Is Your Organization Ready to Send Patient Information to Apps by November?

Jun 19, 2020 | Health IT, Information Blocking, Privacy & Consent, Security & Cybersecurity

  • Information Blocking compliance for Actors remains November 2, 2020.
  • The 8 Exceptions to Information Blocking are dense, and all conditions must be met for them to apply.
  • Actors should begin to digest the rule piece-by-piece and continue to look to resources to help implement its requirements as needed by the applicable deadlines.

Subscribe HERE to Legal HIE’s Compliance Library to gain access to sample policies, documents & tools for compliance with the Info Blocking Rule.

Earlier this week, Becker’s Hospital Review reported that 70% of CIOs and digital health executives are “concerned” about meeting the upcoming November 2nd deadline for complying with the Final Rules prohibiting information blocking practices. This is according to a survey conducted by CHIME, which included responses from executives at academic medical centers, critical access hospitals, multi-hospital systems and specialty hospitals. Although the CHIME survey did not appear to identify specifically what concerns CIOs about complying with the information blocking rules by this fall, one possibility is fully understanding how ONC’s rule and certification criteria will apply to releasing patients’ electronic health information (EHI) to third-party apps.

The ONC Final Rule mirrors the definition of “information blocking” found in the 21st Century Cures Act, which prohibits any practice that is “likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” If a health care provider engages in such information blocking, the provider must know that such practice is unreasonable; and, when a health IT developer, HIN or HIE engages in information blocking, such Actor must either know or should know that the practice is unreasonable. Although the EHI that could be requested to be sent to a third-party application is initially limited to United States Core Data for Interoperability (USCDI), this still can include things like laboratory tests and values/results, medication lists, and clinical notes. So, one “million-dollar question” might be (at least for health IT developers of certified Health IT and HIEs/HINs): does USCDI EHI have to be transmitted to third-party apps when such a request is initiated by the patient after the November compliance deadline?

Under Section 164.524(c)(2) of the HIPAA Privacy Rule, a covered entity health care provider must provide a patient with access to the protected health information (PHI) he/she has requested in the form and format requested by the individual, if it is readily producible in such form and format. In response to questions about mobile apps, HHS has said the following:

Q: Does an individual have a right under HIPAA to access his PHI in a particular technical standard?

A: In some circumstances, an individual may request access to an electronic copy of his PHI in a particular technical standard – for example, a copy of the individual’s medication data represented in RxNorm or a lab test represented in LOINC. An individual may request PHI in a particular standard in order to use that information in other software the individual is using. If the covered entity is able to readily produce the PHI in the requested standard format, the covered entity must do so (unless the entity has a ground for denial as specified in the Privacy Rule at 45 CFR 164.524(a)). (We note that individuals, in exercising their rights of access under the Privacy Rule, are not required to state their purpose for requesting access, regardless of whether or not a particular form or format for the request is specified, and an individual’s rationale for requesting access is not a reason to deny access.)

Q: Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?

A: No. The HIPAA Privacy Rule generally prohibits a covered entity from refusing to disclose ePHI to a third-party app designated by the individual if the ePHI is readily producible in the form and format used by the app. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). The HIPAA Rules do not impose any restrictions on how an individual or the individual’s designee, such as an app, may use the health information that has been disclosed pursuant to the individual’s right of access. For instance, a covered entity is not permitted to deny an individual’s right of access to their ePHI where the individual directs the information to a third-party app because the app will share the individual’s ePHI for research or because the app does not encrypt the individual’s data when at rest. In addition, as discussed in a separate FAQ, the HIPAA Rules do not apply to entities that do not meet the definition of a HIPAA covered entity or business associate.

Therefore, it is already the case under HIPAA that if it is readily feasible to transmit EHI to an app designated by a patient, then the request must be complied with. You can review additional guidance and views from HHS about patient access rights, mobile apps and APIs here.

