Written by Catriona Coffey.
The new year has much in store for electronic health information exchange compliance! Today’s post provides an overview of anticipated changes to the health information regulatory landscape in 2021, including increased interoperability efforts and telehealth expansion due to the coronavirus pandemic. It is not surprising that many of the topics discussed below are a direct result of the interoperability requirements created by the 21st Century Cures Act (“Cures Act”) enacted in December 2016.
Section 4004 of the Cures Act prohibits “information blocking,” or any practice by a health IT developer of certified health IT, health information network, health information exchange, or healthcare provider that is likely to interfere with access, exchange, or use of electronic health information (EHI). As was announced on a previous blog post, the Information Blocking compliance deadline has been moved to April 5, 2021—a deadline that is rapidly approaching. Thus, entities subject to information blocking prohibitions (referred to as “actors”) will need to work quickly to ensure that their practices either (1) do not block information (except as required by law) or (2) comply with one of the eight exceptions provided by HHS.
ONC’s Final Information Blocking Rule provides eight exceptions where access, exchange, or use of EHI may legally be restricted or denied as part of a reasonable and necessary activity. These exceptions address both how actors may fulfill requests and situations where actors may choose not to fulfill a request at all. Notably, failure to meet the requirements of an exception will not automatically constitute information blocking. Rather, information blocking will only be found in situations where:
- the Actor is regulated by the information blocking provision;
- EHI is involved;
- the Actor’s practice is likely to interfere with access, exchange, or use of EHI;
- the Actor possesses the requisite level of intent;
- failure to fulfill the request is not required by law; and
- failure to fulfill the request is not covered by an exception.
Actors should be aware that information blocking complaints will be assessed on a case-by-case basis, taking into account the specific facts and any potential intent on the part of the Actor. Actors who are determined to have blocked information may be subject to appropriate disincentives, civil monetary penalties, and/or certification bans (for developers of certified health IT).
In an effort to assist regulated parties in achieving compliance ahead of its deadline, ONC has released a variety of guidance information, including fact sheets, blog posts, and frequently asked questions.
CMS Interoperability Implementation
In March 2020, CMS published its Final Rule on Interoperability and Patient Access in accordance with the 21st Century Cures Act. Among other requirements, the Final Rule created a new condition of participation (CoP) for acute care hospitals, psychiatric hospitals, and critical access hospitals, requiring these entities to incorporate encounter notifications into their electronic medical records systems. Encounter notifications must comply with state and federal law and may not be inconsistent with the patient’s expressed privacy preferences. Thus, at a minimum, these hospitals must permit an individual to request that the hospital restrict use or disclosure of his or her PHI in accordance with the HIPAA Privacy Rule (see 45 CFR 164.522(a)(1)).
Encounter notifications are required upon emergency department registration or inpatient care admission, as well as when the patient is discharged or transferred to another facility. Notifications should be sent to all applicable post-acute care providers to support the patient’s further treatment and care coordination, as well as for quality improvement purposes. In addition to post-acute care providers, notification should be sent to the patient’s established primary care practitioner, established primary care practice group or entity, or other provider identified by the patient as primarily responsible for the patient’s care.
Hospital compliance with the encounter notification CoP was extended due to the coronavirus pandemic—hospitals now have until May 1, 2021 to comply with the encounter notification provision.
In addition to the encounter notification CoP, entities involved in federal-funded health programs must comply with mandatory application programming interface (API) standards that seek to automate patients’ access to their information. While some of these standards were created by the Final Rule on Interoperability and Patient Access discussed above (fact sheet), readers should anticipate ongoing changes in this area. CMS has already published an additional Proposed Rule for Reducing Provider and Patient Burden by Improving Prior Authorization Processes and Promoting Patients’ Electronic Access to Health Information (fact sheet). The comment period for this additional Proposed Rule closed on January 4, 2021, and a final rule may be promulgated within the year.
Notice of Proposed Rulemaking
This year will also likely bring changes to the HIPAA Privacy Rule as OCR seeks to harmonize HIPAA with information blocking and other interoperability requirements. HHS informed the public of its intent to issue a Notice of Proposed Rulemaking (NPRM) through a December 2020 press release; however, the final NPRM has yet to be officially published in the Federal Register. Public comments will be due 60 days from the date of official publication.
OCR’s proposed rule seeks to expand patient access rights, improve coordinated care and interoperability, and reduce administrative burden. Potential changes include adjustments to the permitted disclosures to prevent harm, an exception to the existing “minimum necessary” standard, and permitted disclosures to facilitate care with social and community services. In addition, a number of proposed changes relating to patient access seek to empower patients to control the sharing of PHI in their electronic health record, shorten request fulfillment deadlines to 15 days, and clarify the request process (including increased fee transparency). Interested readers should look for the official NPRM publication and public comment deadline, likely towards the end of the first quarter of 2021.
HIPAA and COVID-19
OCR has also been heavily involved in the medical community’s response COVID-19, as a variety of unique privacy concerns have been raised by the pandemic. While OCR has provided guidance on a variety of topics, including the use or disclosure of health information for public health purposes, the agency’s most substantial action has been its formal use of enforcement discretion. OCR issued its first notification of enforcement discretion on March 17, 2020, when it announced that it would waive any potential penalties for HIPAA violations that may result from the good faith provision of telehealth services. OCR’s enforcement discretion still requires providers to utilize only non-public facing remote communication products and to implement reasonable safeguards to prevent or limit incidental uses or disclosures of protected health information (PHI).
