On May 14, 2021, CMS published FAQs addressing questions that have been raised regarding the Interoperability and Patient Access final rule published May 2020.  CMS is careful to note that the FAQs “do not have the force and effect of law and are not meant to bind the public in any way, unless specifically incorporated into a contract, as directed by a program.”  CMS has provided links and other guidance, including regarding technical standards, best practices, and privacy and security resources, and has directly addressed questions raised by trade associations and others.

We summarize some of the key points addressed in the FAQs.  We encourage you to review the full CMS response where questions arise in your implementation.

On August 20, 2020 the Department of Health and Human Services (HHS) published a notice of proposed rulemaking (85 Fed. Reg. 51397) on good practices for the release and maintenance of agency guidance documents. Comments must be posted by 11:59 pm on September 16, 2020.

As instructed in the October 9, 2019 Executive Order 13891 (EO), titled “Promoting the Rule of Law Through Improved Agency Guidance Documents” (84 FR 55235 (Oct. 15, 2019)), HHS proposes to issue regulations to ensure (i) there is proper notice of any new guidance, and (ii) that the guidance does not impose obligations on regulated parties that are not already reflected in duly enacted statutes or regulations.

This proposed rule appears to follow the Office of Management and Budget, “Final Bulletin for Agency Good Guidance Practices,” issued on January 25, 2007 (72 Fed. Reg. 3432) with respect to significant guidance documents that may, for example, “adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or State, local, or tribal governments or communities” or “materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof,” and generally requires a 30-day notice and comment period.

Background


Last week, the Center for Medicare & Medicaid Services (CMS) finalized long-awaited regulations on Interoperability and Patient Access (the “CMS Rule”) to require Medicare Advantage plans, Medicaid and Children’s Health Insurance Program (CHIP) managed care plans, state agencies, and Qualified Health Plan (QHP) issuers on federally-facilitated exchanges (“CMS Payers”) to provide patients easy access to their claims and encounter information, as well as certain clinical information, through third-party applications of their choice. On the same day, the Office of the National Coordinator for Health Information Technology finalized its rules on Interoperability, Information Blocking, and the ONC Health IT Certification Program (the “ONC Rule”) related to the 21st Century Cures Act (Cures Act). The CMS Rule and ONC Rule have far-reaching impacts.

As individuals and organizations covered by the rules are considering how they may facilitate their access to health information to support patients, health care providers, and others, it is important to understand when provisions in the rules will be effective and what acts may constitute violations of these rules.  To help clients get familiar with these deadlines, we are providing this summary chart of compliance requirements and applicable deadlines to help your organization prepare for upcoming enforcement of the ONC Rule and the CMS Rule.  For legal advice tailored to the specific needs of your organization, please reach out to Jodi Daniel, head of the firm’s Digital Health Practice at jdaniel@crowell.com.

As you read the chart, you should keep the following in mind:


On Monday, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) announced an enforcement action against Bayfront Health St. Petersburg (“Bayfront”) for allegedly failing to provide a mother timely access to her unborn child’s prenatal medical records. The enforcement action is noteworthy in that it marks OCR’s first enforcement action under its Right of Access Initiative, announced earlier this year to focus more on enforcing patients’ rights to access their medical records without being overcharged.

After receiving a complaint in August 2018, OCR conducted an investigation indicating that Bayfront, a trauma and tertiary care center based in St. Petersburg, Florida, failed to provide the mother timely access to her unborn child’s fetal heart monitor records in accordance with the Health Insurance Portability and Accountability Act (“HIPAA”). HIPAA generally requires health care providers such as Bayfront to provide patients with access to their medical records, as well as those of their minor children, within 30 days of a request. HIPAA also prohibits charging more than a reasonable cost-based fee for such access.

Bayfront agreed to pay $85,000 to OCR to settle the potential HIPAA violation while not admitting to any wrongdoing. Bayfront also agreed to a corrective action plan including training, updating policies and procedures, and OCR monitoring.

This enforcement action signals a continued push from HHS to hold the health care industry accountable for giving individuals access to their health information. Earlier this year, the Office of the National Coordinator for Health Information Technology released proposed regulations on interoperability and information blocking and CMS released proposed regulations on interoperability also aimed at promoting patient access to their health information. In light of this enforcement action and regulatory activity, we recommend that covered entities carefully review their policies and procedures regarding individuals’ access to health information.

