Yesterday, all at once, OCR announced that it has entered into five new Resolution Agreements — each of them stemming from one or more violations of HIPAA’s right of access afforded to individuals. There are several interesting observations about these new cases that are worth taking note of.
CMS & ONC have promulgated their Final Rules to implement the 21st Century Cures Act. A main goal is to accelerate the access, exchange and use of electronic health information (EHI). One way this is being accomplished is to require certain entities and actors to provide Application Programming Interfaces (APIs) that use a new standard for data access and exchange called Fast Healthcare Interoperability Resources (aka “FHIR”). These new standards for adopting FHIR for information exchange is expected to exponentially accelerate individuals ability to access and share EHI through mobile apps, as well as allow any third-party adopting such FHIR standards to obtain access to such EHI. Especially for HIPAA Privacy Officers, Security Officers, Compliance Officers and attorneys who have for years focused on ensuring that their organizations do not make the mistake of releasing protected health information to a third-party in violation of federal or state privacy and security laws, I feel your pain on FHIR!
Becker’s Hospital Review reported that 70% of CIOs are “concerned” about meeting the upcoming November 2nd deadline for complying with the Final Rules prohibiting information blocking practices. This is according to a survey conducted by CHIME, which included responses from executives at academic medical centers, critical access hospitals, multi-hospital systems and specialty hospitals. Although the survey did not appear to identify specifically what concerns CIOs about complying with information blocking rules by this fall, one possibility is fully understanding how ONC’s information blocking rules will apply to releasing patients’ EHI to third-party apps.
Join the NJ Chapter of HIMSS and Helen Oscislawski for this Webinar to get a lean and focused overview of what you need to do to comply with ONC’s and CMS’s final rules implementing the 21st Century Cures Act. On April 24, 2020, the OIG also released its Proposed Rule on CMPs to be imposed against Actors who engage in prohibited “Information Blocking.” These new rules turn on their heads certain HIPAA policies and procedures.
Deciding whether “to block, or not to block” health information based on an exception laid out in ONC’s Final Rule can quickly turn into a Shakespearean tragedy unless Actors understand in advance the specific criteria that must be met in order to satisfy any such applicable exception.
Under the ONC’s Final Rule on Information Blocking, Health Care Providers, HIEs and HINs will be legally prohibited from interfering with the access, exchange, or use of EHI unless an exception applies. However, HIEs/HINs that are HIPAA Business Associates are not allowed to use or further disclose PHI other than as permitted or required by their HIPAA BAAs with respective health care providers. So, what happens if a Health Care Provider and its HIPAA Business Associate HIE/HIN disagree on whether an exception allows EHI to be withheld from access, exchange or use under a certain set of specific facts?
On Friday, April 24th, the Office of Inspector General (OIG) of HHS published a Proposed Rule to amend the civil monetary penalties (CMP) rules to incorporate new authorities for investigating and assessing monetary penalties for Information Blocking violations.
Today, ONC announced that it will exercise its discretion in enforcing all new requirements under its Cures Act Final Rule which have compliance dates and time frames until 3 months after each such date identified in the Final Rule. The ONC Final Rule is scheduled to be published on May 1, 2020 in the Federal Register. The ONC has developed an “Enforcement Discretion Dates and Time frames” chart which indicates that the Part 170 Information Blocking provisions will have a compliance Enforcement Discretion Date of February 1, 2021.