Eye on Health Information Exchange, Data Privacy and Alignment of Federal Standards – Information Blocking, HIPAA Updates and Part 2 Flexibility
As we struggle to emerge from the effects of the pandemic, several key federal agencies have implemented substantive changes affecting privacy standards, patient consent requirements and the use of electronic health records in health information exchange. Although many of the changes have been deferred and enforcement has been lenient given the continued struggles of health care industry, the pandemic emergency was extended to April 14, 2022 and other priorities will likely be placed on the forefront this coming year. This informational memo will begin the process of informing you on the following changes:
Office of the National Coordinator for Health Information Technology:
- Providers must allow patients access to their electronic health information in real time.
- Failure to implement a system for patients to review their medical records could count as information blocking.
Substance Abuse and Mental Health Services Administration (SAMHSA)
The Department of Health and Human Services Office of Civil Rights
Regulatory changes are constantly impacting the healthcare industry making it difficult for health care providers to track, but also understand and properly interpret, in order to remain in compliance with the regulations. We hope to assist you in making sense of these changes through information presented by the firm’s Health Care and Long Term Care practices.
The Office of National Coordinator for Health Information Implements Information Blocking Standards
Effective April 5, 2021, the Office of National Coordinator for Health Information Technology (ONC) implemented a new rule which pertains to information blocking. Per the Cures Act, information blocking is defined as a practice that is likely to interfere with, prevent or materially discourage access, exchange or use of electronic health information. This new rule applies to physicians, health care providers, health IT developers of certified health IT, HIEs and HINs.
What this means for the healthcare field is that providers are now required to allow patients to access their electronic health information (EHI) in real time, without them having to go through the procedure of requesting records or test results, with a delay for the patient in gaining access to their information. In essence, providers must be able to provide patients near-instant access to their EHI when they want it, and how they want it. The Cures Act does not require a provider to take any proactive measures to provide electronic health information to their patients who have not requested it. However, if a patient does request their electronic health information, the provider must have a system in place to be able to readily provide that information in a timely manner – failure to do so may implicate the information blocking provisions. While the Act does not directly specify how providers should provide their patients access, it is suggested and seemingly preferred that providers implement electronic portals or apps.
SAMHSA Changes under the CARES Act
The CARES Act has brought about several updates to the privacy policies surrounding substance use disorder records. Federal law on substance abuse information (42 CFR Part 2) covers any information—whether recorded or not—relating to a patient that identifies an individual directly or indirectly, as having a current or past drug or alcohol problem, or as a participant in a substance use disorder treatment program. A Substance Abuse Treatment Program is defined as any program that receives federal financial assistance (directly from the federal government or indirectly from state or city agencies) that holds itself out as providing alcohol or drug diagnosis prevention, treatment or referral for treatment. The CARES Act amends the authorizing statute for regulations codified at 42 CFR Part 2, also known as the Public Health Services Act. The objective is to expand the ability of healthcare providers to share the records of substance use disorder patients while preserving appropriate confidentiality in this sensitive area. The CARES Act also tightens the requirements in the event of a breach of confidentiality and mandates alignment of 42 CFR Part 2 and HIPAA.
In order to address the pressing need to protect patient substance use information, the Part 2 regulations amended under the CARES Act now: mandate general consent for disclosure of substance use disorder treatment records; allow the disclosure of covered records for treatment, payment and health care operations to designated recipients including Part 2 programs, HIPAA covered entities and business associates, so long as such subsequent disclosure is done in accordance with HIPAA; permit the disclosure of de-identified SUD records to public health authorities; prohibit the use of substance use records in civil, criminal, legislative or administrative proceedings other than by court order or patient consent; adopt HIPAA fines and penalties in place of old Part 2 criminal enforcement mechanisms; provide updated obligations to comply with HIPAA breach notification practices; and offer new protections against discrimination based on intentional or inadvertent disclosure of SUD records.
Significantly, SAMHSA is required to issue new regulations to implement the CARES Act changes, and these new rules will be effective sometime after March 27, 2022. The Amendments to the Public Health Services Act will not take effect until the Secretary of Health and Human Services consults with other federal agencies, including SAMHSA, to implement and enforce the amendments.
HIPAA Aligns Itself with Care Coordination
Another rule that will be important to monitor is the HIPAA Privacy Rule. The HIPAA Privacy Rule regulates medical information deemed protected health information (PHI) maintained by Covered Entities and sets forth the circumstances under which PHI can be disclosed. HIPAA has been largely unchanged for the last 10 years. In a regulatory sprint to coordinated care, the Office of Civil Rights issued a Notice of Proposed Rulemaking to modify the HIPAA Privacy Rule to support individuals’ engagement in their health care, remove barriers to coordinated care and decrease regulatory burdens on the health care industry, while continuing to protect individuals’ health information privacy interests. On Dec. 10, 2020, a proposed rulemaking was issued that would expand the individual’s rights to access protected health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosure in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA-covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.
Eye on 2022
Our team will be providing individual assessments of the above areas over the course of 2022. Each area will require substantive changes or development of new policies in health care operations. Please keep an eye out for further educational materials to be posted in this regard.