Compliance With 2 New Health Data Regs: Avoiding Pitfalls
Privacy Attorney Adam Greene Describes the Challenges
As the compliance dates approach for the Department of Health and Human Services' information blocking and health IT interoperability final rules, organizations need to avoid potential pitfalls, says privacy attorney Adam Greene.
The two rules, issued earlier this year by the HHS Office of the National Coordinator for Health IT and the Centers for Medicare and Medicaid Services, implement the interoperability, secure health data exchange and patient access to records provisions of the 21st Century Cures Act.
For healthcare provider organizations, compliance with the new regulation prohibiting the blocking of healthcare providers sharing patients' health information will be particularly difficult, predicts Greene, a partner at law firm Davis Wright Tremaine who's a former senior adviser at HHS' Office for Civil Rights, which enforces HIPAA.
"I can't overestimate how big of a challenge it is to implement this," he says. "For decades ... we've been told, 'Don't disclose medical information.' But now we suddenly have a regulation that says, 'If you don't disclose certain medical information, you will be information blocking and subject to potential penalties.' It's a complete reversal from traditional health information privacy and security regulations."
Among the challenges for healthcare provider organizations will be identifying all the possible instances and current organizational practices that could potentially be considered information blocking because they interfere with access, exchange or use of electronic health information, Greene says.
Examples, he says, could include "refusing to provide access to a patient or a third party ... to certain medical record information. It could be delaying test results because there's a feeling the clinician should have an opportunity to speak with the patient first and anything that could discriminate against access by an application programming interface."
The compliance deadline for ONC's information blocking and health IT interoperability final rules is set for Nov. 2. But the Office of Management and Budget recently indicated it was reviewing a potential extension to the rules' compliance timeline because of the ongoing national COVID-19 public health emergency.
In the interview, Greene also discusses:
- What compliance with the HHS final rules will mean for healthcare CISOs and their teams;
- The significance of a recent modification to the California Consumer Privacy Act involving HIPAA de-identified information;
- Other health data privacy and security regulatory issues to watch.
As a partner at Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at HHS OCR, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.