A “Double-Double” Set of Proposed Rules from CMS & OCR Affecting Data Sharing & HIPAA

by | Dec 14, 2020 | CMS Proposed Rule, HIPAA, HIPAA Privacy, Information Blocking, Legislation & Rulemaking

Late last week, two new proposed rules were released which will affect the exchange of health information and HIPAA, among other things. The CMS and OCR proposed rules come in at over 347 and 357 pages respectively – so that’s a lot of meat to digest! Here is an overview of the highlights:

CMS Proposed Rule

At a high level, the CMS Proposed Rule aims to “improve the electronic exchange of health care data among payers, providers, and patients,” and “streamline processes related to prior authorization to reduce burden on providers and patients.”  It also builds upon CMS’s prior Interoperability and Patient Access Final Rule.  Specifically, the CMS Proposed Rule proposes to place new requirements on Medicaid and CHIP managed care plans, state Medicaid and CHIP fee-for-service programs, and QHP insurers on the Federally-facilitated Exchanges (FFEs).  CMS is also proposing to require increased patient electronic access to their health care information.

The proposed rule includes 5 main topics:

  1. Patient Access API

The Patient Access API requirement will predominantly impact payers. In its prior Interoperability and Patient Access Final Rule, CMS required payers to implement a FHIR-based Patient Access API. The new Proposed Rule would require payers to include, as part of such Patient Access API, information about the patient’s pending and active prior authorization decisions. CMS is also proposing to require impacted payers to establish, implement, and maintain an attestation process for third-party application developers to attest to certain privacy policy provisions prior to retrieving data via the payer’s Patient Access API. This is particularly interesting because no such “condiment” was included in the Information Blocking Rule with respect to Actors (i.e., Providers, Health IT Developers & HIE/HINs). In fact, ONC’s preamble discussion suggested that mandating such a requirement as a condition to the release of EHI could potentially be information blocking. Notably, however, payers are excluded from compliance with the ONC Information Blocking Rule. Nevertheless, if CMS adopts this standard in a final rule, it should arguably be permissible for Actors to also require such an attestation from APIs requesting health data from EMRs. Equal condiments for all, I say!

  2. Provider Access APIs

With regard to Providers, CMS is proposing to require payers to build and maintain Provider Access APIs for payer-to-provider data sharing of claims and encounter data, USCDI data, and pending and active prior authorization decisions, for both individual patient requests and groups of patients.

  3. Documentation and Prior Authorization

With regard to authorizations, CMS noted the following:

“While prior authorization has its benefits, patients, providers, and payers alike have experienced burden from it. And, it has been identified as a major source of provider burnout. Providers expend staff resources to identify prior authorization requirements and navigate the submission and approval processes, resources that could otherwise be directed to clinical care and processes that vary across payers. Patients may unnecessarily pay out-of-pocket or abandon treatment altogether when prior authorization is delayed. In an attempt to alleviate some of the administrative burden of prior authorization and to improve the patient experience, we are proposing a number of policies to help make the prior authorization process more efficient and transparent.”

To address these challenges, CMS is proposing that payers build and maintain a number of technical solutions for capturing, tracking and sharing the prior authorizations of patients. For example, CMS is proposing that payers build and maintain a FHIR-enabled API that could be integrated with a provider’s EMR. There are other technical requirements proposed in the rule which, if adopted, all together should offer a very beneficial tool for tracking such authorizations. This proposed change should definitely get a lot of “thumbs-up” tomato ratings.

  4. Payer-to-Payer Data Exchange on FHIR

In its prior Interoperability and Patient Access Final Rule, CMS required that, at a patient’s request, CMS-regulated payers must exchange certain PHI. In the proposed rule, CMS is introducing several new requirements to use FHIR-based standards to increase the sharing of data between payers and to improve patients’ access to their own PHI.

  5. Adoption of Health IT Standards and Implementation Specifications

Finally, HHS “on behalf of” ONC is proposing to adopt the APIs – Standards and Implementation Specifications as standards and implementation specifications for health care operations. These are being proposed as implementation specifications for adoption by HHS as part of a nationwide health information technology infrastructure. I will peel back the onion on this one in future posts.

In addition to the foregoing, HHS is requesting information on a number of topics, including:

  • Methods for Enabling Patients and Providers to Control Sharing of Health Information
  • Electronic Exchange of Behavioral Health Information
  • Reducing Burden and Improving Electronic Information Exchange of Documentation and Prior Authorization
  • Reducing the Use of Fax Machines for Health Care Data Exchange
  • Accelerating the Adoption of Standards Related to Social Risk Data

Comments on the CMS Proposed Rule can be submitted here through January 4, 2021.


OCR Proposed Rule to Modify HIPAA

Last Thursday, December 10th, the Office for Civil Rights (OCR) at HHS also announced its proposed rule to modify the HIPAA Privacy Rule. The proposed changes aim to support individuals’ “engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.” The proposed changes include strengthening individuals’ rights to access their own health information; improving information sharing for care coordination and case management; facilitating greater family/caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests. Here is a bullet list of the proposed changes to the HIPAA Privacy Rule:

  • Add definitions for the terms electronic health record and personal health application;
  • Modify individuals’ right of access to PHI by:
    • strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI;
    • shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension);
    • clarifying the form and format required for responding to individuals’ requests for their PHI;
    • requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy;
    • reducing the identity verification burden on individuals exercising their access rights;
    • creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR;
    • requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access;
    • limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR;
    • specifying when ePHI must be provided to the individual at no charge;
    • amending the permissible fee structure for responding to requests to direct records to a third party; and
    • requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.
  • Creating an exception to the “minimum necessary” standard for individual level care coordination and case management uses and disclosures;
  • Clarifying the scope of covered entities’ abilities to disclose PHI to social services agencies, community-based organizations, home and community based service (HCBS) providers, and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals;
  • Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual;
  • Expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety;
  • Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP);
  • Modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights; and
  • Expressly permitting disclosures to Telecommunications Relay Services (TRS) communications assistants for persons who are deaf, hard of hearing, or deafblind, or who have a speech disability, and modifying the definition of business associate to exclude TRS providers.

Comments on the OCR Proposed Rule can be submitted here up to 60 days after the publication of the OCR Proposed Rule in the Federal Register.

There are a lot of layers to these proposed rules, which we’ll take up on “smaller bites” in coming posts.  For now, this summary has made me hungry — so off to lunch I go!
