Skip to main content

Thank you for your interest in our webinar, Information Blocking & The 21st Century CURES Act: The Future of Client Data Management.

Below you will find the replay video and a link to the webinar slides.

Enjoy the replay!


Find More CURES Act Information Here:

Information Blocking & The CURES Act Presentation Slides

ONC Information Blocking Exceptions



What are the protections for LGBTQ+ minors who are not out with their parents?

This is a highly confusing area right now and a big push has been made to get ONC to provide better education on this topic. What I do know, or at least what I hear from people, is the ages in which minors can consent is still set at state level as long as it is consistent with HIPAA privacy rules. In California, I found this document to be helpful:

What would be examples of common practices today where EHR systems and/or EHRs are “blocking” information?

Information blocking happened before EHRs became prevalent in the U.S., and are not the primary culprit in the information blocking world. Some examples are: A healthcare provider can provide same-day access to EHI in a form and format requested by a patient, or a patient’s healthcare provider, but takes several days to respond; or contractual arrangements that prevent sharing or limit how EHI is shared with patients, their healthcare providers, or other third parties. Hospital policies or procedures that require personnel to obtain an individual’s written consent before sharing the individual’s EHI with unaffiliated providers for treatment purposes, even if obtaining such consent is not required by state or federal law.

Does this apply to crisis hotlines?

It is not a matter of the 21st Century CURES Act applying to specific programs so much as the EPI you hold. A program that is talking to someone to deescalate a volatile situation would most likely not capture the information required to be provided upon request. I would say no, it does not.

So if a guardian of a minor who holds legal rights can request any EHI, and the agency provides it, regardless of concerns of what the EHI may be, would the legal rights holder still go about the process of requesting the information?

Whoever has the legal rights to access the information can request access. There is no limit on the number of individuals who access data. I would, however, look at the harm exception if the practitioner feels the information could cause harm to the individual by providing access.

Can you provide a list of specific types of clinical (mental health) notes that fall under the CURES Act, for example, case management, rehab services, collateral, therapy, etc.?

So this is an interesting question. Psychotherapy notes are not considered part of EHI; however, every other type of behavioral health note is included. By definition, Psychotherapy Notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session, or a group, joint, or family counseling session and that is separated from the rest of the individual’s medical record.

Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, progress notes, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date information.

Regarding the fees, are EHR vendors allowed to charge existing clients more support fees to activate/use features that would allow for a client portal, etc.? Who does the “additional fee” item mentioned apply to? To health agencies or EHR vendors?

It will not be information blocking for you to charge fees for accessing, exchanging, or using EHI, provided certain conditions are met. The purpose of the fee exception is to enable you to charge fees related to the development of technologies and provision of services that enhance interoperability while not protecting certain opportunistic fees and exclusionary practices that interfere with the access, exchange, or use of EHI.

Conditions include that your fees must be based on objective and verifiable criteria that are uniformly applied for all similarly situated classes of persons or entities and requests, e.g., the same fees are charged to all patients, and they must be reasonably related to the cost of providing that type of access. For this information blocking exception, a provider may include fees that result in a reasonable profit margin. But this FAQ focuses on patient access. Note that HIPAA prohibits charging patients anything more than cost-based fees for accessing their records.

Is there a deadline as to how quickly the data has to be shared? Currently, the deadline is 15 business days.

The Final Rule does not establish a set timeframe for what timely access means. The Final Rule states that processes that create unnecessary delays or response times or limit the timeliness could implicate information blocking. Under the HIPAA Privacy Rule, a covered entity must act on an individual’s request for access no later than 30 calendar days after receiving the request. Federal agencies are currently reviewing a rule now to set the time frame at 15 days, but that has not been subjected to public review at this point. States can put their own time frames in place.

Is the expectation that a client/legal guardian will be able to access an EHR directly (their chart in the EHR) and pull documents?

With adolescent confidential notes, protection rules may not apply under the information blocking regulations. These regulations will release progress notes, imaging narratives, procedure notes, and labs to parents via their EHR portals. The release of information is not limited, and both inpatient and outpatient records will be released.

