What Open Notes Exceptions Does the Cures Act Allow?

Chad Anguilm, MBA; Richard F. Cahill, JD; and Kathleen Stillwell, MPA/HSA, RN

The executive director of the research group OpenNotes encourages all patients to read their doctors’ notes: “You’ll be amazed, I think, at how much the clinician was listening to you, how much they really know you. You’ll see your own words reflected back to you in the note. And that’s a very powerful experience.”

Many providers realize that the prohibition on information blocking, referred to as the “open notes” provision of the 21st Century Cures Act, is now in effect. As of April 5, 2021, patients must be able to access information in their electronic health records (EHRs) “without delay.” Unless an exception applies, clinical notes must not be blocked.

But what exceptions to open notes does the Cures Act allow—or in some cases, require? Many providers are wondering which notes they should not allow patients or their caregivers to see. This information is vital for providers trying to implement the open notes requirement in their practice.

Exceptions are divided into two basic categories:

Category 1: Exceptions that involve not fulfilling requests to access, exchange, or use electronic health information (EHI).

  • Preventing Harm Exception: Applies if a provider believes that the patient viewing the note may harm another person or themselves. An example of a preventing harm exception would be a psychologist blocking the release of a suicidal patient’s health information if they believe the records would increase the risk of the patient taking their own life.
  • Privacy Exception: Applies in a variety of situations involving the patient and/or caregivers. For example, certain lab results, such as a positive HIV test, may be briefly protected against patient access prior to discussion with the healthcare provider regarding this life-changing information. Moreover, certain family situations require a nuanced understanding of what is sharable with caregivers and what should be accessible to the patient only, such as designated aspects of the medical records of adolescents. Alternatively, some of a mother’s health information may be contained within her child’s record. The Office of the National Coordinator for Health Information Technology provides more information about the privacy exception.
  • Security Exception: Applies when fulfilling the patient’s request would compromise the security of EHI. In other words, the open notes requirement does not negate all the familiar responsibilities that the Health Insurance Portability and Accountability Act (HIPAA) imposes when it comes to protecting the privacy of personal health information (PHI) with appropriate safeguards. An example of the security exception in practice would be a patient requesting their information in an insecure manner, such as via unencrypted email. If this request violates the practice’s organizational security policy, the practice could block the information from being shared in that manner.
  • Infeasibility Exception: Applies when practical challenges limit a provider’s ability to meet a request. Situations listed under this exception include public health emergencies, public safety incidents, and labor strikes. In this case, the obligation to respond to the patient’s request still applies—the provider must respond, in writing, within 10 business days of receipt of the patient’s request—but the provider need not immediately fulfill that request.
  • Health IT Performance Exception: Applies when health IT, most commonly the EHR, is down for required or necessary maintenance or upgrades. In this case, the system may be down for no longer than necessary to maintain or improve the system. An example would be if a patient requests access to their most recent progress note during a system-down upgrade where the medical practice has no access to the note itself.

Category 2: Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.

  • Content and Manner Exception: Applies when the recipient of an EHI request desires to limit the scope of EHI provided, or the manner in which it is provided. For example, the recipient may propose to fulfill the request in an alternative manner because they are technically unable to fulfill it in the manner asked for. An example of this would be if the patient requests their record via their Apple Health app and the practice is unable to comply in that manner but could comply through their own patient portal.
  • Fees Exception: Applies when technologies and services that enhance interoperability are being developed. This exception is unlikely to apply to the average healthcare practice.
  • Licensing Exception: Applies under conditions where the recipient of the request is licensing interoperability elements for EHI to be accessed. This exception is unlikely to apply to the patient records requests most healthcare practices will encounter.

For more information regarding exceptions, see information provided by the Office of the National Coordinator for Health Information Technology.

For a summary of the nature, potential risks, and potential benefits of the open notes requirement, see Open Notes in Healthcare: The Good, the Bad, and the Ugly of the Cures Act.


Chad Anguilm, MBA, is Vice President, In-Practice Technology Services, Medical Advantage, part of TDC Group. Richard F. Cahill, JD, is Vice President and Associate General Counsel, The Doctors Company, part of TDC Group. Kathleen Stillwell, MPA/HSA, RN, is Senior Patient Safety Risk Manager, The Doctors Company, part of TDC Group.


The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider considering the circumstances of the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.

07/21