New HHS Guidance on Laboratory COVID-19 Data Reporting Recognizes Valuable Role of HIEs
Late last week, HHS published new Guidance that specifies what additional data must be reported by laboratories along with COVID-19 test results. Reporting of certain data elements by laboratories are legally required, while reporting of other identifiable demographic data is encouraged but not mandatory. The Guidance notes that state and local privacy standards apply to the collection of identifiable demographic data. Importantly, HHS expressly supports health information exchanges (HIEs) being leveraged to facilitate required data collection and reporting.
Bill Aimed at Regulating COVID-19 Notification Apps Introduced in the Senate
The...
5 Reasons Why Your Training is Not Preventing HIPAA Violations by Employees
A State Court of Appeals recently reinstated a patient’s claim that an Indiana hospital is vicariously liable for the actions of its employee who shared the patient’s confidential information with an unauthorized third party. Although the lower court originally dismissed the case, the appellate court found that there is a “genuine issue of fact” and remanded the case for further proceedings. Now a potential monetary settlement teeters on the edge as the hospital’s potential liability for this employee’s HIPAA non-compliance rests in the hands of further proceedings in the lower court – so, you might want to ask why did this happen in the first place?
* HIPAA Training that is too basic and not focused on specific risk areas and organizational policies is not only non-compliant, but also largely ineffective.
* HIPAA covered entities should have clear policies and training that address specific employee behaviors that are “high risk” for HIPAA violations.
* Organizations must make sure they are training EVERYONE, and implementing effective Security Reminders.
“To Block, or Not to Block,” that is the question…
Deciding whether “to block, or not to block” health information based on an exception laid out in ONC’s Final Rule can quickly turn into a Shakespearean tragedy unless Actors understand in advance the specific criteria that must be met in order to satisfy any such applicable exception.
Changes on the Horizon for Part 2 Confidentiality Regulations
As part of its comprehensive COVID-19 response, Congress quietly passed through changes to the federal drug and alcohol confidentiality framework known as “Part 2” under the CARES Act, enacted on March 27. One of the more underreported components of the CARES Act, the changes do not completely overhaul the Part 2 regulations, however, they relax several restrictions that health care providers have struggled with, particularly in the electronic exchange and electronic health records (“EHR”) context (the “CARES Act Changes”).
Will ONC’s Final Rule put HIEs between a “Block and a Hard Place”?
Under the ONC’s Final Rule on Information Blocking, Health Care Providers, HIEs and HINs will be legally prohibited from interfering with the access, exchange, or use of EHI unless an exception applies. However, HIEs/HINs that are HIPAA Business Associates are not allowed to use or further disclose PHI other than as permitted or required by their HIPAA BAAs with respective health care providers. So, what happens if a Health Care Provider and its HIPAA Business Associate HIE/HIN disagree on whether an exception allows EHI to be withheld from access, exchange or use under a certain set of specific facts?
Don’t Make the Mistake of Over-Reporting Data Breaches Under HIPAA
Evaluating incidents that affect protected health information (PHI) to determine whether they must be reported under HIPAA’s Breach Notification Rule is a delicate balancing act. On the one hand, a HIPAA covered entity will want to avoid reporting an incident to the Secretary of HHS if it is not required to do so under the standards set forth in HIPAA’s Breach Notification Rule. On the other hand, a HIPAA covered entity that fails to report a HIPAA Breach risks being exposed to penalties from OCR for each day such Breach was not reported when it should have been. A recent Becker’s Health IT article brought attention to a Notice posted by Ann & Robert H. Lurie Children’s Hospital of Chicago
CMS Continues COVID-19 Assistance for the Promoting Interoperability and Quality Payment Programs
As hospitals and providers continue to struggle in response to the COVID-19 pandemic, CMS has announced several efforts to provide assistance under the Promoting Interoperability Programs and Quality Payment Program.
