When Does a Health Care Provider Wear an HIE/HIN Hat for Purposes of the Info Blocking Rule?
Under the Information Blocking Rule (IBR), a health information network (HIN) or health information exchange (HIE) type actor is one that “determines,” “controls,” or has the “discretion to administer” access, exchange or use of EHI between two or more unaffiliated entities. ONC has said that a separate entity is not necessary to trigger the IBR HIN/HIE definition of an Actor. Additionally, ONC has specifically pointed out that a health care system, for example, could wear two IBR actor hats: (1) as a health care provider, and (2) as a HIN/HIE.
What Information Must be Made Available on Patient Portals?
Well folks, the Information Blocking Rule (IBR) April 5th compliance deadline is behind us at this point. However, I know that many of you are continuing to work through your top IBR challenges and questions one at a time. At this point, I have worked through many thorny IBR issues with numerous health care providers and health information exchanges (HIE), so I thought it might be interesting for me to share what is the main topic that I see Actors are focused on. And the winner is …..
Information Blocking Compliance — So What Happens on April 5th?
The deadline for compliance with the Information Blocking Rule is just 12 days away! I am certain that all the Actors are working feverishly and diligently to come into compliance with these new requirements by this fast-approaching date. On the bright side, I suppose that we can all be relieved that ONC did not stick with its original deadline date of November 2, 2020. However, even with the extra time Actors may still be scrambling to get all of their ducks in a row by April 5, 2021. So, what are the actual consequences if everything is not “buttoned-up” in time?
NEW ONC FAQ: Prior Agreements or Contracts CAN Implicate Information Blocking as of April 5th!
On and after April 5, 2021, any actor’s agreements, arrangements, or contracts are subject to and may implicate the Information Blocking Rule. The Communications Condition of Certification (CCOC) requirements must be revised to remove or void the contractual provision that contravenes the CCOC requirements whenever the contract is next modified for any reason. A Business Associate Agreement should generally not prohibit or limit the access, exchange, or use of the EHI for treatment.
How to Use the Privacy Exception to Deny an Abuser Access to EHI
When an Actor wants to potentially deny access of EHI to a person who is suspected of some type of abuse of the individual (the “Abuser”) whose EHI is being sought, the natural inclination is want to look to the Information Blocking (IB) Rule’s Preventing Harm Exception to justify such denial. However, the IB Rule’s Privacy Exception offers additional options and, in certain ways, more flexibility for the Actor to deny a suspected Abuser’s request for EHI.
Checklist for Info Blocking Compliance
Over the last few weeks, I have come across a number of health care provider organizations that are under the incorrect assumption or belief that their EMR vendor is “taking care of” all that needs to be done in order for the provider to comply with Information Blocking. This is false. There are operational decisions and other process issues that must be addressed and can only be implemented by the Actor. Every health health care provider that meets the definition of an “Actor” should be taking active steps towards getting their organization positioned to comply with Information Blocking by April 5, 2021. Where should you start? I propose using a checklist as a simple starting point to begin “ticking off” your Information Blocking “to do” list . . .
Threading the HIPAA Needle through Information Blocking to Block Patient Access when Data is Corrupted
The Information Blocking (IB) Rule is intended to work in sync with HIPAA, including the “right of access” the Privacy Rule grants to patients with regard to access to their own protected health information (PHI). However, as I continue to analyze how to implement various standards that overlap between these two regulations, questions about how to thread the needle on seemingly conflicting standards continues to come up. Today, I take a closer look at the difference between HIPAA’s “right of access” as compared to the Preventing Harm Exception found in the IB Rule. Specifically, this post considers how a covered entity health care provider . . .
How the Preventing Harm Exception Changes HIPAA
the “Preventing Harm Exception” under the Information Blocking Rule is not only the most challenging exception to apply, but also the most difficult to interpret – particularly where some of the standards do not exactly track HIPAA, and still other imprecise language ONC used has made its interpretation uncertain. In this post, I will attempt to distill the Preventing Harm Exception down to its basic elements, as well as point out issues in its interpretation to be aware of.
Fifth Circuit Vacates $4.3M MD Anderson Penalty
The Court of Appeals for the Fifth Circuit vacated the $4.3M penalty imposed on M.D. Anderson as arbitrary, capricious and contrary to law.
ONC Says “Vetting” Mobile Apps is Information Blocking
ONC says actors that require third-party apps to be “vetted” by them for security reasons before allowing patients to use such apps to receive EHI via API technology certified to the Standardized API certification criterion is likely to be information blocking. However, my concern with relying solely on the security criteria required for API certification is that it is too low of a bar to adequately protect patients and other individuals from developers of apps that fail to keep promises to keep individuals’ information confidential.
ONC Publishes New FAQs on Information Blocking focused on the Privacy Exception.
The Office of National Coordinator says it receives a lot of questions regarding how the Information Blocking Rule is supposed to work in tandem with the HIPAA Privacy Rule and other federal and state laws governing privacy and confidentiality. Their new FAQs aim to help clarify when actors can choose to not respond to a request for access, exchange, or use of electronic health information.
ONC Vindicated. Patients Want Immediate Access to Test Results
JAMA published a study earlier this week finding more than 95% wanted immediate access to test results. However, when speaking to ONC, the study’s lead researcher specifically noted that although 95.3% of patients who received abnormal test results responded that they still would like to continue to receive immediately released results, this was associated with nearly twice the likelihood of worry compared to respondents who received normal results.
FTC Orders BetterHelp Health App to Pay $7.8M for Sending User Data to Facebook & Snapchat
The FTC issued a proposed order requiring BetterHelp to pay $7.8 million to consumers to settle charges that it shared consumers’ health data with Facebook, Pinterest, Snapchat, and Criteo after promising to keep such data private and claiming it is “certified” as “HIPAA compliant.” The real juice of this case is in the FTC compliant — and HIPAA-covered providers, facilities & organizations can learn a lot about what to watch out for with health data Apps as we continue to march towards the FHIR.
Not So Sunny News in Arizona – Major Health Care System Agrees to Pay $1.25 Million HIPAA Settlement for Cybersecurity Hacking Incident from 2016
The forecast for Arizona is thunderstorms, at least for at least one health care system. Last week, OCR announced a $1.25 settlement for HIPAA Security Rule violations brought to light by a cybersecurity hacking incident that took place over five years ago.
Mobile Health Apps and Vendors of Health Records Beware! – the FTC has just started Enforcing the Breach Notification Rule.
The chickens have come home to roost for GoodRx. The FTC has assessed a $1.5 Million penalty against the telehealth and prescription drug discount provider for failing to report unauthorized disclosures as required by the Health Breach Notification Rule.
Subscribe & Survive the onslaught of new healthcare regulations requiring updates to affected compliance programs.
Get access to exclusive subscription-only access to resources, tools, industry analysis and other valuable solutions.