The 21st Century Cures Act required the Department of Health & Human Services, Office of the National Coordinator for Health Information Technology (ONC) to adopt rules preventing health care providers, developers of certified health information technology and health information exchanges from interfering with the access, exchange and use of electronic health information (EHI). Originally, the information blocking (IB) rules applied only to data elements included in the Core Data for Interoperability. Effective October 6, 2022, the IB rules now apply to all EHI included within the Designated Record Set (DRS) as defined in the Health Insurance Portability & Accountability Act (HIPAA) rules. (HIPAA defines the DRS as including medical and billing records, or records used by the health care provider to make decisions about individuals.)
Since the rules now apply much more broadly, ONC recently published a blog post with reminders about important features of the IB rules. Notable reminders include:
- The IB rules apply not only to affirmative acts, but also omissions. For example, a provider's failure to comply with state law requiring reporting of contagious diseases could be an interference with access, exchange or use of EHI that violates the IB rules.
- The eight exceptions to the IB rules are not "one size fits all", but rather are intended to apply to individual facts and circumstances. For example, there is an exception for a provider that is unable to provide access to EHI because it is infeasible. ONC points out that "What's infeasible for an IB actor in October 2022, may not be a year later."
- The IB rules apply to all EHI, not only EHI contained in certified electronic health records.
- Some of the exceptions to the IB rules require a response to the party requesting EHI (such as a patient requesting access to the health record) if the request is delayed or denied. For example, if a provider denies a request to access EHI on the grounds that the request is infeasible, the provider must explain in writing to the requestor, within ten days, why the request is infeasible.
- Published: 11 October 2022
- Last Updated: 11 October 2022
The Department of Health & Human Services (HHS) and the Civil Rights Division of the Department of Justice (DOJ) have jointly published guidance on how telehealth providers can comply with nondiscrimination laws. The Americans with Disabilities Act (ADA) and other federal laws require health care providers to make their services accessible to people with disabilities (such as vision, hearing or intellectual disabilities) and people with limited proficiency in English. The new guidance describes how these antidiscrimination laws apply to telehealth services.
The departments discuss the example of a physician who offers telehealth services to patients generally, but excludes patients with intellectual disabilities. The physician can't make the blanket assumption that such patients will be unable to use the online platform required for telehealth. Office staff may need to discuss the patient's needs in advance of the appointment and adjust customary procedures, such as allowing the disabled person to have a support person assist with the telehealth appointment.
Patients who have hearing or visual disabilities may also require accommodation. The guidance provides several examples:
- A physical therapy practice that provides remote training sessions to patients may need to make sure the telehealth platform allows a sign language interpreter to join the session.
- A mental health provider may need to ensure that the provider's telehealth platform can support real-time captioning for patients who are hard of hearing.
- A dietician who uses a web-based platform to provide written dietary recommendations may need to assure that the instructions are compatible with a blind patient's screen reader.
- A physician who provides remote consultations through a video platform may need to provide a consultation by phone for a visually disabled person who requests that option.
Health care providers that receive federal financial assistance, such as federally qualified health centers, are required to take reasonable steps to provide meaningful access to their services for patients who have limited proficiency in English (LEP). In the context of telehealth, this may require selecting a telehealth platform that can include a telephone or video remote interpreter as part of the patient's telehealth appointment.
Ensuring access is not a new issue for health care providers, who have long experience with the need to assure that physical facilities and office procedures accommodate patients with disabilities. The new guidance makes clear that telehealth raises unique issues, and providers should devote careful attention to how they can best serve these populations with new technologies.
- Published: 13 September 2022
- Last Updated: 13 September 2022
On July 15, 2022, the Office for Civil Rights (OCR) announced that it has resolved eleven more investigations in its Right of Access Initiative. This initiative, which began in 2019, enforces the patient right of access to health records under the Health Insurance Portability and Accountability Act (HIPAA). Thirty-eight investigations have been completed under this program.
The Right of Access investigations have involved many types of providers. The most recent announcement includes:
- A civil money penalty of $100,000 imposed on a podiatry practice that failed to provide a former patient with requested medical records, and ignored data requests from OCR.
- A settlement of $3,500 with a psychiatry practice that withheld access to the patient's record because the patient had an outstanding balance.
- A settlement of $55,000 with a health care provider that did not provide a personal representative with timely access to medical records, mistakenly believing that the power of attorney did not allow for access.
- A settlement of $240,000 with a health system for failing to timely respond to an access request.
The HIPAA Privacy Rule generally requires that a health care provider respond within thirty days to a request for access to health records from the patient or personal representative. This applies to both medical records and billing records. All health care providers should make sure their procedures for requesting records do not impose barriers that are not permitted under the Privacy Rule, and that they record when the patient or representative requests the record and how long it takes to respond.
- Published: 01 August 2022
- Last Updated: 01 August 2022
The Office for Civil Rights (OCR) has published guidance discussing how the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies to release of information concerning abortion. Most health care providers are covered entities under HIPAA, and are permitted to disclose protected health information (PHI) only as expressly permitted or required under the Privacy Rule. The guidance discusses several scenarios involving the Privacy Rule provisions concerning disclosures required by law, disclosures to law enforcement and disclosures to avert a serious threat to health or safety.
Disclosures of PHI required by law include only disclosures where the health care provider is compelled to disclose PHI, and the disclosure is limited to what the law requires. OCR gives the example of a patient in a hospital emergency department experiencing complications related to miscarriage in the tenth week of pregnancy, where a hospital staff member suspects that the patient may have taken medication to end the pregnancy. If state law prohibits abortion after six weeks but does not expressly mandate health care workers to report suspected violations to law enforcement, disclosure would be prohibited.
Concerning disclosures for law enforcement, OCR notes that the Privacy Rule permits disclosure only where law enforcement presents a legally enforceable mandate, such as a court order. If a law enforcement official requests a reproductive health care clinic to provide information on abortions at the facility but the official does not present a court order or other binding legal process, the clinic would violate the Privacy Rule by disclosing the requested information. In contrast, if the official presents a court order requiring the clinic to provide that information, the Privacy Rule would permit the clinic to disclose only the PHI expressly covered by the order.
Finally, OCR discusses a scenario where a pregnant patient in a state that bans abortion informs their health care provider that they intend to seek an abortion in another state. OCR concludes that disclosing this information to law enforcement would violate the Privacy Rule, because the patient's statement would not qualify as a serious and imminent threat to the health or safety of a person or the public, and would be inconsistent with professional ethical standards.
- Published: 07 July 2022
- Last Updated: 07 July 2022