For the Quality Payment Program, CMS had previously extended the deadline for MIPS eligible clinicians to submit data and reopened the application period for MIPS eligible clinicians to file for a hardship exception for the 2019 payment year. Additionally, CMS announced that any individual MIPS eligible clinician who did not submit data or which submitted data for only one performance category for the 2019 payment year by April 30 will automatically receive a neutral payment instead of a negative payment adjustment (this “extreme and uncontrollable circumstances” policy is not available to groups/virtual groups). If a MIPS eligible clinician is able to submit data, CMS noted that the data submission would override the automatic “extreme and uncontrollable circumstances” policy and the clinician could be eligible for negative, neutral or positive payment adjustments based on the data submission.
Are Lawsuits for Violations of HIPAA’s Deidentification Standards About to Take Off – and What Can You Do About It?
A recent opinion article published in STAT News explored whether potential litigation is looming surrounding the de-identified data exception in HIPAA. The authors of the article point out that “large volumes of data underpin the development of any AI effort,” which is why companies…
A “Double-Double” Set of Proposed Rules from CMS & OCR Affecting Data Sharing & HIPAA
Late last week, two new proposed rules were released which will affect the exchange of health information and HIPAA, among other things. The CMS and OCR proposed rules come in at over 347 and 357 pages respectively – so that’s a lot of meat to digest! At a high level, the CMS Proposed Rule aims to “improve the electronic exchange of health care data among payers, providers, and patients,” and “streamline processes related to prior authorization to reduce burden on providers and patients.” The OCR proposed changes to HIPAA take a bite out of patient access, minimum necessary, the HIPAA NPP and more . . .
ONC Releases Answers to Frequently Asked Questions to Information Blocking
On Monday, ONC posted a new Information Blocking Frequently Asked Questions resource! Here are a few of the highlights from all of the FAQs responded to by ONC:
Q: Are health plans or other payers subject to the information blocking regulation?
Q: For the period of time when Information Blocking is limited to USCDI data, how is an Actor expected to fulfill a request for USCDI data if they do not yet have certified health IT in place that includes an API with the USCDI standard?
Q: Is an Actor required to fulfill a request for access, exchange or use of EHI with all the EHI they have for a patient or should the amount of EHI be based on the details of the request?
Halloween Treat! HHS Delays Information Blocking Compliance Deadline to April 5, 2021!
Interim Final Rule with Comment Period Responds to COVID-19 Pandemic. Responding to public health threats posed by the coronavirus pandemic, today the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) released an interim final rule with comment period that extends the compliance dates and timeframes necessary to meet certain requirements related to information blocking and Conditions and Maintenance of Certification (CoC/MoC) requirements.
Who is on the “Hook” for Information Blocking?
ONC’s final rule on Information Blocking implements the 21st Century Cures Act and fleshes out what is and is not a prohibited information blocking practice. However, not all health care organizations and their vendors are on the hook for complying with this new regulation. In my post today, I want to drill down on the scope of health care providers that must comply with the Information Blocking Rule.
Per ONC, Lab Results Generally Cannot be Delayed to “Prevent Harm” (unless threat to life & physical safety)
As the November 2nd deadline for compliance with ONC’s Information Blocking Rule nears, many health care providers – which are “Actors” subject to the Rule – are scrambling to reexamine their default settings for sharing various types of data, including lab results. In ONC’s Final Rule preamble, several commenters indicated that providers’ current organizational policies call for practices that delay the release of laboratory results so that the patient’s clinician has an opportunity to review the results before potentially needing to respond to patient questions, or has an opportunity to communicate the results to the patient in a way that builds the clinician-patient relationship.
Info Blocking Rules have you STRESSED?!! Join Helen O. for Two Not-to-Miss Workshops for Help!
Join me for a pair of 1.5hr Information Blocking Workshops designed to work thorough the nitty-gritty details of the Information Blocking Rule. The first Workshop will take place WEDNESDAY (9/30) so don’t delay! Workshops will include use cases and scenarios aimed at real challenges faced by health care providers looking to comply with these new regulatory standards for access and sharing of electronic health information. Registrants will receive 2 sample P&Ps, and much more!
Subscribe & Survive the onslaught of new healthcare regulations requiring updates to affected compliance programs.
Get access to exclusive subscription-only access to resources, tools, industry analysis and other valuable solutions.