This paper is in the following e-collection/theme issue:

Viewpoints and Perspectives (484) Electronic Health Records (966) Ethics, Privacy, and Legal Issues (457) Personal Health Records, Patient-Accessible Electronic Health Records, Patient Portals (542)

Published on in Vol 24, No 2 (2022): February

Preprints (earlier versions) of this paper are available at https://preprints.jmir.org/preprint/34085, first published .
The 21st Century Cures Act and Multiuser Electronic Health Record Access: Potential Pitfalls of Information Release

The 21st Century Cures Act and Multiuser Electronic Health Record Access: Potential Pitfalls of Information Release

The 21st Century Cures Act and Multiuser Electronic Health Record Access: Potential Pitfalls of Information Release

Authors of this article:

Simone Arvisais-Anhalt1, 2 Author Orcid Image ;   May Lau3 Author Orcid Image ;   Christoph U Lehmann4, 5 Author Orcid Image ;   A Jay Holmgren6 Author Orcid Image ;   Richard J Medford7 Author Orcid Image ;   Charina M Ramirez8 Author Orcid Image ;   Clifford N Chen9 Author Orcid Image
Article Authors Cited by (30) Tweetations (21) Metrics

    Viewpoint

    1Department of Hospital Medicine, University of California San Francisco, San Francisco, CA, United States

    2Department of Laboratory Medicine, University of California San Francisco, San Francisco, CA, United States

    3Division of Developmental and Behavioral Pediatrics, Department of Pediatrics, University of Texas Southwestern Medical Center and Children's Medical Center Dallas, Dallas, TX, United States

    4Department of Pediatrics, University of Texas Southwestern Medical Center, Dallas, TX, United States

    5Department of Data Sciences and Bioinformatics, University of Texas Southwestern Medical Center, Dallas, TX, United States

    6Department of Medicine, Center for Clinical Informatics and Improvement Research, University of California San Francisco, San Francisco, CA, United States

    7Division of Infectious Disease, Department of Internal Medicine, University of Texas Southwestern Medical Center, Dallas, TX, United States

    8Division of Pediatric Gastroenterology, Hepatology, and Nutrition, Department of Pediatrics, University of Texas Southwestern Medical Center and Children's Medical Center Dallas, Dallas, TX, United States

    9Division of Hospital Medicine, Department of Pediatrics, University of Texas Southwestern Medical Center and Children's Medical Center Dallas, Dallas, TX, United States

    Corresponding Author:

    Simone Arvisais-Anhalt, MD

    Department of Laboratory Medicine

    University of California San Francisco

    400 Parnassus Avenue

    San Francisco, CA, 94143

    United States

    Phone: 1 415 476 1000

    Email: simone.arvisais-anhalt@ucsf.edu


    Although the Office of The National Coordinator for Health Information Technology’s (ONC) Information Blocking Provision in the Cures Act Final Rule is an important step forward in providing patients free and unfettered access to their electronic health information (EHI), in the contexts of multiuser electronic health record (EHR) access and proxy access, concerns on the potential for harm in adolescent care contexts exist. We describe how the provision could erode patients’ (both adolescent and older patients alike) trust and willingness to seek care. The rule’s preventing harm exception does not apply to situations where the patient is a minor and the health care provider wishes to restrict a parent’s or guardian’s access to the minor’s EHI to avoid violating the minor’s confidentiality and potentially harming patient-clinician trust. This may violate previously developed government principles in the design and implementation of EHRs for pediatric care. Creating legally acceptable workarounds by means such as duplicate “shadow charting” will be burdensome (and prohibitive) for health care providers. Under the privacy exception, patients have the opportunity to request information to not be shared; however, depending on institutional practices, providers and patients may have limited awareness of this exception. Notably, the privacy exception states that providers cannot “improperly encourage or induce a patient’s request to block information.” Fearing being found in violation of the information blocking provisions, providers may feel that they are unable to guide patients navigating the release of their EHI in the multiuser or proxy access setting. ONC should provide more detailed guidance on their website and targeted outreach to providers and their specialty organizations that care for adolescents and other individuals affected by the Cures Act, and researchers should carefully monitor charting habits in these multiuser or proxy access situations.

    J Med Internet Res 2022;24(2):e34085

    doi:10.2196/34085

    Keywords

    21st Century Cures ActOpen NotesInformation Blockingmultiuser EHR accessproxy EHR accessadolescent Healthhealth IT Policyinformation technologycures actelectronic health recordelectronic health informationhealth informationpatient care 


    Primum non nocere” (“First, do no harm”) or nonmaleficence is a fundamental principle taught to every health care provider. It suggests that before applying any medical intervention, one needs to consider the potential negative effects on the patient. In this piece, we examine the potential for patient harm by the Office of The National Coordinator for Health Information Technology’s (ONC) Information Blocking Provision in the Cures Act Final Rule and the additional burden that health care providers, those who provide patient care and provide documentation in the electronic health record, will now face when documenting sensitive information.