Electronic health record (EHR) vendor Allscripts recently disclosed on an earnings call that it has reached a tentative agreement with the Department of Justice (DOJ) to pay $145 million to settle an investigation into the regulatory compliance of one of its recent acquisitions, Practice Fusion. This news, combined with DOJ’s other recent successful enforcement actions against EHR companies, represents a trend and should be a warning that compliance is a priority when it comes to health IT. We anticipate that there will be more Anti-Kickback, HIPAA, and False Claims Act cases against similar health IT targets in the pipeline.

Allscripts acquired Practice Fusion, also an electronic health record company, in February 2018. According to the company’s public SEC filing from the first quarter of 2019, the investigation “relates to both the certification Practice Fusion obtained in connection with the U.S. Department of Health and Human Services’ Electronic Health Record Incentive Program and Practice Fusion’s compliance with the Anti-Kickback Statute and HIPAA.”


The HHS Office of Civil Rights (“OCR”) closed out the month of April with some updates to HIPAA civil monetary penalty (“CMP”) limits and clarifications to OCR’s stance on the Privacy Rule’s application to transfers of electronic protected health information (“ePHI”) to third-party applications and application programming interfaces (“APIs”).

Differential CMP Caps Based on Enforcement Discretion

Under the current HIPAA Enforcement Rule, HHS employs a four-tier scale of culpability in line with the HITECH Act. These four tiers correspond to appropriate CMP ranges for violations by covered entities and business associates of the HIPAA Privacy and Security Rules. These penalty tiers are adjusted for inflation pursuant to the cost-of-living formula set forth in the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.

For instance, if a person did not know and, by exercising reasonable diligence, would not have known that the person violated the applicable HIPAA provision, the CMP that could be levied on the person ranged from $100 to $50,000 for each identical violation, up to a maximum of $1.5 million for all such violations annually (before adjustment for inflation). The $1.5 million annual cap on CMPs for HIPAA violations applied across all four tiers, even though the minimum penalties for each tier increased in amount.

Since HHS began using this four-tier structure, however, there has been debate about whether the HITECH Act mandates different annual CMP caps for each of the tiers. OCR’s April 30, 2019 Federal Register Notice changes HHS’s prior position on this, and now imposes the following annual caps on CMPs for HIPAA violations:


On March 6, 2018 at the Healthcare Information and Management Systems Society (HIMSS) 2018 conference, Centers for Medicare & Medicaid Services (CMS) Administrator Seema Verma announced a new initiative furthering the current Administration’s focus on value-based care and increasing patient access to healthcare data. The initiative — called MyHealthEData — will be led by the White House Office of American Innovation, in collaboration with the Department of Health and Human Services (HHS), CMS, the Office of the National Coordinator for Health Information Technology (ONC), the National Institutes of Health (NIH), and the Department of Veterans Affairs (VA). (CMS press release here.)

The HHS Office of Civil Rights published a new FAQ response (OCR FAQ) detailing the agency’s position that information blocking will generally violate the HIPAA Privacy and Security Rules if it affects a covered entity’s access to its own protected health information (PHI) or its ability to respond to requests for access to PHI from patients. This follows a series of similar policy documents from HHS over the past 18 months that focus on preventing business arrangements or practices that would be defined as information blocking and would thereby frustrate the goal of interoperability. Specifically, according to the OCR FAQ:

  • An electronic health records (EHR) vendor or cloud provider’s actions to terminate a covered entity’s access to its own electronic PHI (ePHI) (e.g., in a payment dispute) would violate the HIPAA Privacy Rule because those actions would constitute an impermissible use of PHI.
  • An EHR vendor or cloud provider’s refusal to ensure the accessibility and usability of a covered entity’s ePHI upon demand by the covered entity or to return a covered entity’s ePHI upon termination of the agreement, in the form and format that is reasonable in light of the agreement, would violate the HIPAA Security Rule.
  • A business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if necessary to provide individuals with access to their PHI under the HIPAA Privacy Rule.
  • A covered entity that agrees to terms within a business associate agreement (BAA) that would prevent the covered entity from ensuring the availability of its own PHI as required would not be in compliance with the HIPAA Privacy and Security Rules.

OCR has increasingly ramped up its enforcement of violations of the HIPAA Privacy and Security Rules related to noncompliant BAAs, so the new OCR FAQ signals that information blocking provisions could be the source of future enforcement actions.


A key event in Congress affecting health information technology occurred last week when two members of the Senate HELP Committee issued a discussion draft of their bipartisan legislation on health information technology (health IT).  This ambitious bill addresses many of the same areas as other recent bills, including information blocking, transparency, a star rating system for electronic health records (EHRs), usability, and interoperability. It also contains provisions on governance of health information exchange, safety, and patient access to data. If it passes, the bill will impact both users and producers of health IT and EHRs, including providers and technology companies.