Today, March 9, 2020, the U.S. Department of Health and Human Services (HHS) finalized two sets of regulations that are intended to increase patients' access to health data. As explained by HHS Secretary Alex M. Azar, "These rules are the start of a new chapter in how patients experience American healthcare, opening up countless new opportunities for them to improve their own health, find the providers that meet their needs, and drive quality through greater coordination."
The rules also present significant new opportunities and challenges for providers, payers, and health IT companies. The Final Rule published by the Office of the National Coordinator for Health Information Technology (ONC) (available at: https://www.healthit.gov/curesrule/download) updates the 2015 Edition Health IT Certification Criteria and implements the information blocking requirements under the 21st Century Cures Act. The ONC Final Rule includes several key provisions:
- Definition of Electronic Health Information (EHI). While EHI was previously defined very broadly, the Final Rule narrows the definition of EHI. Under the Final Rule, EHI is limited to electronic protected health information as defined under HIPAA, to the extent that it would be included in a designated record set, regardless of whether the records are used or maintained by or for a covered entity. In addition, EHI will not include psychotherapy notes (as defined at 45 CFR 164.501) or information compiled in reasonable anticipation of, or for use in, civil, criminal, or administrative actions or proceedings.
- Information Blocking Exceptions. The 21st Century Cures Act generally prohibits conduct that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI. The ONC Final Rule implements eight exceptions to this prohibition on information blocking, and the exceptions are grouped into two categories: (1) those exceptions that involve not fulfilling requests to access, exchange, or use EHI, and (2) those exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI. The Final Rule includes a new Content and Manner Exception, which was not included in the proposed rulemaking and is intended to provide some flexibility regarding the required content and method for responding to requests for access.
- Health IT Certification. For health IT developers, the Final Rule also updates the current 2015 Edition Health IT Certification Criteria. Among various changes, the Rule adds the two technical certification criteria (Electronic Health Information Export and Standardized API for Patient and Population Services) and two privacy and security criteria (Encrypt Authentication Credentials and Multi-factor Authentication).
The information blocking prohibitions will go into effect six months from publication of the Final Rule, and enforcement of the information blocking civil monetary penalties will begin following additional rulemaking from OIG.
In addition to the ONC Final Rule, the Centers for Medicare & Medicaid Services (CMS) Interoperability and Patient Access Final Rule (available at: https://www.cms.gov/Regulations-and-Guidance/Guidance/Interoperability/index) includes additional requirements, primarily for payers, that are also intended to increase interoperability:
- Patient Access API: CMS-regulated payers are required to implement an API that allows patients to access their claims and encounter information as well as certain clinical data. Covered payers will be required to implement the API beginning January 1, 2021.
- Payer-to-Payer Data Exchange. Patients will now have the ability to instruct CMS-regulated payers to exchange certain clinical data with other payers. CMS-regulated payers must implement processes for this data exchange beginning January 1, 2022.
- Reporting on Information Blocking. In late 2020, CMS will begin publicly reporting those providers that may be engaged in information blocking based upon their attestations to certain Promoting Interoperability Program requirements.
- Reporting on Digital Contact Information. In late 2020, CMS will begin reporting those providers that do not provide digital contact information in the National Plan and Provider Enumeration System.
- Event Notifications. CMS is creating a new Condition of Participation that will require participating hospitals to notify other facilities and providers when a patient is admitted, discharged, or transferred. This requirement goes into effect six months after publication of the Final Rule.
These much-anticipated final rules will affect the operations and practices of health care providers, payers, and health IT vendors, and organizations will be required to update their policies regarding patient access. Baker Donelson's Health Information Technology Group will be publishing a series of alerts and hosting future events to discuss these important changes. If you have any questions regarding these issues please contact Alisa L. Chestler, CIPP/US or Andrew J. Droke.