    On December 13, 2016, the 21st Century Cures Act (hereinafter referred to as the “Cures Act”) was signed into law with the intent to “accelerate the discovery, development, and delivery of 21st century cures, and for other purposes” [1]. The Act defined electronic health record (EHR) interoperability, addressed health information technology certification requirements, and prohibited information blocking—the practice that prevents or interferes with those with permission to access electronic health information (EHI) [2]. As the federal entity coordinating efforts to implement health information technology and exchange EHI, ONC, a division within the US Department of Health and Human Services (HHS) [3], developed the Cures Act Final Rule to direct the implementation of the Cures Act legislation [4].


    The stated goal of the ONC Cures Act Final Rule is to empower patients to interact “with their health record in a modern health IT economy” [4]. ONC postulated that “putting patients in charge of their health record is a key piece of patient control in healthcare and patient control is at the center of HHS’s work towards a value-based healthcare system.” The Cures Act Final Rule also encourages innovations in health care technology and hopes to deliver the following:

    • Transparency on cost and outcomes of care
    • Competitive options in obtaining medical care
    • Convenient access to medical records using smartphone apps
    • Innovation and choice for patients, physicians, hospitals, payers, and employers through an app-based economy [4]

    The Cures Act Final Rule promotes interoperability across EHR vendors through the adoption of data exchange standards and calls upon the health care information technology (IT) industry to adopt standardized application programming interfaces through specified Conditions of Certification. Additionally, ONC aims to increase patients’ access to their EHI through minimizing measures that block patient access to information [5-7].


    The Information Blocking Provision of the Cures Act Final Rule mandates that patients have unfettered, free access to their EHI, and provides clear requirements for compliance by health care providers, institutions, health information exchanges, and EHR vendors [8].

    The spirit of the Information Blocking Provision is similar to that of the OpenNotes movement, which over the past decade has been adopted by several health care institutions across the United States, Canada, and Sweden and provides patients with near immediate and full access to their EHI [9,10]. The Information Blocking Provision requires that patients have access to parts of their EHI defined by the United States Core Data for Interoperability (Figure 1) by April 5, 2021, with eventual expansion to all EHI by October 6, 2022 [11-13]. Of note, patients have had the right to access their medical record since the implementation of the Health Insurance Portability and Accountability Act (HIPAA). The Cures Act final rule does not increase the type of health information that patients and families can access, it only facilitates automatic release via patient portals and easier access electronically.

    The Information Blocking Provision includes a means to report violations and enforcement options. ONC encourages anyone who experiences or observes information blocking by any health care provider, health IT developer, certified health IT, health information network, or information exchange to share their concerns through an information blocking portal on ONC’s website [11]. Health IT developers, health information networks, and health information exchanges can be subject to civil monetary penalties of up to US $1,000,000 per violation [14]. Health care providers found to have committed information blocking will also be subjected to penalties that are to be determined [14].

    Figure 1. Elements of the United States Core Data for Interoperability [11].
    View this figure

    The Information Blocking Provision defines eight exceptions that do not constitute information blocking [15]. The preventing harm exception and the privacy exception are applicable to the documenting health care provider.

    The preventing harm exception stipulates that provided certain conditions are met, a health care provider can prevent the access to a patient’s EHI if it is “reasonable and necessary to prevent harm to a patient or another person” [15]. Key conditions include that the health care provider must reasonably believe that preventing access to a patient’s EHI will significantly reduce a risk of substantial harm, and that the interference is no broader than necessary. The patient has the right to request a review of an individualized determination of risk of harm [16].

    According to ONC’s guidance in the “Information Blocking Frequently Asked Questions,” the “Preventing Harm” exception does not apply to situations where the patient is a minor and the health care provider wishes to restrict a parent or legal representative’s access to the minor’s EHI to avoid violating the minor’s confidentiality and destroying the trust between the youth and the health care provider [12]. This lack of applicability in the case of adolescent confidentiality stands in tension with principles outlined by experts in the design and implementation of EHRs [17], endorsed by the American Academy of Pediatrics and Society of Adolescent Health And Medicine [18,19]. The concern over the implication of the Cures Act on adolescent confidentiality has been noted in the literature [20]. The premise underlying confidential care encourages adolescents to communicate with health care providers about sensitive topics such as sexual and reproductive health and substance abuse without the fear that their parents or guardians will have access to this information. Confidentiality on certain health care problems facilitates obtaining medical care that adolescents might forgo if information were shared with others. In the context of providing confidential care, the Cures Act’s broad focus on patient EHI access may cause a trade-off with patient–provider relationships, trust, and nonphysical types of harm. The text of the Final Rule specifically states that the desire to maintain confidentiality and to protect patient–provider relationships is insufficient to prevent the release of sensitive information. In certain multiuser access cases, this may erode the patient’s control over his/her information instead of increasing control. It is worth noting that HIPAA and the Cures act defer to the state laws that grant adolescents the ability to consent for certain conditions. While it is challenging to keep track of each state’s individual and varied confidentiality laws that result in 56 (one for each state and territory) different legal requirements for users of pediatric EHRs, these laws do provide clear legal backing to protect adolescent confidentiality.