These regulations are written for adults with the assumption that all information is released to the individual receiving the care and shared with outside providers. Although the Rule appropriately defers to state adolescent privacy and data sharing laws, which vary significantly across the country, this may not be enough. Each state will need to be thoughtful about balancing the action or inaction of allowing access to confidential or sensitive progress notes, as interference with access may be considered information blocking and subject to penalties and fines.

Technically, the parsing of confidential information from clinically critical information is not easy. Providers will need to be creative in using the exemptions, most notably infeasibility, content, and manner to control adolescent privacy.

Is there a distinction in immediate access regulations (e.g. Portal) vs delayed access through a report?

There is not any specific direction regarding immediate via portal vs. a generated report. You must avoid the perception of delay, denial, or dissuading.

Is there a certain clause that we should look for within our Cyber Insurance regarding information blocking?

For this information blocking exception, a provider may include fees that result in a reasonable profit margin. But this FAQ focuses on patient access, and HIPAA prohibits charging patients anything more than cost-based fees for accessing their records.

Is it information blocking if the request was sent with an electronic signature? With some requests, the clients have applied for services via online portal and the signature on the form is electronic.

I am not sure what this is referring to. Still, electronic signatures are accepted on legal documents, so if the electronic signature process is consistent with electronic signature rules, it would be allowed.

Once the CURES Act takes effect, how far back do we need to provide info? For example, if we had a client who received services from us five years ago but is not a current client, do we have to give them access to their records through our EHRS? Or can we provide the info by another means (paper)?

There are no specific references to how far back portal access needs to be retained. State law requires you to maintain records for a specific period. It should be adequate for you to be able to use a download file or paper copy. I would look at the infeasibility exception as the mechanism to limit the way you can provide the information.

Once a client portal is available, will health providers be required to allow clients open access to their own EHI, or do clients/caregivers still need to make a record request?

An individual has always had the right to access their medical record under the HIPAA privacy rule. What the information blocking rule does is to put in place a systematic approach to access PHI and rules to manage access setting in place standards for complying with requests and identifying potential exceptions.

I assume if families are not involved, or the minor client is system-involved, their attorney or social worker would be cosigning a request. Is this true?

This would depend upon the age of the minor and state law. Not every state handles minor access the same.

To clarify, would clients have electronic access to a portal where they can sign-in and see their record at any time, or do clients still need to submit written requests to access their record?

Once a client portal is set up and the individual has given consent to share their information on their portal (to themselves and/or designated others) then the expectation is that they would have access continuously until they terminate their relationship with the provider.

Is it Information Blocking when a behavioral health client requests their progress notes (clinical notes), and they  are offered a summary first? If the client refuses the summary, the notes are provided within a certain timeframe. Can this policy be construed as Information Blocking?

This is a good question and one that, unfortunately, is again left up to interpretation. For ePHI and the Final Rule, all data elements listed under the USCDI are now required to be shared upon request (within a certain timeframe and with certain exceptions that we discussed). This includes progress notes, but not psychotherapy notes. Psychotherapy notes should be stored separately, either electronically in a designated “psychotherapy notes” section of EHR and/or physically, from the rest of the medical record.

Regarding progress notes, you can summarize progress notes, but only if your intention is that you are willing and able to provide detailed data. In other words, providing a summary does not preclude you from fulfilling the request. You must be careful that you are not being perceived to be delaying or attempting to dissuade an individual request.

Is a “patient portal” specifically a requirement under the CURES Act, or would other timely forms of access to data suffice?

The rule requires patients to have immediate access to their digital data, such as via a patient portal. A patient portal is not mandated but has been identified as a mechanism. No other alternatives are offered. It is expected that portals are the most accessible means to share with individuals.

About Exym Behavioral Health EHR Software

Exym is a comprehensive EHR software solution designed specifically for behavioral health agencies. Trusted for 20+ years, our intuitive and customizable software empowers providers to improve client outcomes, manage revenue cycles, and increase agency efficiency. Exym allows you to spend more time on what matters most- the clients in your care.

To learn more about how Exym EHR software can help your organization navigate the CURES Act, book a demo today!



Exym News
Jessica Carey
Post by Jessica Carey
May 30, 2023