With all of the chaos and stress from the COVID-19 pandemic, HIPAA covered entities (CEs) might be forgiven if they haven’t given much thought to implementing the provisions of an information blocking rule that went into effect this spring, after several delays.
So now may be a good opportunity to review the basic concepts in the rule, as well as to become familiar with exceptions that the rule provides for privacy and security, which CEs may need, or want, to invoke. Published Nov. 4 —which may seem like ages ago—the interim final rule went into effect April 5, but some provisions have compliance dates further into the future.
Building a foundation for implementing the regulation begins with understanding definitions in the rule, what might trigger a violation and the eight exceptions that may apply, according to Jaime James, senior health information management consultant for legislative policy and compliance for the Midwest Medical Records Association Inc.
In terms of ensuring compliance, James’ “best advice” is to “start from the beginning” and acknowledge “this is going to be a continual journey.”
Putting Patients ‘at the Center’
Officials will also need to be familiar with FAQs and all other resources issued by the Office of the National Coordinator for Health Information Technology (ONC), which published the rule with the HHS Office for Civil Rights (OCR). Ultimately, OCR is also expected to issue guidance but to date has not done so.
As James explained during a recent conference sponsored by the Health Care Compliance Association, publisher of RPP, the purpose of the rule is to “implement certain provisions of the 2016 Cures Act that will enhance interoperability and support the access, exchange and use of electronic health information, or EHI.” The information blocking rule applies only to electronically held information.
HHS and ONC “make it really clear that the patient is at the center of the Cures Act,” James pointed out. “HHS wants patients in the driver’s seat, and that starts with putting patients in charge of their own health records.”
She added that the intent of the final rule is to “provide patients with ease of access to their health records, through the use of smart phones and modern software apps and applications, similar to what we’re used to using in other industries.”
In addition to giving patients “convenient access,” the government hopes to “create an environment where there’s no special effort by providers to provide this information, really reducing the burden on providers,” according to James.
But the goal of easy access doesn’t mean sacrificing privacy protections. “The final rule continues to protect patient privacy and security. It’s absolutely critical and important, and it does so by using authentication tools again, similar to what we see in other industries,” James said.
Additionally, the final rule “also protects patient privacy and security by allowing patients to authorize the applications they want to use…patients will choose those third-party applications.”
Moreover, “the final rule also promotes the ability to shop for care and manage costs,” she said. “It’s doing that through the sharing of increased data and more transparency of the data…this will ultimately provide patients with more information to expand their choice of payers and providers,” said James.
The rule also gives patients the ability to “choose research studies that they want to participate in,” she added.