    The other exception to the Cures Act Final Rule’s patient access provision immediately relevant to health care providers is the privacy exception. Under this exception, interfering with access to EHI is deemed not to be information blocking when the intent is to protect the patient’s privacy. These exceptions, listed in Textbox 1, are included by ONC to comply with HIPAA and other state privacy regulations and allow patients the opportunity to request information not be shared. Depending upon institutional practices, providers and patients may have limited awareness of this exception. Notably, the privacy exception states that providers cannot “improperly encourage or induce a patient’s request to block information” [21]. This stipulation affects a provider’s ability to guide patients for fear of being found in violation of the Information Blocking Provision and fined. Institutional policies and procedures will affect the implementation and management of this exception. Providers may not be aware of the procedure for patients to request their information not be shared during an encounter. Depending upon when the patient places the request (eg, before, during, or after an encounter), the institution may not be able to fulfill the request in a timely manner relative to the immediacy of information being released. Additionally, the privacy exception does not clearly describe if and how a patient can block individual pieces of data (data segmentation) instead of all data. The exception only describes how patients can request to block access and can request to regain access. The interpretation and implementation of this exception is left to the institution and provider and, given the complex nature of the exception, necessitates deference to informatics expertise and legal resources with experience in state and federal privacy laws and statutes for interpretation and use.

    Privacy exceptions to information blocking.

    Exceptions:

    • More stringent state or federal preconditions to exchange is not met 
    • Information technology developer is not covered by the Health Insurance Portability and Accountability Act Privacy Rule 
    • Inability to validate a requester’s right to access 
    • The individual requests the information not to be shared 
    Textbox 1. Privacy exceptions to information blocking.

    Overview

    The OpenNotes initiative has been shown to potentially increase patient activation, engagement, satisfaction, trust, and safety, and to improve the patient–physician relationship [22-25]. However, concern exists that the Information Blocking Provision will result in damaging breaches of confidentiality for cohorts of patients when parents or legal representatives are provided multiuser or proxy access to EHI [26,27]. In circumstances where EHI is made available within a web-based portal with multiuser or proxy access, the information could compromise the confidentiality of the patient, parent, or legal representatives and damage the relationship between the health care provider, patient, parent, or legal representative. The breach of confidentiality may occur bidirectionally as a caregiver may share information with a provider, which could be shared back with the patient. One recent study highlighted another area of concern: when guardians access an adolescent patient’s portal account. The study revealed that the estimated prevalence of guardian access could be as high as 76% of adolescent accounts and also showed a relatively low rate of proxy account creation [28]. When adolescents had their own portal account, proxy accounts for adolescent patients were created in only 0.3%-10% of cases [28]. The reality that many portal accounts are used and managed by guardians must be taken into consideration for adolescent patients who, in the context of their care setting, may lack the autonomy to prevent their guardians from accessing their personal patient portals.

    Pediatric and Adolescent Patients

    Prior to the Information Blocking Provision, pediatric institutions participating in the OpenNotes movement had addressed the concern for violating confidentiality and damaging relationships by blocking all clinical notes from several clinics including adolescent, gynecology, psychiatry, substance abuse, and the child protection team [29]. Although the Cures Act Final Rule explicitly states that maintaining confidentiality and protecting relationships is not sufficient to prevent the release of sensitive information, the effects of releasing this information on patients, their parents or legal representatives, and the patient–provider relationship cannot be underestimated and are concerning to adolescent medicine providers and other health care providers who care for youth [30].

    The Adolescent–Health Care Provider Relationship

    There are many situations that do not fit the “Preventing Harm” exception where adolescent patients may be adversely affected when their private information is accessed by others (Table 1). For example, an adolescent female with concerns for a sexually transmitted infection (STI) such as Neisseria gonorrhoeae or Chlamydia trachomatis may avoid seeking medical care to avoid repercussions or stigma if she knew her parents would have access to this information. This untreated STI could progress to pelvic inflammatory disease, a more serious infection, which may require hospitalization and intravenous antibiotic administration and could affect future fertility. Prior research has shown that 59% of surveyed females younger than 18 years would “stop using all sexual healthcare services, delay testing or treatment for HIV or other STDs, or discontinue use of specific (but not all) sexual healthcare services if their parents were informed they were seeking prescribed contraceptives” [31]. The concern for loss of confidentiality extends to other sensitive topics including mental health, substance use, gender identity, and sexual orientation and may conflict with federal and state laws.

