Information Blocking Rule: Understanding the ExceptionsPrivacy Attorney Adam Greene on Data-Sharing Rule Compliance Challenges
Although the federal information blocking rule spells out practices that are not considered violations of the regulation, healthcare entities must carefully assess the validity of privacy or security concerns before denying access, exchange or use of patient data, says attorney Adam Greene of the law firm Davis Wright Tremaine.
The Department of Health and Human Services' 21st Century Cures Act information blocking rule, which went into effect for compliance in April, generally prohibits healthcare providers, health IT developers and health information exchanges from knowingly interfering with the access, exchange or use of electronic health information.
The rule, however, contains eight exceptions - including one pertaining to privacy and one to security - that spell out practices that are not considered information blocking.
But not every possible issue involving health data privacy or security is a valid excuse for failing to share patient data, Greene explains in an interview with Information Security Media Group.
For instance, under the security exception, "anything you do that you point to as 'security' as the basis for denying access … you want to be cognizant of the fact that just because the [data] requester may have poor security on their side, that doesn't necessarily mean it falls under the exception," he says. The key factor, he explains, is "whether your sharing of information with that requester creates security issues that you are addressing in a manner consistent with standard security practices."
In the video interview, Greene, who was a featured speaker at the recent 2021 Healthcare Information and Management Systems Society Conference in Las Vegas, also discusses:
- Pending enforcement considerations involving information blocking rule violations, including penalties, that are still being hammered out by HHS;
- Advice to healthcare entities and health IT developers about complying with the information blocking rule while still maintaining strong privacy and security protections for the health information being accessed, used or shared;
- Other upcoming health data privacy and security regulatory issues to watch.
As a partner at Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.