalnewswire/news.php?id=2891919.
[2] 45 CFR § 171.102.
[3] https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202104&RIN=0936-AA09
eHealth Law Blog 
One thought on “Is it Information Blocking? The Civil Discovery Edition”