    Table 1. Hypothetical scenarios for potential harm related to either lack of clarity of the laws, technical limitations regarding the release of electronic health information, or a combination of both.
    At risk for harmThird party receiving informationDomainMode of disclosureConsequence
    PatientParents or guardianMental healthPatient portalAvoiding care or deterioration
    PatientParents or guardianSubstance usePatient portalAvoiding care, overdose, or continued addiction
    PatientParents or guardianSexual history or reproductive healthPatient portalAvoiding care, complications from sexually transmitted infection, or infertility
    PatientParents or guardianGender management or identityPatient portalAvoiding care, delay in gender reassignment, or psychological impact
    PatientParents, guardian, or abuserViolence or abuse (physical or sexual)Patient portalAvoiding care, continued abuse, complications, or death
    PatientParents or guardianComplex social situationsPatient portalAvoiding care or delayed care
    PatientParents or guardianNeglectPatient portalAvoiding care, delayed care. or continued neglect
    Child/AdolescentParents or guardianFoster or custody issuesPatient portalAvoiding care, delayed care, or family strife
    Child/AdolescentParents or guardianMisattributed paternityPatient portalAvoiding care, delayed care, or family strife
    Parent/Care Giver / Legal GuardianPatient, other parent, or other care giverPerinatally acquired sexually transmitted infectionPatient portalAvoiding care, delayed care, or family strife
    Parent/Care Giver / Legal GuardianPatient, other parent, or other care giverSubstance abusePatient portalAvoiding care, delayed care, or family strife
    Parent/Care Giver / Legal GuardianPatient, other parent, or other care giverParent or caregiver’s mental healthPatient portalAvoiding care, delayed care, or family strife
    Parent/Care Giver / Legal GuardianPatient, other parent, or other care giverViolence, abuse, or legal problemsPatient portalAvoiding care, delayed care, or family strife
    Parent/Care Giver / Legal GuardianPatient, other parent, or other care giverMisattributed paternityPatient portalAvoiding care, delayed care, or family strife
    Parent/Care Giver / Legal GuardianPatient, other parent, or other care giverStress associated with chronic carePatient portalFamily strife or mistrust
    ProviderPatient, other parent, or other care giverPatient or family disagreement with providerPatient portalDelayed or missing documentation
    ProviderPatient, other parent, or other care giverNeglect or abusePatient portalLawsuit or unsafe environment for the provider

    Inadvertent Disclosure of Medically Relevant Information Obtained From Proxies

    There may be situations in which health care providers may document pertinent information that they receive from parents, relatives, and legal representatives, which may adversely affect the patient, parent, or legal representative or damage relationships when disclosed (Table 1). For example, parents may disclose their difficulty in coping with an adolescent’s chronic illness to a provider who documents it in the adolescent’s chart. This information could then be seen by the adolescent in their patient portal and affect the parent–child relationship. Another example is if a parent discloses information about a drug use during pregnancy or perinatally acquired STI to the pediatrician caring for the newborn. This information would be accessible through the infant’s electronic record by other users, such as the other parent. In both situations, disclosing medically relevant information may be disincentivized for fear of its discovery by another person having access to the medical record.

    Health Care Provider–Patient Relationship in Difficult Diagnostic Dilemmas

    Disclosure of information can adversely affect health care provider–patient relationships, especially when there is disagreement between the health care provider and the parents or patient (Table 1). In functional disorders where the medical work up does not demonstrate an organic etiology for the complaint, the parents or patient may believe otherwise. For example, when the defined Rome’s Criteria of Functional Abdominal Pain fits a patient’s symptoms, parents or the patient may disagree with this diagnosis. In similar cases where the relationship among the patient, family, and health care provider is critical to helping the patient improve, documenting this information could further damage a fraught or tenuous relationship with the health care provider. Although providers should hold themselves to high standards for documenting information in the EHR, providers should not feel pressured to augment their documentation for fear of their medical opinion offending patients or proxies. This can be the case when child abuse is in a differential diagnosis, and documentation of this in the child’s record may adversely affect the relationship between parent and health care provider if the parent feels unfairly accused or judged. There are situations where abuse is in a differential diagnosis, albeit with a very low index of suspicion, or where a provider may want to document that they have thought of but ruled out abuse or neglect. In these cases, it is unlikely the information will be compiled in “reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding” [32], which is clearly protected and eligible for legal blocking by HIPAA, and the remainder of the documented information may be of interest to the patient or proxy. The limited capabilities of data segmenting technology create an awkward or burdensome situation for providers.


    Overview

    The complexity of care and the large number of comorbidities and treatments associated with aging make the electronic patient portal an attractive tool for persons with multiple health conditions. However, many older adults feel uncomfortable or ill-equipped using technology and rely on their caregivers for their health care–related tasks, necessitating proxy portal access. Less than 20% of US hospitals that allow caregiver proxy access also allow patients to filter or partially block the EHI passed on to their proxies [33]. Therefore, older adults are faced with many of the same challenges and potential harms that adolescents may experience.

    The Older Adult Patient–Caregiver Relationship

    Despite an increase in STIs among adults over the age of 65 years, many older adults are reluctant to share a recent sexual encounter [34] with their health care provider, knowing that this information will be available to caregivers. Syphilis, which is a treatable condition, can mimic dementia and neurocognitive disorders in late stages of the disease if the diagnosis is missed. Similarly, older patients may withhold health information regarding mental health (including depression) and elder abuse (physical, sexual, emotional, neglect, abandonment, financial, and self-neglect) from their health care providers for fear of their proxy finding out (Table 1). Again, the emphasis on broad access may paradoxically erode the patient’s control over who can access their data. One potential solution may be allowing patients to block all information related to a specific topic from all users of the patient portal, including themselves, and unblock it again when they become sole users of the portal.

