Sep 16

Tips to Help Your Patients Understand the New Rules of EHI Access


The new interoperability act recommends providers give patients information about their rights and risks in terms of providing access to their Electronic Health Information (EHI). Below is an outline to help you get started.

The Federal government has released new rules around patient access to data within their electronic health record (EHR interoperability, information blocking, Cures Act). The goal is to put patients in charge of their health records, with the development of more convenient options for on-demand access whenever or wherever they need it. In time, there will be more ability for patients to choose apps that will access, assemble, and possibly read their healthcare records.

Improved interoperability will also allow different EHR systems and applications to connect. Currently, patients must access other systems for each of their various providers and hospital systems. However, patients who plan to use third-party applications should see an improvement in continuity of care and data exchange across systems. The goal is to provide the best healthcare outcomes for individuals, as well as the community. Ultimately, the power of information will give patients and caregivers the ability to make their own medical decisions (the type of care, place of care) that are often made for them by third parties.

Currently, access to records is managed by an organization's release of information (ROI) team or an ROI vendor. In recent years, EHR patient portals have become an additional source of data, but the information is limited and, in some cases, incomplete. The new rule should most likely escalate portal access (electronic access), allowing patients to view and download their records with a link and passcode.

Over the years, the proliferation and use of EHRs have changed how providers exchange patient information. The new rule will likely simplify provider access to patients’ previous healthcare history from other providers – improved interoperability. Therefore, patient care should be positively impacted, with less duplication of tests and fewer traditional continuity of care requests for records between providers.

The rules also disallow any form of hampering access to protected health information (PHI), which ONC is calling Information Blocking. Information blocking is defined as the intentional withholding of patient health information by an actor, either from provider to provider or from provider to patient. There seem to be many questions swirling around this notion, and industry experts are questioning what exactly qualifies as “intentional.” In an effort to provide clarification, the final interoperability rule introduced eight exceptions that are not considered information blocking.

The eight exceptions are as follows:
  1. Preventing Harm Exception – case by case where the provider believes there may be a risk of harm to the patient or another person, subject to review.
  2. Privacy Exception – when providing access would violate a state or federal privacy law (needs to meet four conditions)
  3. Security Exception – if there is a legitimate security risk concern
  4. Infeasibility Exception to meet a ten-day response requirement – Inability to obtain the information (e.g., disaster, public health emergency, internet interruption, inability to separate info)
  5. Health IT Performance Exception – Gives providers cause of action against certified IT developers if unable to meet commitments (e.g., short term system failure, updates)
  6. Content and Manner Exception – Can limit the amount of content as appropriate
  7. Fees Exception – Recovering reasonable costs to allow access
  8. Licensing Exception – Allows the protection of innovations.

Associated Risks for Patients – Important Information Your Patients Need to Know

While the ONC Final Rules provide sweeping enhancements to patient access, they also raise significant concerns about patient privacy and security. Although HIPAA rules remain, there are a few things your patients should consider:

  • Once Protected Health Information (PHI) is sent to third-party applications and devices, the healthcare organization is no longer responsible for the security of the PHI. The responsibility for protection shifts to the patient.
  • Are the risks associated with sending requested information unencrypted or in another unsecured manner understood? Sources that are not secure, like general email, can increase the risk of unauthorized access, breach of PHI and/or health insurance information, etc.
  • Patients should ask their provider to recommend apps or ensure they are certified under the Health IT Certification Program, which further assures providers and patients that HIPAA and industry-standard privacy and security measures are in place for these apps. Patients need to understand the risks of providing other entities or parties access to their Electronic Health Information (EHI). It will be incumbent on patients to understand the risks associated with obtaining and sharing their information through these apps.
  • An EHR is not just one thing; it is a collection of data and information from many sources that need to be connected, ideally using a national set of standard definitions. Therefore, patients must be aware that interoperability is not just connecting EHRs; it is also looking at the data elements within. Questions related to identifying different types of data and the level of data quality must be asked and answered. For example, do providers, even within the same office, place the same information in the same data element? How are non-standard data elements captured, e.g., ‘dictated’ progress notes, pathology reports, etc.? What is the process to ensure data quality? In addition, each organization will need to define what is included in its patient records, and patients will have access only to those elements defined.
  • Finally, records must be reviewed for accuracy. If any areas are found where the accuracy is questioned, discuss it with the provider. If needed, a patient has the right to formally request an amendment in writing. Information on how to submit the request is included in the notice of privacy practices from that provider.

Share with patients as they begin to become aware of the new rules. 

 To view the CMS Interoperability and Patient Access final rule, visit

To view the ONC 21st Century Cures Act final rule, visit,