Legal HIE has Relaunched with a NEW Membership Subscription Option!

by | Apr 25, 2020 | Tools & Resources

Welcome (or, to some, “welcome back”) to Legal HIE — we are thrilled that you are here!  What started off informally as a wildly popular blog almost 10 years ago is now back (and still free) — but BETTER!

Legal HIE readers now have a new option to subscribe to an annual Membership and gain access to a trove of additional checklists, tools, sample forms, sample policies, whitepapers, PowerPoints, and other organized content for all things related to the electronic exchange of health information. Member-Only content touches on everything from health information exchange, to HIPAA, 42 C.F.R. Part 2, Data Breaches, Telehealth/Telemedicine, GDPR, Research, Healthcare Apps, TCPA, Meaningful Use, and the 21st Century Cures Act and its Information Blocking Rules. This wealth of invaluable resources is developed and refined by our authors, Helen and Krystyna, who have been lending their deep insight and experience on these topics to the healthcare industry for over two decades. A more detailed list of content available to Legal HIE Members is provided at the end of this blog post.

Legal HIE Members will also gain access to hot-off-the-presses new content being developed to tackle recent changes to laws affecting electronic exchange of health information. A little over a month ago, the ONC CURES Final Rule and CMS CURES Final Rule implementing the 21st Century CURES Act and prohibiting “Information Blocking” were publicly released. Health Care Providers, Health Information Networks (HINs), Health Information Exchanges (HIEs), as well as Health IT Developers of Certified Health IT are all considered “Actors” subject to the Information Blocking Rules. HOT OFF THE PRESSES! On Wednesday, April 22nd, ONC announced its Enforcement Discretion related to the ONC Cures Act Final Rule, which has been scheduled for publication in the Federal Register on May 1, 2020. In short, all compliance deadlines and time frames REMAIN THE SAME (with a November 1, 2020 deadline for complying with certain prohibited information-blocking practices), except that ONC will not begin enforcement of these new requirements for 3 months after such set dates. ONC has posted a chart of compliance deadlines related to the ONC CURES Final Rule on its website. Even with an extra 3 months, the best time for such organizations to get their compliance house in order for these new requirements is NOW!

Legal HIE Member-Only content will be updated regularly, and new content added periodically. This aims to provide a regular stream of helpful turn-key solutions for Members to use as a springboard to begin making necessary changes to their compliance programs, HIPAA policies and other documentation to address regulatory and legislative changes, such as the ones brought about by the Information Blocking Rules. Don’t know if your HIPAA compliance program is up to snuff? Legal HIE also offers subscriptions to our HIPAA Helpers for Health Care Providers and Business Associates. Not only will HIPAA Helper subscribers gain access to an excellent starter-stack of one-of-a-kind HIPAA tools, sample forms and sample policies, they will also receive all updates to such documents made to reflect recent and future changes to HIPAA for up to one year (the duration of the subscription).

Not ready to become a subscribing member? Not to worry. Legal HIE blog posts are still FREE!  Sign up to our mailing list and stay informed about cutting-edge developments and our Authors’ perspicacious insights into all things related to the electronic exchange of health information!   Enjoy!

Legal HIE Member-Only Content Categories:

HIE & HIN/HIO

Broadly speaking, electronic health information exchange (HIE) includes any technological mechanism (e.g., EHRs, Direct Secure Messaging, Interfaces routing of ADTs, CCDAs, Telemedicine etc.) which allows health care providers, patients and other authorized individuals to access and securely share patients’ medical information electronically for permitted purposes, such as treatment. Health information networks (HINs) and health information organizations (HIOs) are vendors and facilitators of electronic HIE. They are also HIPAA Business Associates and must be HIPAA-compliant. Many states have enacted HIE-specific and HIN/HIO-specific legislation. At the federal level, organizations looking to participate in the federal eHealth Exchange need to be aligned with federal privacy, security and technological standards required by the DURSA. Finally, when any health IT is used to facilitate exchange of health information, these and many other HIE-specific considerations need to be taken into account.

Legal HIE Members gain access to all Checklists & Tools; Sample Forms & Policies; PowerPoints; Whitepapers; and Quick Access Links relevant to HIE & HIN/HIO. SUBSCRIBE NOW!