    Inadvertent Disclosure of Medically Relevant Information Obtained From Caregivers

    Caregivers may disclose emotional, physical, or mental exhaustion leading to burnout. If this information is documented and shared with the older adult patient, unintended consequences are feelings of guilt, overburdening, and depression (Table 1).

    Of note, there is a clause in the HIPAA Privacy Rule that specifically addresses keeping third-party information confidential. According to this clause [35]:

    Any information disclosed to the provider by another person who is not a healthcare provider that was given under a promise of confidentiality (such as that shared by a concerned family member), may be withheld from the patient if the disclosure would be reasonably likely to reveal the source of the information.

    Since the Cures Act defers to the HIPAA, this clause should be applicable under the Cures Act; however, this is likely not well-known or understood across institutions.

    In some cultures, it is common practice for caregivers to withhold negative information such as the diagnosis of a cancer or a terminal illness. Caregivers are also frequently surrogate decision-makers and may for many reasons ask a health care provider to withhold a diagnosis [36]. Although we consider disclosure to the patient as the ethically preferable choice, we acknowledge that the inability to block information may not align with the cultural norms of certain patient groups [37]. The patient may also desire information blocking, such as when an older patient is afraid that disclosure of a new diagnosis of cancer or recurrence may burden their caregiver or lead to caregiver burnout.

    Health Care Provider–Patient Relationship in Difficult Diagnostic Dilemmas

    Maintaining a good relationship with patients is critical for health care providers taking care of older adults, as dynamic shifts in health often require changing or transitioning goals of care. Even neutral personal descriptors such as “elderly” in a note can make patients feel judged and perceived themes of disrespect, errors, and surprises can lead to straining of a patient–provider relationship [38]. For example, the term palliative is often misinterpreted for end-of-life care when in fact the goal is symptom and quality of life improvement for any serious illness (even curative ones), irrespective of prognosis. Further, the National Center for Educational Statistics reports that 21% of adults in the United States (~43 million) are illiterate or functionally illiterate [39]. Misinterpreting documentation may prevent older adults from seeking care to relieve symptoms and stress and align treatment options with their goals. One unintended, but positive, consequence of the information blocking rules might be that it encourages providers to be more vigilant in their documentation to achieve language that is both medically accurate and affirming of the patient’s dignity.


    Although the potential adverse outcomes previously discussed do not meet the Cures Act Final Rule definition of harm, in some cases, releasing this information may violate the foundational principles of a trusting provider–patient relationship.

    Information Blocking in the Multiuser EHR

    While the Cures Act final has made it easier to access information electronically, this increase in access is not accompanied with the requisite technical advances to block access to data in appropriate circumstances. In the situations when information blocking can be legally used, strategies are limited in number and capability, especially in the context of a multiuser or proxy access. Information blocking is technically and logistically challenging, and the burden is placed upon the documenting health care providers to determine what EHI is and is not appropriate to block and to whom. For some health care providers, such as those practicing in adolescent medicine, family medicine, general pediatrics, pediatric subspecialties, internal medicine, and geriatrics, navigating information blocking may be a routine experience depending on patient needs.

    At the institutional level, the hospital system can deactivate proxy access; however, this may be burdensome and can be delayed depending upon institutional implementation (eg, a health care provider clicking a button in the EHR versus contacting health information management and placing a ticket for a request to be completed). The ONC exceptions emphasize that information blocking should be no broader than necessary. It will be an infrequent occurrence that a patient or proxy is completely blocked from accessing all EHI and more common that the blocking will occur on a data-element-by-data-element (clinical documentation, laboratory tests, imaging, etc) basis. This may create a substantial burden for the health care institutions and be prone to user errors. Additionally, the absence of information may be conspicuous when a patient or proxy who usually receives information does not. There is an evolving standard called “Data Segmentation for Privacy” (DS4P) where a health care provider could mark portions of a note to be blocked from access; however, the adoption of this standard is minimal [40,41].

    Beyond institutional policies and EHR technical capabilities, the health care provider can adopt new documentation workflows when information blocking is legally acceptable. For example, the health care provider could create one note that is appropriate to share with all users and another that includes the information which is then blocked (ie, shadow charting); however, this solution is time-consuming and burdensome and unlikely to be adopted as clinical documentation has already been shown to be a significant contributor to burnout among health care providers [42-46]. Further, duplicate documentation would also be error-prone, jeopardizing safety and creating additional work and confusion for other health care providers on the treatment team relying on documentation to support patient care. Health care providers may choose to avoid caring for patients who are more prone to these complicated situations.

    Where information blocking is not acceptable, the health care provider, not wanting to damage a relationship or breach confidentiality, may decide to stop documenting certain information. This is a potentially dangerous practice that could affect medical care, reduce accurate billing, and result in incomplete communication about the patient’s medical history with other health care providers.


