Here are some compliance touchstones for regulations stemming from the 21st Century Cures Act.[1] It was developed by Kelly McLendon, senior vice president of compliance and regulatory affairs at CompliancePro Solutions. Contact him at kmclendon@complianceprosolutions.com.
|
Information Blocking - Interoperability and Patient Access Rules |
Implementation Date |
Applies to Organization Type |
Notes |
|---|---|---|---|
|
Patient or Patient Directed Request for USCDI Access or Copies of EHI (ePHI) |
4/5/21 |
Provider, Payer, HIN, HIE |
Update policies and procedures referencing information blocking (e.g., the use of exceptions) and requests for USCDI in electronic format, especially if an exception has to be invoked. Patient access, disclosures to patients and non-patient third parties, notice of privacy practices, incident management and complaints, to name a few, are impacted. Educate workforce members on new process, implement any new forms. Update your notice of privacy practices to include info blocking and interoperability information. Update documentation of your processes and data for each incident or complaint regarding info blocking, possibly for each disclosure. Must be able to create a USCDI report data and documents for each appropriately requested (via HL-7 FHIR) disclosure, IT/EHR vendor. |
|
Patient or Patient Directed Request for USCDI Access or Copies of the Full Designated Record Set (DRS) of EHI (ePHI), Beyond USCDI Data Elements/Documents Only |
10/6/22 |
Providers, Payer, HIN, HIE |
Must be able to allow access, use and exchange of all EHI in the patient's DRS (designated record set) upon request. |
|
Patient Access via APIs with Third-Party App to Entire Set of EHI Certification Requirement |
12/31/22 |
EHR Vendor/Certified IT Developer |
Although this is the last date for EHR certification, the vendors may well supply this functionality ahead of this schedule, check with your HER and other DRS vendors to understand their plans. |
|
EHR EHI Data Export Certification Required |
12/31/23 |
EHR Vendor/Certified IT Developer |
Although this is the last date for EHR certification, the vendors may well supply this functionality ahead of this schedule, check with your HER and other DRS vendors to understand their plans. |
|
Beginning of Penalties and Enforcement of Information Blocking/Interop for Providers and Payers |
? |
Providers, Payer, HIN, HIE |
New rules must be issued for provider and payer enforcement, right now the only penalties for them is “appropriate disincentives,” which could be anything. We are unsure when these rules may be published and/or when enforcement will begin. |
|
Patients Can Submit Info Blocking Complaints |
Now |
Providers, Payer, HIN, HIE |
Be able to document incidents that come from info blocking complaints with all fields captured that might be submitted to HHS via their portal. Vendors can automate this process. |
|
Educate patients about sharing their health information with third parties and the role of OCR (HIPAA) and FTC (Breach Rule) in protecting their rights |
Now |
CMS Regulated Payers, Providers, HIN, HIE |
Patient education about the safety of third-party applications that may be used to request patient data. This education is very important to deliver upon patient request, but defined mostly by CMS Interop and Patient Access rules, be sure to create a compliant program for such education. FTC Breach Rule covers breaches by non-HIPAA entities, but will be less enforced than HIPAA, therefore offers less protections in the long run. |
|
Definition of EHI and DRS |
Now |
Providers, Payer, HIN, HIE |
Define the contents of the DRS (Designated Record Sets) in the context of the new rules and EHI (Electronic Health Information) which is defined as ePHI, whether it comes from a HIPAA CE (or BA). Non-HIPAA organizations should develop DRS with EHI also, but are seemingly not required to by the rules. |
