
New HHS Rule for better patient data access

New Rule for Interoperability, Information Blocking, and the ONC Health IT Certification Program

The US Department of Health and Human Services (HHS) has proposed a new rule focusing on a patient’s ability to access all of their electronic health information at no cost. The new rule supports seamless and secure access, exchange and use of electronic health information (EHI). According to the Office of the National Coordinator for Health IT (ONC), “The proposed rule is designed to increase innovation and competition by giving patients and their healthcare providers secure access to health information and new tools, allowing for more choice in care and treatment. It calls on the healthcare industry to adopt standardized application programming interfaces (APIs), which will help allow individuals to securely and easily access structured EHI using smartphone applications.”

Patients' right of access - HIPAA provision

For years now, the US Department of Health and Human Services has emphasized the importance of patients’ right of access to their own health data. The Director of the Office for Civil Rights (OCR), the enforcement arm of HHS, has previously highlighted the need for patients to be empowered to take control of their own health information. Patients have a right to access their own health information, and honoring that right is an important part of HIPAA compliance: security is one part of the picture, and patients’ right of access is another.

Proposed changes by CMS

The Centers for Medicare & Medicaid Services (CMS) is also proposing changes to increase the seamless flow of health information. According to an HHS press release, for the first time CMS is proposing requirements that Medicaid, the Children’s Health Insurance Program, Medicare Advantage plans and Qualified Health Plans in the Federally-facilitated Exchanges must provide enrollees with immediate electronic access to medical claims and other health information by 2020. CMS would also require these health care providers and plans to implement open data sharing technologies.

Information Blocking

With this new rule, if a patient asks for access to their electronic health record and it is not given to them electronically and at no cost, that will be considered “information blocking”. This new rule implements the information blocking provisions in Title IV of the 21st Century Cures Act (Cures Act), which allow for civil penalties against, or an investigation into, providers or systems that interfere with or prevent the access, exchange or use of electronic health information. As with any rule, there are exceptions here as well. ONC has listed seven exceptions to the information blocking rule. For instance, the information blocking provisions may not apply if certain practices are carried out to prevent patient harm, to improve the security of the health information, or if the request imposes a substantial burden.

The CMS rule also proposes to publicly report providers or hospitals that participate in “information blocking,” practices that unreasonably limit the availability, disclosure, and use of electronic health information and undermine efforts to improve interoperability. Making this information publicly available may incentivize providers and clinicians to refrain from such practices.

Interoperability Standards and Security

The rule also proposes modifications to ONC Health IT certification requirements. Healthcare systems and vendors seeking certification would be required, among other criteria, to use standardized Health Level 7 (HL7®) Fast Healthcare Interoperability Resources (FHIR®) standards and several implementation specifications.

This rule could have far-reaching implications by requiring standardization in interoperability. APIs need to be both secure and standardized, and all healthcare providers and systems would need to adapt to using these APIs. This could mean a significant transformation in the availability of healthcare data to patients. Today, if a patient visits multiple healthcare providers, there is no guarantee of whether or how that patient could retrieve all their healthcare records from the different providers. Some records may be on paper, and in most cases different providers use different Electronic Health Record systems (EHRs). We hope that with the implementation of the changes in this rule, patients will be able to combine data from multiple providers and view everything (test results, appointment records, imaging results, prescriptions, and more) in one single location or app. From a security and compliance point of view, these new requirements, including the FHIR-based APIs and the information blocking provisions, may need to be included in an organization’s or healthcare provider’s overall security risk analysis and attestations.


Rema Deo

As CEO and Managing Director of 24By7Security, Inc., Rema is a highly experienced and credentialed information security professional. Among her certifications are PCI Qualified Security Assessor (QSA) from PCI SSC, Health Care Information Security & Privacy Practitioner (HCISPP) from (ISC)2, Certified Information Security Manager (CISM), and Certified Information Security Auditor (CISA) from ISACA. She also holds a certificate in Cybersecurity: Technology, Application, and Policy from the Massachusetts Institute of Technology, and Certified Data Privacy Practitioner (CDPP) from Network Intelligence. She earned her MBA from Symbiosis Institute of Business Management in Pune, India, and her Bachelor of Commerce degree from the University of Bombay. Be sure to follow the 24By7Security Blog for valuable insights from Rema and her colleagues.