    The Cures Act Final Rule is undoubtedly necessary to facilitate significant improvements in patient care and innovation; however, in some cases of a multiuser or proxy access situation, the Information Blocking Provision conflicts with the standard that health care providers hold themselves to in the United States. Additionally, applying these exceptions to the Information Blocking Provision in legally acceptable cases will be burdensome and could lead to increased burnout among health care providers. Paradoxically, providing patients more control over their data may actually jeopardize their control and privacy in some scenarios. Although breaching confidentiality and damaging the patient–provider relationship will not necessarily cause substantial harm as defined by the text of the Final Rule, it may cause unnecessary anguish, limit the quality of care, or cause a patient to forgo or delay care, and lead to increased morbidity. Additionally, the privacy exception may be underutilized as it necessitates patients and providers be educated on the application of this rule and an institution’s policies and procedures. In light of these concerns, we recommend that ONC provide more detailed guidance both on their website and targeted outreach to health care providers caring for patients in the adolescent health setting and other multiuser or proxy access situations. As clause 171.202 (b) of the Cures Act allows institutions to develop policies around information blocking, we encourage ONC to develop and publish sample policies that institutions may use or modify. Such guidance should outline the exact processes by which a patient can opt out of their health data being shared with a proxy user using the privacy exception and detail how providers can best guide patients through decision-making without the fear of being in violation of the information blocking rules. Where data segmentation for privacy is not feasible, we recommend that ONC considers carving out an option for providers to return to traditional sharing options to prevent breaches of privacy. We also urge ONC to interpret the privacy exception broadly and not penalize hospitals or providers for information blocking when proxy access is the reason for the information blocking. We suggest that ONC and researchers carefully monitor charting habits in these multiuser or proxy access situations by studying how often patients use the privacy exception compared with single-user EHR access scenarios, how much time is spent documenting for these scenarios, and how much shadow-charting is taking place. We also suggest researchers carefully monitor the effect of information blocking on patient, provider, and proxy relationships. Additionally, we recommend limited penalties on health care providers in multiuser or proxy access situations during the implementation process of the Cures Act Final Rule until technological capabilities advance to better segment notes and block them from certain users.

    Conflicts of Interest

    ML has been compensated for presentations for the Texas Pediatric Society, for consulting on modules to educate providers for Texas Health Steps, for time working with the Texas Essential Knowledge and Skills Proclamation 2022 Review Adoption Review Panel, and as a consultant for the Texas Child Psychiatry Access Network. She was also awarded support funds through the Technology and Adolescent Mental Well Being (TAM) youth Advisory Board (funding to start in January 2022), received a grant from Texas Pediatric Society Foundation, and is a Nexplanon trainer for Organon. CUL owns shares in Celanese and Markel. The remaining authors have no conflicts to declare.

