Parallels between HIPAA and 21st Century Cures Act
When the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted, one of the key goals was to promote electronic exchange and patient access to data, while also taking into consideration the security and privacy of Protected Health Information (PHI).
The HIPAA Privacy and Security Rules focused on the confidentiality, integrity, and availability of PHI.
In an effort to promote consumer-driven healthcare and encourage competition among HIT vendors, the 21st Century Cures Act (Cures Act) further emphasizes the importance of the ease of access to and exchange of electronic Protected Health Information (ePHI) for the benefit of both patients and providers.
At first glance, it may seem that HIPAA and the Cures Act are contradictory: HIPAA was built on the premise of permitting certain disclosures of PHI, while the Cures Act actively requires disclosures of PHI. The Cures Act not only requires disclosures, it also explicitly prohibits “Information Blocking,” which is defined as conduct that is “likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.”
Intersection: Patient Access and Patient Data Sharing
Patients already had rights to access their data under HIPAA. The Cures Act builds on this concept by mandating flexibility in how and with whom patients share their ePHI, so the two regulations are aligned on the concept of patient access and sharing.
Intersection: Patient Consent/Authorization
The Cures Act is focused on increasing and easing the flow of data for the benefit of patients and providers, and violating the Information Blocking provisions of the Act may place an actor at risk of investigation and steep penalties.
However, the Information Blocking provisions should not be interpreted to mean that unvetted and unconstrained access to data is required.
The Cures Act does allow for eight specific exceptions covering activities or actions that otherwise might be considered information blocking, one of which is the privacy exception. At least one of several conditions must be met to rely on the privacy exception, and one of those conditions covers the case where a precondition required by law has not been satisfied. A precondition in this context could mean the proper consents and authorizations required by HIPAA or state law. In other words, permissibility still must be evaluated, and data sharing is not required when it is prohibited under state or federal privacy law.
Intersection: Consideration of Confidentiality, Integrity and Availability of PHI
The Cures Act also has a direct parallel to the HIPAA Security Rule: one of the exceptions to information blocking (the security exception) specifically covers a practice that interferes with the exchange of data when that practice directly relates to safeguarding the confidentiality, integrity and availability of ePHI.
This likely presents little change for Actors (Healthcare Providers, Developers of Certified Health IT, and HIEs/HINs) that are already accustomed to evaluating the security posture of their business associates.
In addition to the intersections between HIPAA and the Cures Act listed above, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a proposed rule on December 10, 2020 in an effort to modernize HIPAA so it better aligns with the current healthcare landscape. Like the Cures Act, several of the proposed changes focus on the speed and ease of patients’ rights of access, and they clarify and extend provider access for the purposes of care coordination and mental health services.
Things to consider:
- While only two of the eight information blocking exceptions were discussed here, all of the exceptions should be considered as they relate to an actor’s current operations and practices. Proper documentation of how and when an exception is relied upon will be key.
- The Cures Act, even considering the information blocking provisions, does not erode patient privacy rights. When it comes to data sharing, proper authorizations and consents are still required.
- While HIPAA is the more cited privacy regulation, actors should not lose sight of state laws.
- Actors should review their business associate agreements and notice of privacy practices to make sure that they reflect their current practices.
- Communicate internally, with business partners, and with patients/consumers, where applicable, about any impacts or changes.
In this continuously changing regulatory environment, MEDHOST is committed to helping you meet these HIPAA and Cures Act requirements while providing you with solutions that save time and resources, reduce cost, enhance revenue, and create better experiences for the communities you serve.
To learn more contact us at email@example.com or call 1.800.383.6278.