Privacy & Data Security

As efforts at the federal and individual state levels evolve every day at an almost breakneck pace to address challenges and needs related to the COVID-19 outbreak, here is an updated running list of some of the top actions taken at the federal level that we thought would be helpful to the healthcare industry (caveat: this is not an exhaustive list): …
On May 1, modifications to the Medicare Conditions of Participation (“CoPs”) went into effect, requiring certain electronic event notifications for admissions, discharges and transfers (“ADTs”) to and from hospitals, critical access hospitals and psychiatric hospitals. To provide guidance to hospitals and state surveyors, CMS released several FAQs as well as interpretive guidance last week to be published in the State Operations Manual. Hospitals are required to make a “reasonable effort” to ensure that notifications are sent to post-acute care services providers and suppliers, and other practitioners and entities, which need such notifications for treatment, care coordination or quality improvement. Under…
Under the Information Blocking Rule (IBR), a health information network (HIN) or health information exchange (HIE) type actor is one that “determines,” “controls,” or has the “discretion to administer” access, exchange or use of EHI between two or more unaffiliated entities. ONC has said that a separate entity is not necessary to trigger the IBR HIN/HIE definition of an Actor. Additionally, ONC has specifically pointed out that a health care system, for example, could wear two IBR actor hats: (1) as a health care provider, and (2) as a HIN/HIE.…
Well folks, the Information Blocking Rule (IBR) April 5th compliance deadline is behind us at this point.  However, I know that many of you are continuing to work through your top IBR challenges and questions one at a time.  At this point, I have worked through many thorny IBR issues with numerous health care providers and health information exchanges (HIE), so I thought it might be interesting for me to share what is the main topic that I see Actors are focused on. And the winner is …..…
The deadline for compliance with the Information Blocking Rule is just 12 days away!  I am certain that all the Actors are working feverishly and diligently to come into compliance with these new requirements by this fast-approaching date.  On the bright side, I suppose that we can all be relieved that ONC did not stick with its original deadline date of November 2, 2020.  However, even with the extra time Actors may still be scrambling to get all of their ducks in a row by April 5, 2021. So, what are the actual consequences if everything is not “buttoned-up” in time?…
On and after April 5, 2021, any actor’s agreements, arrangements, or contracts are subject to and may implicate the Information Blocking Rule. The Communications Condition of Certification (CCOC) requirements must be revised to remove or void the contractual provision that contravenes the CCOC requirements whenever the contract is next modified for any reason. A Business Associate Agreement should generally not prohibit or limit the access, exchange, or use of the EHI for treatment.…
When an Actor wants to potentially deny access of EHI to a person who is suspected of some type of abuse of the individual (the “Abuser”) whose EHI is being sought, the natural inclination is to want to look to the Information Blocking (IB) Rule’s Preventing Harm Exception to justify such denial.  However, the IB Rule’s Privacy Exception offers additional options and, in certain ways, more flexibility for the Actor to deny a suspected Abuser’s request for EHI.  …
Over the last few weeks, I have come across a number of health care provider organizations that are under the incorrect assumption or belief that their EMR vendor is “taking care of” all that needs to be done in order for the provider to comply with Information Blocking. This is false. There are operational decisions and other process issues that must be addressed and can only be implemented by the Actor. Every health care provider that meets the definition of an “Actor” should be taking active steps towards getting their organization positioned to comply with Information Blocking by April…
How can an Actor/covered entity provider comply with both the Information Blocking Rule & HIPAA when access to EHI/PHI needs to be denied based on harm that arises from corrupted data? Delay access to EHI/PHI instead of denying access completely. Have a licensed health care professional confirm the denial of access due to data issues. Adopt a standing policy “signed off” by a licensed health care professional permitting denials of access in pre-identified scenarios involving data issues. The Information Blocking (IB) Rule is intended to work in sync with HIPAA, including the “right of access” granted to patients with regard…
I believe that the “Preventing Harm Exception” under the Information Blocking Rule is the most challenging exception to decipher and apply. This is particularly so because some of the standards do not precisely track HIPAA, and yet other standards appear to be inconsistent in how they are applied. In this post, I will attempt to distill the Preventing Harm Exception down to its basic elements, as well as point out issues to be aware of as Actors work to implement these new requirements into their compliance processes. The Preventing Harm Exception can be found at 45 C.F.R. §171.201. Under…
Written by Catriona Coffey. The new year has much in store for electronic health information exchange compliance!  Today’s post provides an overview of anticipated changes to the health information regulatory landscape in 2021, including increased interoperability efforts and telehealth expansion due to the coronavirus pandemic. It is not surprising that many of the topics discussed below are a direct result of the interoperability requirements created by the 21st Century Cures Act (“Cures Act”) enacted in December 2016. Information Blocking Section 4004 of the Cures Act prohibits “information blocking,” or any practice by a health IT developer of…
Season’s Greetings to all of our readers!  First, we want to wish you and yours a holiday season filled with health, happiness and hope!  We also want to thank you all for continuing to make Legal HIE such a popular and highly visited blog!  It puts a smile on our face seeing so many of you enjoying our posts and returning to our site often! As stockings are being hung by chimneys with care, we want to make sure you know that Legal HIE’s stockings are absolutely stuffed to the brim with tremendous tools, sample forms, policies and turn-key solutions…
Last Friday, the Office for Civil Rights (OCR) issued new Guidance on how HIPAA permits covered entities and their business associates to use health information exchanges (HIEs) to disclose PHI for the public health activities of a Public Health Authority (PHA).  Specifically, it provides examples relevant to the COVID-19 public health emergency. OCR Director, Roger Severino, specifically notes that the Guidance was issued: “to highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public’s health, particularly during the COVID-19 public health emergency.” Although much of the Guidance document simply reiterates the controlling…
Late last week, two new proposed rules were released which will affect the exchange of health information and HIPAA, among other things.  The CMS and OCR proposed rules come in at over 347 and 357 pages respectively – so that’s a lot of meat to digest!  At a high level, the CMS Proposed Rule aims to “improve the electronic exchange of health care data among payers, providers, and patients,” and “streamline processes related to prior authorization to reduce burden on providers and patients.” The OCR proposed changes to HIPAA take a bite out of patient access, minimum necessary, the HIPAA…
On Monday, ONC posted a new Information Blocking Frequently Asked Questions resource!  Here are a few of the highlights from all of the FAQs responded to by ONC: Q:  Are health plans or other payers subject to the information blocking regulation? Q: For the period of time when Information Blocking is limited to USCDI data, how is an Actor expected to fulfill a request for USCDI data if they do not yet have certified health IT in place that includes an API with the USCDI standard? Q: Is an Actor required to fulfill a request for access, exchange or use of EHI with all…