    1. P.L. 114–255, Approved December 13, 2016 (130 Stat. 1033). Social Security. 2016.   URL: https:/​/www.​ssa.gov/​OP_Home/​comp2/​F114-255.​html#:~:text=An%20Act%20to%20accelerate%20the,%E2%80%9C21st%20Century%20Cures%20Act%E2%80%9D [accessed 2022-02-09]
    2. 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Final Rule: Summary of Information Blocking and Eight Exceptions. CHiME Public Policy.   URL: https:/​/chimecentral.​org/​wp-content/​uploads/​2020/​06/​061420_CHIME-Information-Blocking-Cheat-Sheet-FINAL-RULE1-1.​pdf [accessed 2022-02-09]
    3. About ONC. The Office of the National Coordinator for Health Information Technology (ONC).   URL: https://www.healthit.gov/topic/about-onc [accessed 2021-03-20]
    4. About ONC's Cures Act Final Rule. The Office of the National Coordinator for Health Information Technology (ONC).   URL: https://www.healthit.gov/curesrule/overview/about-oncs-cures-act-final-rule [accessed 2021-03-20]
    5. What ONC's Cures Act Final Rule Means for Patients. The Office of the National Coordinator for Health Information Technology.   URL: https://www.healthit.gov/curesrule/what-it-means-for-me/patients [accessed 2021-03-20]
    6. What ONC's Cures Act Final Rule Means for Clinicians and Hospitals. The Office of the National Coordinator for Health Information Technology.   URL: https://www.healthit.gov/curesrule/what-it-means-for-me/clinicians [accessed 2021-03-20]
    7. What ONC's Cures Act Final Rule Means for Health IT Developers. The Office of the National Coordinator for Health Information Technology.   URL: https://www.healthit.gov/curesrule/what-it-means-for-me/health-it-developers [accessed 2021-03-20]
    8. Michael Lipinski, Mark Knee. 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Proposed Rule. US Department of Health and Human Services.   URL: https:/​/www.​healthit.gov/​sites/​default/​files/​facas/​2019-03-22_ONC_Cures_Act_NPRM_IB_%20HITAC_IB_Task_Force_508.​pdf [accessed 2022-02-12]
    9. Everyone on the Same Page. OpenNotes.   URL: https://www.opennotes.org/ [accessed 2021-03-20]
    10. Hägglund M, DesRoches C, Petersen C, Scandurra I. Patients' access to health records. BMJ 2019 Oct 02;367:l5725. [CrossRef] [Medline]
    11. United States Core Data for Interoperability (USCDI). The Office of the National Coordinator for Health Information Technology (ONC).   URL: https://www.healthit.gov/isa/united-states-core-data-interoperability-uscdi [accessed 2021-03-20]
    12. Information Blocking FAQs. The Office of the National Coordinator for Health Information Technology.   URL: https://www.healthit.gov/curesrule/resources/information-blocking-faqs [accessed 2021-03-20]
    13. New Applicability Dates included in ONC Interim Final Rule. The Office of the National Coordinator for Health Information Technology.   URL: https:/​/www.​healthit.gov/​cures/​sites/​default/​files/​cures/​2020-10/​Highlighted_Regulatory_Dates_Information_Blocking.​pdf [accessed 2021-03-20]
    14. Certified Health IT. The Office of the National Coordinator for Health Information Technology.   URL: https://www.healthit.gov/playbook/certified-health-it/ [accessed 2021-03-20]
    15. Information Blocking. The Office of the National Coordinator for Health Information Technology.   URL: https://www.healthit.gov/curesrule/final-rule-policy/information-blocking [accessed 2021-03-20]
    16. Cure Act Final Rule: Information Blocking Exceptions. The Office of the National Coordinator for Health Information Technology.   URL: https://www.healthit.gov/sites/default/files/cures/2020-03/InformationBlockingExceptions.pdf [accessed 2021-03-12]
    17. Dufendach KR, Eichenberger JA, McPheeters ML, Temple MW, Bhatia HL, Alrifai MW, et al. Core Functionality in Pediatric Electronic Health Records. Rockville, MD: Agency for Healthcare Research and Quality; 2015.
    18. Council on Clinical Information Technology. Policy Statement--Using personal health records to improve the quality of health care for children. Pediatrics 2009 Jul;124(1):403-409. [CrossRef] [Medline]
    19. Society for Adolescent Health and Medicine, Gray SH, Pasternak RH, Gooding HC, Woodward K, Hawkins K, et al. Recommendations for electronic health record use for delivery of adolescent health care. J Adolesc Health 2014;54(4):487-490. [CrossRef] [Medline]
    20. Schapiro NA, Mihaly LK. The 21st Century Cures Act and Challenges to Adolescent Confidentiality. J Pediatr Health Care 2021;35(4):439-442. [CrossRef] [Medline]
    21. 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program.: Federal Register   URL: https:/​/www.​federalregister.gov/​documents/​2020/​05/​01/​2020-07419/​21st-century-cures-act-interoperability-information-blocking-and-the-onc-health-it-certification [accessed 2022-02-12]
    22. Delbanco T, Walker J, Bell SK, Darer JD, Elmore JG, Farag N, et al. Inviting patients to read their doctors' notes: a quasi-experimental study and a look ahead. Ann Intern Med 2012 Oct 02;157(7):461-470 [FREE Full text] [CrossRef] [Medline]
    23. Esch T, Mejilla R, Anselmo M, Podtschaske B, Delbanco T, Walker J. Engaging patients through open notes: an evaluation using mixed methods. BMJ Open 2016 Jan 29;6(1):e010034 [FREE Full text] [CrossRef] [Medline]
    24. Gerard M, Chimowitz H, Fossa A, Bourgeois F, Fernandez L, Bell SK. The Importance of Visit Notes on Patient Portals for Engaging Less Educated or Nonwhite Patients: Survey Study. J Med Internet Res 2018 May 24;20(5):e191 [FREE Full text] [CrossRef] [Medline]
    25. Bialostozky M, Huang JS, Kuelbs CL. Are You In or Are You Out? Provider Note Sharing in Pediatrics. Appl Clin Inform 2020 Jan;11(1):166-171 [FREE Full text] [CrossRef] [Medline]
