Last week, the Center for Medicare & Medicaid Services (CMS) finalized long-awaited regulations on Interoperability and Patient Access (the “CMS Rule”) to require Medicare Advantage plans, Medicaid and Children’s Health Insurance Program (CHIP) managed care plans, state agencies, and Qualified Health Plan (QHP) issuers on federally-facilitated exchanges (“CMS Payers”) to provide patients easy access to their claims and encounter information, as well as certain clinical information, through third-party applications of their choice. On the same day, the Office of the National Coordinator for Health Information Technology finalized its rules on Interoperability, Information Blocking, and the ONC Health IT Certification Program (the “ONC Rule”) related to the 21st Century Cures Act (Cures Act). The CMS Rule and ONC Rule have far-reaching impacts.

As individuals and organizations covered by the rules are considering how they may facilitate their access to health information to support patients, health care providers, and others, it is important to understand when provisions in the rules will be effective and timing and what acts may constitute violations of these rules.  To help clients get familiar with these deadlines, we are providing this summary chart of compliance requirements and applicable deadlines to help your organization prepare for upcoming enforcement of the ONC Rule and the CMS Rule.  For legal advice tailored to the specific needs of your organization, please reach out to Jodi Daniel, head of the firm’s Digital Health Practice at jdaniel@crowell.com.

As you read the chart, you should keep the following in mind:


Continue Reading Compliance Reference Chart for ONC and CMS Interoperability Rules

The HHS Office of Civil Rights (“OCR”) closed out the month of April with some updates to HIPAA civil monetary penalty (“CMP”) limits and clarifications to OCR’s stance on the Privacy Rule’s application to transfers of electronic protected health information (“ePHI”) to third-party applications and application programming interfaces (“APIs”).

Differential CMP Caps Based on Enforcement Discretion

Under the current HIPAA Enforcement Rule, HHS employs a four-tier level of culpability scale in line with the HITECH Act. These four tiers correspond to appropriate CMPs ranges for violations by covered entities and business associates of the HIPAA Privacy and Security Rules. These penalty tiers are adjusted for inflation pursuant to the cost-of-living formula set forth in the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.

For instance, if a person did not know and, by exercising reasonable diligence, would not have known that the person violated the applicable HIPAA provision, the CMP range the person could be levied was $100-$50,000 for each identical violation, up to a maximum of $1.5 million for all such violations annually (before adjusted for inflation). The $1.5 million annual cap on CMPs for HIPAA violations applied across all four tiers, even though the minimum penalties for each tier increased in amount.

Since HHS began using this four-tier structure, however, there has been debate about whether the HITECH Act mandates different annual CMP caps for each of the tiers. OCR’s April 30, 2019 Federal Register Notice changes HHS’s prior position on this, and now imposes the following annual caps on CMPs for HIPAA violations:.


Continue Reading HIPAA Spring Cleaning! Tidying Up Penalty Limits and FAQs on Patients’ Right of Access

On March 6, 2018 at the Healthcare Information and Management Systems Society (HIMSS) 2018 conference, Centers for Medicare & Medicaid Services (CMS) Administrator Seema Verma announced a new initiative furthering the current Administration’s focus on value-based care and increasing patient access to healthcare data. The initiative — called MyHealthEData — will be led by the White House Office of American Innovation, in collaboration with the Department of Health and Human Services (HHS), CMS, the Office of the National Coordinator for Health Information Technology (ONC), the National Institutes of Health (NIH), and the Department of Veterans Affairs (VA). (CMS press release here.)
Continue Reading Liberating Data to Transform Value-Based Care: MyHealthEData, Blue Button 2.0, and Price Transparency

The HHS Office of Civil Rights published a new FAQ response (OCR FAQ) detailing the agency’s position that generally information blocking will violate the HIPAA Privacy and Security Rules if it affects a covered entity’s access to its own protected health information (PHI) or its ability to respond to requests for access to PHI from patients. This follows a series of similar policy documents from HHS over the past 18 months that focus on preventing business arrangements or practices that would be defined as information blocking, and thereby, frustrating the goal of interoperability. Specifically, according to the OCR FAQ:

  • An electronic health records (EHR) vendor or cloud provider’s actions to terminate a covered entity’s access to its own electronic PHI (ePHI) (e.g., in a payment dispute) would violate the HIPAA Privacy Rule because those actions would constitute an impermissible use of PHI.
  • An EHR vendor or cloud provider’s refusal to ensure the accessibility and usability of a covered entity’s ePHI upon demand by the covered entity or to return a covered entity’s ePHI upon termination of the agreement, in the form and format that is reasonable in light of the agreement, would violate the HIPAA Security Rule.
  • A business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if necessary to provide individuals with access to their PHI under the HIPAA Privacy Rule.
  • A covered entity that agrees to terms within a business associate agreement (BAA) that would prevent the covered entity from ensuring the availability of its own PHI as required would not be in compliance with the HIPAA Privacy and Security Rules.

OCR has increasingly ramped up its enforcement of violations of the HIPAA Privacy and Security Rules related to noncompliant BAAs, so the new OCR FAQ signals that information blocking provisions could be the source of future enforcement actions.


Continue Reading Blocking Access to Health Information May Violate HIPAA

The federal government has spent billions to promote adoption and “meaningful use” of health information technology (HIT). There is growing government interest in ensuring that HIT is used to support patient care, but doing so requires electronic exchange of information. Congress, the Department of Health and Human Services (HHS), and States have taken action to identify and prevent “information blocking”—interference with the exchange or use of electronic health information—by health care providers, hospitals, technology developers, and service providers. And there likely will be more guidance, statutory and regulatory changes, and enforcement by federal agencies and states in the coming year.

Congress Requests Information and Takes Action

On December 21, 2014, Congress raised concerns about health information blocking, claiming that such activities “frustrate Congressional intent” under the Health Information Technology for Economic and Clinical Health (HITECH) Act, “devalue taxpayer investments,” and make HIT “less valuable and more burdensome” to hospitals and health care providers. Congress urged the Office of the National Coordinator for Health Information Technology (ONC) at HHS to certify only HIT that does not block health information exchange. Congress also requested ONC publish a detailed report on the scope of health information blocking and a strategy to address it, within 90 days.


Continue Reading Health Information Blocking Leads to New Requirements and May Lead to Enforcement Actions