Two new rules enacted in 2020 affect healthcare providers, insurers, and other healthcare industry constituents by preventing information blocking, enabling patient access using smartphones, promoting interoperability, and through other provisions. This introduction outlines what you need to know about the new requirements to begin working toward compliance.
Since the enactment of the Health Insurance Portability and Accountability Act (HIPAA) in 1996, hospitals, medical centers and other healthcare providers have learned to understand the regulations, apply them to their organizations, maintain and prove their compliance, and remain up-to-date with changes and additions to the law.
The primary objective of HIPAA was to enable healthcare records to accompany patients as they changed health insurance plans and doctors throughout the course of their lives. This objective led, logically, to the creation of digital or electronic health records, which have made that portability much easier and more seamless over time.
Even today, however, the healthcare industry struggles with the twists and turns of HIPAA, its Privacy and Security Rules, and new rules enacted to clarify or reinforce existing rules. It’s complicated, sometimes redundant, and very difficult to navigate, especially for smaller healthcare practices.
Among many other provisions aimed at protecting individuals’ healthcare records, the HIPAA Privacy Rule also gave patients the right to inspect, review and receive a copy of their medical records and billing records held by health insurers and healthcare providers.
Patients have a right to access both paper and electronic medical records, with the two notable exceptions of psychotherapy notes and any information collected for use in a civil or criminal proceeding. The rule enables modest fees to be charged for reproducing paper records. Generally, electronic records have been provided at no charge.
Despite having a legal right to do so, some patients have experienced problems in accessing their records.
The HIPAA Privacy Rule allows healthcare providers and insurers up to 30 days to supply patients with the requested records.
Since compliance with the Privacy Rule became effective in 2004, some patients have experienced difficulty in accessing their medical records. Some providers have denied access or extended the length of their response far beyond the 30-day window. This form of non-compliance is known as information blocking.
According to the Office for Civil Rights (OCR), an agency of the U.S. Department of Health and Human Services (HHS), patients' problems in obtaining access to their own records are the third most common consumer complaint received by the OCR.
Consider just two examples of hundreds of information blocking incidents. In 2015, the Connecticut State Attorney General investigated information sharing practices at Epic Systems after they were accused of using electronic health records (EHRs) to control patient referrals and send patients back to their networks. As a result, in a state law that took effect on October 1, 2015, Connecticut became the first state to make information blocking illegal.
In 2019, HHS levied its first fine for information blocking when a patient complained that her Florida hospital took nine months to fulfill her request for her child’s prenatal records. Bayfront Health St. Petersburg was required to pay a fine of $85,000 to the Office for Civil Rights and submit to monitoring by the OCR for one year. In 2020, OCR settled numerous other investigations on the right of access, to support individuals' right to timely access to their health records, and levied fines of tens of thousands of dollars on each healthcare entity involved.
Information blocking incidents and information sharing problems have not gone unnoticed by Health and Human Services. This is why, in February of 2019, two agencies of HHS proposed two new rules aimed at ensuring smoother interoperability among insurers, healthcare providers, and electronic health records systems, and eliminating information blocking to ensure patient access. The rules were enacted in 2020 and the first is already in effect.
Issued by the Office of the National Coordinator for Health Information Technology (ONC), the program rule on Interoperability, Information Blocking, and ONC Health IT Certification implements the 21st Century Cures Act passed in 2016. It is known officially as the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program; in this post we’ll refer to it as the ONC Rule.
Together, the new rules reinforce current requirements for interoperability and patient access and take them a step further by requiring public and private healthcare entities to share health information with patients and other parties electronically, or digitally, while keeping that data private and secure, as required by the HIPAA Privacy and Security Rules.
The new rules require the healthcare industry to adopt standardized application programming interfaces (APIs), which are fundamental to smartphone applications, to help individuals easily access their electronic health information using their smartphones.
As of September of 2019, there were more than 260 million smartphone users in the U.S. At the same time, Millennials became the largest generation in America. More so than Baby Boomers, Millennials are tethered to their smartphones and mobile applications, as generations following them are expected to be.
The widespread use of smartphones and other highly portable digital devices, by patients as well as by doctors and nurses, has given rise to trends in telehealth, virtual appointments, and remote care services. During the COVID pandemic, healthcare providers have had to rapidly expand these services in order to continue to provide medical care.
In this digital realm where the smartphone is king, it is vital that healthcare providers adopt the use of APIs that can support electronic health information sharing securely and privately. While APIs have spurred innovation in many industries, the healthcare industry has lagged behind, according to an article in the HIPAA Journal.
The new HHS rules mandate the development of APIs in healthcare to advance the objectives of interoperability and patient access, stating that the use of APIs will:
Most members of the healthcare industry need to be aware of the implementation dates for the new rules, as the timeframe is fairly short. This includes hospitals, medical centers, healthcare practices and other healthcare providers, health information exchanges, health information networks, EHR systems, health insurers, and developers of certified health information technology. The impact is industry-wide.
The ONC Rule took effect on June 30, 2020.
The CMS Rule takes effect on January 1, 2021.
Following are some other important elements of the ONC Rule as outlined by the HHS press release announcing the final rules. It is not an inclusive list.
Following are some other important elements of the CMS Rule noted in the HHS press release, although not an inclusive list.
The new rules from the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS) were enacted primarily to further promote interoperability among healthcare providers, insurers, and other stakeholders; prevent information blocking; and enable patient access to electronic health information by smartphone. There are other provisions as well, and exceptions to the rules, of course.
The new rules are known as the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program and the CMS Interoperability and Patient Access rule, respectively. The ONC Rule took effect on June 30, 2020, and the CMS Rule will become effective on January 1, 2021. Timeframes for initial compliance are short.
If you are affected by either rule, but aren’t sure what actions to take, the 24By7Security team can help you better understand, effectively navigate, and successfully implement the required actions. Our analysts and auditors are highly experienced in healthcare regulations and can help you achieve compliance. With the clock already ticking, the time to act is now.