HIPAA Privacy & Security

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into law on August 21, 1996. The Final HIPAA Privacy Rule required Covered Entity Health Care Providers and Health Plans (“small” plans had an extra year) to be in full compliance by April 14, 2003. The Final HIPAA Security Rule required full compliance by April 20, 2005. On January 25, 2013, the Health Information Technology for Economic and Clinical Health (HITECH) Act required amendments to the HIPAA Privacy and Security Rules, which were implemented by HHS through the Final Omnibus Rule with a compliance deadline of September 23, 2013. Over the years, OCR has ramped up HIPAA enforcement and, as of April 2020, entered into over 75 Settlement Agreements and collected over $199 Million due to HIPAA violations. Now, NEW changes to HIPAA are on the horizon. In December of 2018, HHS published a Request for Information as part of its “Regulatory Sprint to Coordinated Care” initiative. Input was sought on how HIPAA can be revised further to: encourage information-sharing for treatment and care coordination; facilitate involvement in care; address the opioid crisis and serious mental illness; address the accounting of disclosures (AOD) required by the HITECH Act, but never implemented; and change requirements pertaining to obtaining Acknowledgment of HIPAA NPP. The Comment Period closed on February 12, 2019, and a new proposed rule is expected sometime in the near future.

Legal HIE Members gain access to all Checklists & Tools; Sample Forms & Policies; PowerPoints; Whitepapers; and Quick Access Links relevant to HIPAA Privacy & Security. SUBSCRIBE NOW!

Cures Act & Information Blocking Rules

The 21st Century Cures Act (CURES) was signed into law on December 13, 2016. On March 9, 2020, the ONC and CMS released their Final Rules addressing the Information Blocking provisions of the CURES Act. The Effective Date of the Final Rules is 60 Days after publication in the Federal Register, with the first deadline for compliance coming at 6 months after publication. All Health Care Providers, Health Information Networks (HINs), Health Information Exchanges (HIEs), as well as Health IT Developers of Certified Health IT are all defined as “Actors” which are required to comply and must develop and implement NEW appropriate policies, procedures and practices to comply with these new rules.

Legal HIE Members gain access to all Checklists & Tools; Sample Forms & Policies; PowerPoints; Whitepapers; and Quick Access Links relevant to the CURES Act & Information-Blocking Rules. SUBSCRIBE NOW!

Data Breaches

The HITECH Act amended HIPAA to introduce a new requirement that Individuals and HHS be notified of Breaches of Protected Health Information (PHI). An Interim Final Rule for Breach Notification went into effect on September 23, 2009. The Final Rule for Breach Notification went into effect March 26, 2013 (the “HITECH Breach Rule”). In addition, all 50 states have enacted legislation requiring private and public entities to notify individuals of security breaches of their personally identifiable information (PII) (“State Breach Laws”). HIPAA Covered Entities and Business Associates must comply with both the HITECH Breach Rule and their applicable State Breach Laws. Entities not subject to HIPAA are still required to comply with their applicable State Breach Law. Finally, Vendors of Personal Health Records (PHRs) and their third-party service providers are required to comply with breach notification provisions implemented and enforced by the FTC, which were adopted pursuant to §13407 of the HITECH Act.

Legal HIE Members gain access to all Checklists & Tools; Sample Forms & Policies; PowerPoints; Whitepapers; and Quick Access Links relevant to Data Breaches. SUBSCRIBE NOW!

42 CFR Part 2

In the 1970s, Congress enacted the legislation in order to encourage individuals with substance abuse disorders (SUD) to get treatment (see 42 U.S.C. § 290dd-2). That law was implemented through rules found at 42 C.F.R. Part 2, and together with the enabling statute these restrictive requirements have been in place for decades relatively untouched – until recently. SAMHSA enacted two NEW RULES amending 42 CFR Part 2 (“Part 2”). Initial amendments went into effect on March 21, 2017 (the “2017 Final Rule”), at which time SAMHSA also invited comments to additional proposed amendments to Part 2. SAMHSA’s second 2018 Final Rule was released in January 2018, and its provisions became effective February 2, 2018, except for new requirements for obtaining a “general treatment” consent, which had an effective date of February 2, 2020. Still not enough, the following year in August of 2019 SAMHSA released yet another Proposed Rule to modify additional sections of Part 2 in order to: increase coordinated care, reduce provider burden, and improve substance use disorder treatment (the “2019 Proposed Rule”). However, a final rule was never issued before Congress took somewhat unexpected action to amend the federal statute governing SUD facilities and programs through the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which became law on March 27, 2020. The CARES Act fundamentally changes the consent process for Part 2 records and information, and aligns downstream uses and disclosures of SUD information with HIPAA after an initial consent is obtained. Therefore, SUD programs and facilities and others who handle Part 2 records and information must begin to be poised to develop and implement NEW appropriate policies, procedures and practices to comply with anticipated changes and an anticipated new rule implementing the CARES Act in the near future.