Moving next to the Information Blocking Rule, by now the “8 Exceptions” to what would otherwise be prohibited information blocking are likely becoming more familiar. Taking the Security Exception as an example, an Actor may choose not to fulfill a request for EHI if such blocking is determined to be “necessary to mitigate a security risk” to EHI and there is “no reasonable and appropriate alternatives to the practices to address the security risk” (45 CFR 171.203(e)). However, this is an overly simplified explanation of how this exception works. The Security Exception, as well as each of the other seven exceptions, contains detailed conditions which must all be met in order to ensure that a blocking practice falls squarely within the protection of such safe-harbor exception. This includes, among other things, an option of developing organization-wide policies reflecting how such exceptions will be implemented on a consistent and non-discriminatory basis. In light of this, the November deadline really does not offer much time for Actors to fully digest and ramp up their organization’s system-wide approach to information blocking. However, taking a default approach of simply not blocking any USCDI EHI from flowing to any third-party app, without giving adequate consideration to actual security or privacy concerns, is also risky.

A headline in a New York Times article late last year warned consumers “When Apps Get Your Medical Data, Your Privacy May Go With It.” It pointed out that groups like the American Medical Association and American Hospital Association have been arguing that consumer apps will be free to share or sell sensitive details like a patient’s prescription drug history because they are not subject to the HIPAA regulations and enforcement. Perhaps in response to such concerns being voiced, in its Preamble to the Final Rule on Information Blocking ONC specifically carved out that a practice of “educating patients about the privacy and security risks” posed by the consumer apps they choose should not – and would not – be viewed as “interference with” the access, exchange, or use of EHI. ONC even went one step further by suggesting that consumer apps that collect EHI should maintain a minimum set of privacy policies which:

1.  Are publicly accessible at all times, including updated versions;

2.  Are shared with all individuals that use the technology prior to the technology’s receipt of EHI from an Actor;

3.  Are written in plain language and in a manner calculated to inform the individual who uses the technology;

4.  Include a statement of whether and how the individual’s EHI may be accessed, exchanged, or used by any other person or other entity, including whether the individual’s EHI may be sold at any time (including in the future); and

5.  Include a requirement for express consent from the individual before the individual’s EHI is accessed, exchanged, or used, including receiving the individual’s express consent before the individual’s EHI is sold (other than disclosures required by law or disclosures necessary in connection with the sale of the application or a similar transaction).

Without the incentive of HIPAA enforcement to keep consumer app vendors “honest,” the Federal Trade Commission (FTC) has recently taken a particular interest in this developing area. In fact, the FTC’s upcoming PrivacyCon event on July 21, 2020 will specifically and, from the looks of it, entirely focus on the privacy of health data collected, stored, and transmitted by mobile apps. The FTC has also hinted that, with its new focus on mobile app privacy, it could be gearing up to be the enforcement agency for consumer apps collecting EHI, pointing out that “the FTC Act, of course, would likely apply to such apps and information.” For more information about PrivacyCon and the topics likely to be covered at that event next month, I encourage readers to take a peek at the FTC’s call-for-presentations for that event.

In sum, the Information Blocking rule and its exceptions are dense, and it will take time for organizations to digest and implement their approaches to this new compliance challenge. Although ONC announced a 3-month delay in its enforcement discretion with regard to the Certification criteria for Health IT developers, the same extension was not granted for the general information blocking provisions. As a result, and unless something changes, the best that Actor-organizations can do is begin to digest ONC’s Final Rule piece-by-piece and continue to look to resources to help implement its requirements as needed by the applicable deadlines.

___________________

If you are interested in being emailed directly about our upcoming 8-part Webinar series which will take a deep dive into each one of the 8 Exceptions to Information Blocking one-by-one, use our Contact Us portal to get on our notification list.


If you are not a subscriber to our backend Legal HIE compliance library, download our Table of Contents here to check out all of the tools, checklists, whitepapers, sample policies we make available to our members to help their organizations comply with Information Blocking, HIPAA, 42 CFR Part 2, Data Breaches and more. Ready to subscribe now? Click here to review our subscription options.
