The information blocking provisions of the 21st Century Cures Act officially went into effect this week, putting into focus the Department of Health and Human Services’ regulatory and compliance effort around HIPAA-required data sharing between applicable healthcare entities.
Through the 21st Century Cures Act, enacted in 2017 and implemented by a final rule in 2020, Congress defined information blocking and established penalties for providers that engage in practices that interfere with the access, exchange, and use of electronic health information.
The long-awaited info blocking provision established rules and penalties for non-compliance. The law carves out exclusions for providers if they meet an exception established by the HHS Secretary, or for other applicable reasons.
Starting April 5, relevant covered entities and business associates must comply. The Office for the National Coordinator recently released insights on just what the law’s enactment means for those relevant providers, as well as the areas HHS will focus on in the next 18 months.
For now, a smaller subset of electronic health data is in scope.
“Specifically, the electronic health information that cannot be blocked is limited to the data elements represented in the US Core Data for Interoperability,” ONC officials explained. “This initial 18-month period and limited scope gives the regulated community time to grow more experienced with the information blocking regulation, including when and how to meet an exception, before the full scope of the regulation’s EHI definition comes into effect.”
“Of course, those who are able to share more EHI than is represented by the USCDI need not wait to begin doing so,” they added. “Similarly, as a way to prepare for October 2022, we strongly encourage the regulated community to make all EHI available as if the scope of EHI were not currently limited.”
As the US surpasses its one-year milestone of the COVID-19 national emergency and subsequent Department of Health and Human Services’ HIPAA liability waivers, it’s the ideal time for providers to assess the health of their privacy governance and compliance programs.
Information Blocking Provisions
To Sean Sullivan, a senior associate attorney with the Health Care Group of Alston & Bird, the industry should consider this period as breathing room: the enforcement arm of the rule hasn’t been fully enacted and the HHS liability waivers put into place for COVID-19 remain intact—for now.
The info blocking provisions signal a sea change for the industry, he explained. Providers had the last year to prepare for these drastic changes, and now ONC has stressed it will be focusing on this compliance area moving forward.
While the rules won’t immediately change things, they do provide new rights to access data between providers and other covered entities through authorized requests. Sullivan stressed that they overlay HIPAA’s information sharing requirements, which merely suggested providers may share data with other covered entities.
The new provisions make data sharing a requirement, or those efforts could be considered info blocking and a direct violation of the provisions.
The timeline for data sharing has also changed from the previous 30-day requirement to “on a timely basis and without necessary delay.” There’s no strict deadline, rather an expectation that the data be immediately available, he explained.
The idea is to allow other healthcare providers to use their EHR or the platform of the connected covered entity to download the needed information.
“The expectation is that now data should be instantaneously available as long as it’s electronic,” Sullivan said. “And a lot of providers who miss those new timeframes are going to continue to fall back on that 30-day timeline. It’s a mistake.”
Instead, providers need to review their policies and procedures for all electronic data within their possession and determine whether the tech in place is capable of adhering to the provisions. They will also need to assess how to provide electronic data on a timely basis, via the EHR or even a patient portal.
“Frankly, the government has been struggling with [data sharing and info blocking] for some time,” Sullivan said. “But the financial services industry figured it out years ago.”
Sullivan also mused that providers, insurers, and specialists are operating within similar environments, but still the data sharing process has remained stagnant—with the healthcare industry, as a whole, reluctant to change.
Previous arguments have stressed the sensitive nature of the data, while others have pointed to a lack of resources to invest in needed tech. There’s also an anti-competitive factor, where some providers worry that their patients may shop around at a competitor’s care site.
Meanwhile, EHRs can make it extremely difficult to talk with other platforms. Sullivan stressed that this spotlights the need for better standards around EHRs and health IT, in general.
But no matter the reason, ONC has made it clear that the time to stop hindering data sharing is now.
If HHS’ HIPAA Right of Access Initiative is any indication of what providers can expect for info blocking compliance, the need to review compliance concerns is now. In recent years, enforcement actions for failing to comply with the HIPAA right of access standard have been frequent and violations have often been costly, no matter the size of an entity.
Since the initiative’s launch in 2019, HHS has settled with 18 providers of varying sizes for failing to comply with the privacy provision. So, although HHS has yet to equip its enforcement arm to regulate these info blocking changes, the agency has stressed the importance of these rules.
Compliance Concerns for COVID-19 Waivers
Adding to compliance concerns is the host of HHS waivers for telehealth, remote work, and business associates introduced in 2020 in response to COVID-19, which are set to end once the national emergency is lifted.
Those enforcement discretions included allowing business associates to share data prior to notifying the covered entity, leniency for community care sites, and even allowing providers to use technologies for telehealth and remote care that typically fall outside of HIPAA.
For example, many providers suddenly implemented telehealth programs, but may not have established the needed enterprise policies to reduce privacy and security risks. Others are leveraging these technologies without a robust infrastructure in place to prevent a number of risks.
“For many providers, I don’t think privacy has been top of mind for the technologies implemented during the response,” said Sullivan. “A lot of healthcare provider clients, basically, had the assumption that we should provide the treatment no matter what, and the government will [understand].”
“But it wasn’t meant to be a free for all,” he continued. “In the beginning, all of the waivers and flexibility came out, but there were specific rules on how to do it. There was definitely a lot of confusion about how far the waivers went for providers and telehealth companies in particular.”
For Sullivan, the real question remains of just how much of these waivers and policies will remain in place after the national emergency ends.
As such, providers who’ve rapidly stood up telehealth programs, new workplace operations, and other policies and procedures implemented in response to the pandemic, should use this time wisely to methodically review how each operates and the type of policies and procedures in place.
The end goal is to ensure that when the national emergency ends, barring any Congressional action, providers should be able to flip the switch and go back into compliance mode of action—before it’s too late, Sullivan stressed.
“There have been rumblings that regulators have already let the toothpaste out of the tube,” he said. “But the statutes that set parameters around remote healthcare remain in place and haven’t changed.”
Administrators should look at any discovered security or compliance gaps and determine what needs to be drafted in terms of policies to address those issues now, but also for when the emergency ends.
These measures should include drafting policies for telehealth programs and tech rapidly deployed amid the COVID-19 response. Administrators should consider whether the right security measures have been implemented for these platforms, and if not, they should assess what infrastructure is needed from a privacy and security perspective to protect patients.
Business associate agreements should also be reviewed for all applicable vendors and products.
Covered entities should leverage free resources, such as ONC’s security risk assessment, COVID-19 privacy and security guides, and NIST to reduce threats to privacy, security, and compliance.