Legal HIE Members gain access to all Checklists & Tools; Sample Forms & Policies; PowerPoints; Whitepapers; and Quick Access Links relevant to 42 CFR Part 2. SUBSCRIBE NOW!

Telehealth, Telemedicine & Tele-Mental Health

The challenges that arise from use of Telehealth, Telemedicine and, more recently, Tele-Mental Health flow from a variety of federal and state standards governing licensing, reimbursement, regulation of medical devices, and security, among other compliance issues. With regard to state licensing of practitioners, most states require physicians to be licensed to practice in the originating site’s state, and some states require the providers using telehealth technology across state lines to have a valid state license in the state where the patient is located. However, the Interstate Medical Licensure Compact between states is working to streamline the multistate-licensing process for physicians. For reimbursement, the CMS Physician Fee Schedule is used as a basis for Medicare coverage for Telehealth services; however, states vary as to their Medicaid reimbursement for such services. And, while private payors typically trend towards aligning commercial reimbursement to Medicare, variation exists. Next, the FDA regulates medical devices which may be used to engage in Telehealth or Telemedicine, and so this agency’s standards must be complied with in those instances. Finally, other compliance issues, such as HIPAA privacy and security, also must be considered with any Telehealth, Telemedicine and Tele-Mental Health activities.

COMING SOON! Legal HIE Members will gain access to Telehealth, Telemedicine & Tele-Mental Health Checklists & Tools; Sample Forms & Policies; PowerPoints; Whitepapers; and Quick Access Links. SUBSCRIBE NOW!

Research

Health care providers who conduct research are subject to multiple regulations governing their conduct of research, institutional review boards (IRBs), informed consent and authorizations, and use and disclosure of study subject information.  Health care providers must navigate not only HIPAA’s requirements for use and disclosure of protected health information in the research context, but also the Food and Drug Administration (FDA) rules and regulations, the Department of Health and Human Services (HHS) “Common Rule” and other applicable federal and state laws. In addition, health care providers must negotiate and comply with clinical trial/study agreements entered into with study sponsors. 

COMING SOON! Legal HIE Members will gain access to Research Checklists & Tools; Sample Forms & Policies; PowerPoints; Whitepapers; and Quick Access Links. SUBSCRIBE NOW!

Certified Health IT

Meaningful Use continues to remain “meaningful” as the Promoting Interoperability and Quality Payment Programs.  Use of Certified EHR Technology (CEHRT) remains a requirement for eligible clinicians, critical access hospitals and hospitals in 2020 and subsequent years in order to earn positive payment adjustments (and avoid negative payment adjustments).  Eligible clinicians and hospitals are also still required to submit Prevention of Information Blocking Attestations, in addition to complying with other interoperability and prevention of information-blocking obligations under the 21st Century Cures Act Final Rules published this year. The Promoting Interoperability and Quality Payment Programs continue to evolve, making it critical for eligible clinicians and hospitals to stay on top of applicable program changes and guidance.

COMING SOON! Legal HIE Members will gain access to Certified Health IT Checklists & Tools; Sample Forms & Policies; PowerPoints; Whitepapers; and Quick Access Links. SUBSCRIBE NOW!


If you are not a subscriber to our backend Legal HIE compliance library, download our Table of Contents here to check out all of the tools, checklists, whitepapers, and sample policies we make available to our members to help their organizations comply with Information Blocking, HIPAA, 42 CFR Part 2, Data Breaches and more. Ready to subscribe now? Click here to review our subscription options.