Feds Begin Enforcing New Patient Data Rules
The Centers for Medicare & Medicaid Services (CMS) has begun enforcing its interoperability and patient access rule. The regulation requires health systems and telehealth platforms to enable secure, seamless data sharing, giving clients and their families greater access to their own records. This move pressures any digital health provider, including coaches, to ensure their platforms are compliant with new standards for privacy and transparency.
These new data rules are rooted in the 21st Century Cures Act, a law passed in 2016 to accelerate medical innovation and increase patient access to their electronic health information. The core principle is that patients have a right to their health data, and providers must facilitate that access securely and electronically, often at no cost to the patient.
A key component of the enforcement is the prohibition of "information blocking," which is any practice likely to interfere with, prevent, or discourage the access, exchange, or use of electronic health information. For a solo practitioner, this could mean delays in providing records to a client or another provider, or implementing policies that make it unreasonably difficult for clients to get their data.
Penalties for non-compliance are significant. Health IT developers and health information exchanges can face civil monetary penalties of up to $1 million per violation. For individual healthcare providers, penalties are structured as "disincentives," which could include being barred from participation in certain Medicare programs or receiving lower scores in quality payment systems. Enforcement of these disincentives for providers began as of July 31, 2024.
For coaches working with K-12 and college students, the rules around minor consent and parental access are critical. State laws still govern a minor's ability to consent to their own care and control their health records. The Cures Act does not override these state laws or HIPAA, which often grant privacy protections to adolescents for sensitive services like mental and sexual health care.
There are specific exceptions to the information blocking rule that are relevant to coaching. The "Preventing Harm Exception" allows a provider to withhold information if they reasonably believe its release would lead to physical or emotional harm to the patient or another person. Another is the "Privacy Exception," which can be invoked if sharing the information would violate state or federal privacy laws. Psychotherapy notes, which are a clinician's private notes not intended for billing or to be part of the official medical record, are generally excluded from what must be shared. However, progress notes, consultation notes, and treatment plans are considered part of the electronic health information that must be made accessible upon request.
Providers are required to respond to requests for information in a timely manner. A delay of several days when the capability exists for same-day access could be considered information blocking. If a request cannot be fulfilled, for instance, due to technical infeasibility, the provider must respond in writing within 10 days explaining the reason.
The ultimate goal of these regulations is to empower patients by giving them more control over their health journey. This includes the ability to use third-party applications to access and manage their health data, which can facilitate better care coordination and more informed decision-making.