By Patrick O'Brien, JD, Legal Coordinator, American Med Spa Association

Over the past month, there has been a lot of discussion about the new Open Notes Rules contained in the 21st Century Cures Act, which was signed into law in 2016 and went into effect on April 5. Much of the advice and many of the articles have been about how all medical practices will need an online patient portal to share patient information immediately. While in general, most laws that pertain to medical practices also apply to medical spas, there are some areas where that isn't necessarily the case.

The Open Notes rule applies largely to electronic medical record (EMR) systems and is written with the intention of making it easier for patients to access their health information and share or link it with other providers they may use. The rule terms this patient information as "electronic health information" (EHI), which currently includes 16 categories of information likely to be found in patient records; starting in October of next year, it will include all information that is part of a "designated record set" under HIPAA. Medical practices and health information service providers are penalized if they engage in what is termed "information blocking"—any practice that is likely to interfere with the "access, exchange or use" of health data, or that the provider knew was unreasonable and likely to result in interference. Clearly, this is a standard with a lot of room for interpretation and would be determined on a fact-specific assessment of circumstances in each case. Additionally, medical spas generally do not take insurance and are relatively small practices compared with hospitals and group practices, so their compliance may look different.

Here are three common questions about the new rules and how medical spas approach them.

If I Do Not Currently Have an EMR, Do I Need to Get One?

The U.S. Department of Health and Human Services (HHS) has helpfully set up a website that provides resources on these rules and can help to answer some of these questions. While these Open Notes rules apply only to electronic health information, they do not require that a health practice adopt an EMR. Depending on the health practice in question, other laws or rules may require or incentivize that they adopt an EMR system. Moreover, if they adopt or have already adopted an EMR system, these information blocking rules would apply. However, if, instead, they maintain paper records, there is nothing new for them to change. That is not to say that practices that use paper records do not have a duty to provide their patients access to the records—they certainly should, and will be penalized under state laws for failing to do so.

Are There Exceptions to "Information Blocking?"

Yes, there are exceptions and, again, a helpful document is provided outlining them. Broadly, there are exceptions that allow providers to block the information for the purposes of preventing harm, privacy, security, being infeasible or upgrades/maintenance on IT systems. However, and this is very important, in order to qualify for those exceptions, very specific criteria must be met. Before any practice decides to delay or not comply with a patient's EHI request, it should carefully review the specific conditions for the exceptions, as they are not a blanket "catch-all" excuse.

Is an Online Patient Portal the Only Way to Be Compliant?

The majority of the recent articles on these Open Notes rules have summarized them as requiring that all patient data be immediately available through a patient web portal. However, the rules do not explicitly require this. Instead, the rules are focused on eliminating "information blocking" once patient requests their health data. Operating a patient portal making the patient's data accessible at the same time it enters the EMR system is the most direct way to be compliant. However, being compliant only requires that providers fulfill requests for a patient's health information without unnecessary delay. As medical spas are unlikely to have a significant number of test results or EHI that is generated when the patient is not at the office, there may be other ways to provide EHI to the patient without needing to add a portal.

If you are a medical spa and are worried about your responsibilities regarding this rule or are looking to purchase a new EMR system for compliance purposes, it is certainly worthwhile to read through the rule and resources provided by HHS. It may also be helpful to discuss your compliance steps with your attorney. This will help to ensure that the effort is directed most effectively to become compliant under these rules and to minimize any surprises down the road.