New Regs Aim to Improve Patient Records Access, Sharing
It's Official: 21st Century Cures Act Regulations Go Into Effect
Long-awaited federal information blocking and health IT interoperability regulations under the 21st Century Cures Act went into effect this week. They are designed to give patients improved access to their records, including via smartphone apps, and make it easier for organizations to share records in an effort to improve treatment.
The Department of Health and Human Services' Office of the National Coordinator for Health IT said in a blog post that the Monday compliance deadline for the regulations, which were issued in March 2020, marked a "new day" for interoperability.
Under the regulations, healthcare providers, developers of certified health IT and health information exchanges and networks must allow patients to access their electronic health information from an application of their choice.
"Secure, standardized application programming interfaces allow for this access without special effort on the part of the clinician," ONC notes.
For the next 18 months – through Oct. 5, 2022 – providing patient access to a smaller subset of "core" electronic health information, or EHI, is required for compliance with the regulations.
The EHI for which access cannot be blocked is limited to the data elements represented in the U.S. Core Data for Interoperability Version 1, which includes clinical notes, allergy information, immunization records, laboratory results, medications and more. But eventually, providing access to even more data will be required.
ONC is partnering with the HHS Office of Inspector General on information blocking enforcement, including conducting investigations and imposing civil monetary penalties for violations. A final enforcement rule is still pending. HHS also is working on disincentives for healthcare providers that participate in information blocking, ONC notes.
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes that patients already have a right of access under HIPAA, so he does not expect the information blocking rule to create a sea change in how patients request their records.
"Rather, I expect that the improvements in API access to health information will lead to an increase in available apps for accessing health information and a slow increase in patients requesting their access through apps rather than requesting paper copies or copies on electronic media," he says.
Regulatory attorney Krystyna Monticello of the law firm Attorneys at Oscislawski LLC says she expects to see an increase in demand from third-party healthcare providers seeking to more easily access health information about their patients from other providers that have had closed systems.
With closed systems, typically only employees and members of the providers’ medical staff have access to electronic medical record systems - due to a combination of technical and operational challenges as well as compliance with federal and state laws that are more stringent than HIPAA, she notes.
"There has also been an uptick from health plans seeking electronic access to health information about their beneficiaries, particularly those who participate in accountable care type programs, which would typically have been obtained in the past through manual chart review processes," she says.
"We also expect to see patients increasingly look to applications utilizing APIs and portals, such as Apple Health, in order to collect electronic health information about them from the various healthcare providers that they receive care from and other health data sources."
Monticello notes that healthcare IT developers face specific technical criteria under the information blocking rule that may be challenging for them to meet – despite certain deadlines being extended for developers to the end of 2022 and 2023.
"These include making more than just a subset of a patient’s data available in a standardized electronic format," she says.
Healthcare providers that have operated under closed systems will no longer be able to routinely deny access to electronic health information without going through an information blocking assessment and determining whether there is a basis for them to withhold the information, she says.
"Even well-intended organizational policies such as routine delay of test results to allow the ordering provider to review before the patient will implicate the information blocking rule, unless an exception applies."
Exceptions to the Rule
The HHS regulations include eight exceptions to what is considered information blocking, including one each pertaining to privacy and security.
Under the privacy and security exceptions, for example, it will not be considered information blocking if an organization – such as a healthcare provider - does not fulfill a request to access, exchange or use electronic health information in order to protect an individual’s privacy or ensure the security of health information, provided certain conditions are met.
"The security exception recognizes legitimate security risks that have been identified by an organization in response to a particular type of request or on a case-by-case basis," Monticello says.
Greene predicts that overall, "good privacy and security practices generally will not result in noncompliance."
These new HHS regulations come at a time when HHS' Office for Civil Rights has been aggressively ramping up its enforcement of the HIPAA patient right of access provision, under which covered entities currently must fulfill patient requests for their health records within 30 days.
In the last two years since OCR launched its patient right of access enforcement initiative, the agency has issued 18 HIPAA settlements, ranging from $3,500 to $200,000, in such cases.
"Healthcare providers that fail to provide access could face penalties under HIPAA from OCR and from a state attorney general under HIPAA, penalties under state laws that also require access, and can also face 'appropriate disincentives' from HHS under the information blocking rule," Greene says.
"We are still awaiting a proposed information blocking enforcement rule for healthcare providers, however, so we do not yet know which HHS agency will have enforcement authority with respect to healthcare providers found to be information blocking - and what those disincentives will look like."