    26. Sinha S, Puttagunta R, Vodzak J. Interoperability and Information-Blocking Rules: Implications for Pediatric and Adolescent Health Care Professionals. JAMA Pediatr 2021 Oct 01;175(10):997-998. [CrossRef] [Medline]
    27. Pageler NM, Webber EC, Lund DP. Implications of the 21st Century Cures Act in Pediatrics. Pediatrics 2021 Mar;147(3):e2020034199. [CrossRef] [Medline]
    28. Ip W, Yang S, Parker J, Powell A, Xie J, Morse K, et al. Assessment of Prevalence of Adolescent Patient Portal Account Access by Guardians. JAMA Netw Open 2021 Sep 01;4(9):e2124733 [FREE Full text] [CrossRef] [Medline]
    29. Parsons CR, Hron JD, Bourgeois FC. Preserving privacy for pediatric patients and families: use of confidential note types in pediatric ambulatory care. J Am Med Inform Assoc 2020 Nov 01;27(11):1705-1710 [FREE Full text] [CrossRef] [Medline]
    30. Carlson J, Goldstein R, Hoover K, Tyson N. NASPAG/SAHM Statement: The 21st Century Cures Act and Adolescent Confidentiality. J Adolesc Health 2021 Feb;68(2):426-428. [CrossRef] [Medline]
    31. Reddy DM, Fleming R, Swain C. Effect of mandatory parental notification on adolescent girls' use of sexual health care services. JAMA 2002 Aug 14;288(6):710-714. [CrossRef] [Medline]
    32. Under what circumstances may a covered entity deny an individual’s request for access to the individual’s PHI? U.S. Department of Health & Human Services.   URL: https:/​/www.​hhs.gov/​hipaa/​for-professionals/​faq/​2046/​under-what-circumstances-may-a-covered-entity/​index.​html [accessed 2021-12-05]
    33. Latulipe C, Mazumder SF, Wilson RKW, Talton JW, Bertoni AG, Quandt SA, et al. Security and Privacy Risks Associated With Adult Patient Portal Accounts in US Hospitals. JAMA Intern Med 2020 Jun 01;180(6):845-849 [FREE Full text] [CrossRef] [Medline]
    34. Bowen V, Braxton J, Davis D. Sexually Transmitted Disease Surveillance 2018. Centers for Disease Control and Prevention. 2018.   URL: https://www.cdc.gov/std/stats18/STDSurveillance2018-full-report.pdf [accessed 2022-02-09]
    35. Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524. U.S. Department of Health & Human Services.   URL: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html [accessed 2021-12-04]
    36. McCabe MS, Wood WA, Goldberg RM. When the family requests withholding the diagnosis: who owns the truth? J Oncol Pract 2010 Mar;6(2):94-96 [FREE Full text] [CrossRef] [Medline]
    37. Ni YH, Alræk T. What circumstances lead to non-disclosure of cancer-related information in China? A qualitative study. Support Care Cancer 2017 Mar;25(3):811-816 [FREE Full text] [CrossRef] [Medline]
    38. Fernández L, Fossa A, Dong Z, Delbanco T, Elmore J, Fitzgerald P, et al. Words Matter: What Do Patients Find Judgmental or Offensive in Outpatient Notes? J Gen Intern Med 2021 Sep;36(9):2571-2578. [CrossRef] [Medline]
    39. Mamedova S, Pawlowski E. Adult Literacy in the United States. National Center for Education Statistics. 2019.   URL: https://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2019179 [accessed 2022-02-09]
    40. McCarthy MW, de Asua DR, Gabbay E, Fins JJ. Off the Charts: Medical documentation and selective redaction in the age of transparency. Perspect Biol Med 2018;61(1):118-129. [CrossRef] [Medline]
    41. Security Tags for Sensitive Information. The Office of the National Coordinator for Health Information Technology.   URL: https://www.healthit.gov/isa/data-segmentation-sensitive-information [accessed 2021-03-20]
    42. Downing NL, Bates DW, Longhurst CA. Physician Burnout in the Electronic Health Record Era: Are We Ignoring the Real Cause? Ann Intern Med 2018 Jul 03;169(1):50-51. [CrossRef] [Medline]
    43. Shanafelt TD, Dyrbye LN, West CP. Addressing Physician Burnout: The Way Forward. JAMA 2017 Mar 07;317(9):901-902. [CrossRef] [Medline]
    44. Marmor RA, Clay B, Millen M, Savides TJ, Longhurst CA. The Impact of Physician EHR Usage on Patient Satisfaction. Appl Clin Inform 2018 Jan;9(1):11-14 [FREE Full text] [CrossRef] [Medline]
    45. West CP, Dyrbye LN, Shanafelt TD. Physician burnout: contributors, consequences and solutions. J Intern Med 2018 Jun;283(6):516-529 [FREE Full text] [CrossRef] [Medline]
    46. Frintner MP, Kaelber DC, Kirkendall ES, Lourie EM, Somberg CA, Lehmann CU. The Effect of Electronic Health Record Burden on Pediatricians' Work-Life Balance and Career Satisfaction. Appl Clin Inform 2021 May;12(3):697-707. [CrossRef] [Medline]

    DS4P: Data Segmentation for Privacy
    EHI: electronic health information
    EHR: electronic health record
    HHS: US Department of Health and Human Services
    HIPAA: Health Insurance Portability and Accountability Act
    IT: information technology
    ONC: Office of The National Coordinator for Health Information Technology
    STI: sexually transmitted information
    TAM: Technology and Adolescent Mental Well Being

    Edited by T Leung; submitted 06.10.21; peer-reviewed by N Pageler, J Hron; comments to author 06.11.21; revised version received 07.12.21; accepted 26.12.21; published 17.02.22

    Copyright

    ©Simone Arvisais-Anhalt, May Lau, Christoph U Lehmann, A Jay Holmgren, Richard J Medford, Charina M Ramirez, Clifford N Chen. Originally published in the Journal of Medical Internet Research (https://www.jmir.org), 17.02.2022.

    This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in the Journal of Medical Internet Research, is properly cited. The complete bibliographic information, a link to the original publication on https://www.jmir.org/, as well as this copyright and license information must be included.