
The newly proposed HIPAA rule on electronic protected health information (ePHI) from the U.S. Department of Health and Human Services may place more stringent requirements on providers and raise new compliance issues.

One of the primary goals the U.S. Department of Health and Human Services (HHS) identified for the Meaningful Use (MU) initiative was a more consumer-driven healthcare delivery model. Electronic health information interoperability was a key element in achieving that goal. Codification of ePHI and adoption of standards that define transport and message structures have provided the technical pillars for successful ePHI interoperability, but the requirements continue to expand.

To further meet HHS’s stated consumer-driven goals, policy changes are being enacted to strengthen patients' rights to access ePHI.

ePHI and HIPAA: What’s New

Initial changes in HIPAA policies regarding access to ePHI include shortened timeframes for responding to a patient's request for their medical record. Currently, HIPAA requires that providers fulfill a patient's request for their medical records within 30 days of the request. HHS is proposing that the maximum time be shortened to 15 days, and cites several states that have successfully adopted timeframes even shorter than the proposed 15 days.

The Office for Civil Rights (OCR) is also conducting complaint-based investigations of medical record fulfillment. So far in 2021, OCR has levied over a dozen fines against providers for not responding in a timely manner to a patient's request for their medical records.

Near real-time access to ePHI is also being promoted by HHS through patient portals, APIs, and patient-led ePHI capture via smartphone tools. Acknowledging the advances in consumer technology, HHS proposes new guidelines that specifically allow patients to capture ePHI in photos, videos, and audio using the capabilities built into their personal devices. The proposed changes would allow patients to make a separate appointment to review ePHI, where they can use these capture tools, and would also allow the patient to review and collect procedural ePHI at the time the procedure is performed. Many, if not most, providers discourage or prohibit digital recording today by policy or practice.

What Does This Mean For Providers?

Emerging API technologies will blur the distinction between the "form and format" of ePHI and the "manner" in which the data is produced and transmitted. As stated in OCR's proposed rule, Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement:

“if a covered entity or its EHR developer business associate has chosen to implement a secure, standards-based API—such as one consistent with ONC’s Cures Act certification criteria…that is capable of providing access to ePHI in the form and format used by an individual’s personal health application, that ePHI is considered to be readily producible in that form and format, and that is also the manner by which the ePHI is transmitted. Where ePHI is readily producible in the electronic form and format requested by the individual, the covered health care provider must provide that access, including when the individual requests access to the ePHI through a secure, standards-based API via the individual’s personal health application.”

These policies are being introduced to actively engage patients in decisions about their own healthcare. The resulting changes will require new provider workflows that account for patients receiving ePHI results at the same time as, or even before, the provider has reviewed the information.

To find out how MEDHOST can help you prepare for and respond to the newly proposed rule, reach out to us at inquiries@medhost.com or call 1.800.383.6278.

When the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted, one of its key goals was to promote electronic exchange of, and patient access to, health data while also protecting the security and privacy of Protected Health Information (PHI).

The HIPAA Privacy Rule governs the permitted uses and disclosures of PHI, and the HIPAA Security Rule requires safeguards for the confidentiality, integrity, and availability of PHI held in electronic form (ePHI).

In an effort to promote consumer-driven healthcare and encourage competition among health IT vendors, the 21st Century Cures Act (Cures Act) further emphasizes the importance of easy access to and exchange of ePHI for the benefit of both patients and providers.

At first glance, HIPAA and the Cures Act may seem contradictory: HIPAA was built on the premise of permitting certain disclosures of PHI, while the Cures Act actively requires disclosures. The Cures Act not only requires disclosures but also explicitly prohibits "Information Blocking," defined as conduct that is "likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information."

Intersection: Patient Access and Patient Data Sharing

Patients already had the right to access their data under HIPAA. The Cures Act builds on that right by mandating flexibility in how, and with whom, patients share their ePHI, so the two regimes are aligned on patient access and sharing.

Intersection: Patient Consent/Authorization

Because the Cures Act is focused on increasing and easing the flow of data for the benefit of patients and providers, violating its Information Blocking provisions may expose an actor to investigation and steep penalties.

However, the Information Blocking provisions should not be interpreted to mean that unvetted and unconstrained access to data is required.

The Cures Act does allow eight specific exceptions for activities that might otherwise be considered information blocking, one of which is the privacy exception. To rely on the privacy exception, at least one of several conditions must be met; one such condition is that a precondition for disclosure has not been satisfied. A precondition in this context could mean proper consent or authorization as required by HIPAA or state law. In other words, the permissibility of a disclosure still must be evaluated, and data sharing is not required where it is prohibited under state or federal privacy law.

Intersection: Consideration of Confidentiality, Integrity and Availability of PHI

The Cures Act also parallels the HIPAA Security Rule directly: one of the information blocking exceptions (the security exception) covers practices that interfere with the exchange of data when those practices are directly related to safeguarding the confidentiality, integrity, and availability of ePHI. The caveat is that the exception is not a blanket pass for any security control; the practice must be tailored to the specific security risk being addressed and applied consistently rather than used selectively to withhold data.

This likely presents little change for Actors (healthcare providers, developers of certified health IT, and HIEs/HINs) that are already accustomed to evaluating the security posture of their business associates.

In addition to the intersections between HIPAA and the Cures Act listed above, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a proposed rule on December 10, 2020 to modernize HIPAA so that it better aligns with the current healthcare landscape. Like the Cures Act, several of the proposed changes focus on the speed and ease of patients' right of access, and they clarify and extend provider access to PHI for the purposes of care coordination and mental health services.

Things to consider:

In this continuously changing regulatory environment, MEDHOST is committed to helping you meet these HIPAA and Cures Act requirements while providing solutions that save time and resources, reduce cost, enhance revenue, and create better experiences for the communities you serve.

To learn more contact us at inquiries@medhost.com or call 1.800.383.6278.