In addition to aiding in the expansion of telehealth services, OCR has provided notifications of enforcement discretion to support covered entities in participating in the operation of Community-Based Testing Sites and to allow uses and disclosures of PHI by business associates for public health and health oversight purposes. Readers should be aware that OCR will terminate its formal use of enforcement discretion when the PHE has ended, a date that will hopefully come sooner rather than later. In anticipation of this, covered entities should begin preparing to adjust any more “lenient” practices they might have adopted pursuant to OCR’s enforcement discretion to realign with HIPAA’s true standards.
42 CFR Part 2 – Confidentiality and Substance Use Disorder Treatment
In the 1970s, Congress enacted federal confidentiality legislation in order to encourage individuals with substance use disorders (SUD) to get treatment (see 42 U.S.C. § 290dd-2). That law was implemented through rules found at 42 C.F.R. Part 2, and together with the enabling statute, these restrictive requirements have been place for decades relatively untouched—until recently. SAMHSA enacted two NEW RULES amending 42 CFR Part 2 (“Part 2”). Initial amendments went into effect on March 21, 2017 (the “2017 Final Rule”), at which time SAMHSA also invited comments to additional proposed amendments to Part 2. SAMHSA’s second 2018 Final Rule was released in January 2018, and its provisions became effective February 2, 2018 except for new requirements for obtaining a “general treatment” consent which had an effective date of February 2, 2020. Still not enough, the following year in August of 2019 SAMHSA released yet another Proposed Rule to modify additional sections of Part 2 in order to increase coordinated care, reduce provider burden, and improve substance use disorder treatment (the “2019 Proposed Rule”). However, a final rule was never issued before Congress took somewhat unexpected action to amend the federal statute governing SUD facilities and programs through the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which became law on March 27, 2020.
The CARES Act fundamentally changes the consent process for Part 2 records and information and aligns downstream uses and disclosures of SUD information with HIPAA after an initial consent is obtained. Therefore, SUD programs and facilities and others who handle Part 2 records and information (e.g., health IT vendors; health care providers etc.) must be poised to develop and implement NEW appropriate policies, procedures and practices to comply with anticipated changes and an anticipated new rule(s) implementing the CARES Act in the near future.
Notably, HHS has just announced a revision to federal buprenorphine prescribing guidelines. Formerly, additional training and education were required to obtain a special federal waiver, called an “X-waiver,” allowing providers to prescribe buprenorphine for medication-assisted SUD treatment. The new guidelines eliminate the requirements for additional training and allow physicians to utilize the X-waiver without formal pre-approval from the federal government. As a result, many more physicians will be able to provide medication-assisted SUD treatment utilizing buprenorphine, creating the potential for an influx of new SUD providers. These new providers should be aware of their potential obligations under 42 CFR Part 2, including chart segregation requirements, and they should be prepared to adjust in accordance with any future CARES Act implementation efforts.
As many of our readers are aware, the coronavirus pandemic brought about a substantial increase in the use of telemedicine during 2020, as the public was encouraged to stay home to prevent virus transmission. The expansion of telemedicine services was made possible by waivers at both the federal and state levels. Policy changes have included increased flexibility regarding HIPAA compliant communication platforms, expanded service reimbursement, licensure waivers, and adjustments to specific practice requirements, such as controlled substance prescribing.
State level policy changes vary widely. In many places, though not all, telehealth waivers are expected to remain in place for the remainder of the public health emergency (PHE). With increased access to vaccination, this may mean telehealth waivers are terminated at some point in 2021. As always, it is advisable to reference the specific laws of the state in which telehealth is provided. Many state requirements are encompassed in governors’ executive orders or professional boards’ licensure waivers, available through the websites of state governors or administrative agencies (e.g., Departments of Health or Consumer Affairs). For example, in New Jersey, Governor Phil Murphy has authorized state agencies to promote telehealth payment parity, waive site of service requirements, allow alternative technologies to be used for telehealth purposes, and provide temporary licensure to retired and foreign-licensed healthcare providers.
At the federal level, CMS has published its Physician Fee Schedule for 2021, indicating that federal health programs will continue to reimburse eligible (Category 3) services provided via telehealth through the end of the calendar year in which the PHE ends. As of now, this means that reimbursement will be provided at least through the end of 2021. However, since practice requirements for providing telehealth services are not governed by CMS, these policy changes (e.g., telehealth only for existing patients) will be in place only through the end of the PHE.
Health Information Exchange
The Trusted Exchange Framework and Common Agreement (TEFCA) was created by the 21 Century Cures Act to ensure nationwide interoperability of health information among a variety of stakeholders, including health information networks (HINs), healthcare providers, health plans, and public health entities. In 2019, the Sequoia Project was selected as the recognized coordinating entity (RCE) for the TEFCA initiative to engage stakeholders and develop a framework for the program. ONC is presently providing the Sequoia Project with a second year of funding to continue its progress from August 2020 to August 2021.
In October 2020, the TEFCA published a fact sheet containing its value proposition statement for HINs. In addition, the TEFCA continues to work on a variety of other priorities, including developing a participatory governance structure, creating transparent and efficient onboarding processes for Qualified Health Information Networks (QHINs), and, in conjunction with ONC, publishing a draft Common Agreement and a draft QHIN Technical Framework for public comment. Since the TEFCA could impose substantial contractual and other requirements on QHINs, interested readers should watch for any proposed agreements the TEFCA or ONC may publish this year. Readers can keep abreast of the TEFCA’s progress through the Sequoia Project’s monthly informational call archive.
* * * *
Legal HIE is thrilled to have Catriona Coffey prepare today’s blog post! Catriona is a third year law student at Seton Hall University School of law. She expects to graduate this May 2021. Catriona serves as a Senior Editor for the Seton Hall Law Review (vol. 51), and previously served as its Associate Editor (vol. 50). She received the Seton Hall Law Excellence in Civil Procedure Award, as well as several scholarships. You can learn more about Catriona on her Linked In profile here.