On October 8th, the Massachusetts Health & Hospital Association (MHA) held a webinar regarding the information blocking aspects of the Office of the National Coordinator for Health Information Technology (ONC) Final Rule under the 21st Century Cures Act. The Cures Act required ONC to develop regulations to improve interoperability and patient access to electronic health information, and deter information blocking. Information blocking is a practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI).
The presentation, which was given by Foley Partner Chanley Howell, focused on aspects of ONC's Final Rule specific to health care providers and steps practices should take in order to comply. Below are some key takeaways from the presentation:
- While the Office of Management and Budget (OMB) is currently reviewing further extensions from the current compliance deadline of November 2, 2020, it is important to keep in mind that the Office of Inspector General (OIG) is working on civil monetary penalties (CMPs) up to $1 million and "appropriate disincentives." However, these penalties will not begin until the OIG has had the opportunity for notice and comment rulemaking on what may constitute "appropriate disincentives." There will also be a three-month enforcement discretion period from ONC until February 2, 2021 to allow health care providers to focus on other priorities during the COVID-19.
- While HIPAA historically has required business associate agreements to establish permissible uses and disclosures of PHI—and prohibit uses and disclosures not permitted or required by law—the new rule now requires the sharing of data where HIPAA permits, but does not require, the disclosure. Additionally, when the law permits the access to or exchange of EHI, a disclosure will often be required.
- The new rule requires that the policies be implemented in a consistent and non-discriminatory manner to put pressure on providers or health IT developers to streamline their data contracting protocols. If delay or denial of information may be considered interference, compliance with an exception may be necessary to avoid information blocking claims.
- Covered entities and their business associates should update their privacy and security policies, as well as modify their release of information and data-sharing practices. In some places, the rule requires that organizational policies be in writing (such as in the Preventing Harm, Privacy and Security Exceptions).
- Although the ONC notes that the information blocking rule does not itself require providers or health IT developers to violate their Business Associate Agreements (BAAs), they cannot use these agreements to limit EHI disclosures, so it is highly encouraged to consider the applicability of BAA language regarding modifications to the law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.