It is the start of a new year and one thing we know for sure; nothing stays the same. Rules change, technology changes, and we must keep up. We wrote about the new Information Blocking Rule last July, but we have found many practices still do not understand what this means to them.
When the EHR Meaningful Use criteria was introduced in 2013, CMS stated that practices did not have to implement specific technology if a patient requested their information in a format that they did not have in place. This has all changed with the Information Blocking Rule that was passed in 2021. Part of the Interoperability Standard requires medical providers and health information companies to share patient data upon patient request. This Rule makes it very clear when it comes to patients and the control they have over their information. This is also known as “right of access”.
In the past EHRs was hesitant to open their portals due to security issues. Now, it is required to have security measures in place and share the data. There are some exceptions, but be forewarned, they are vague, and could be misinterpreted.
Penalty guidelines are in place for IT operators and health information companies, they are still working on the guidelines for medical providers. This gives you a limited amount of time to get ready for heavy enforcement.
Patients are now permitted to request their information be made available in the format of their choice. This includes to a third-party app installed on their mobile devices. These apps should protect patient data by supporting secure access through authentication processes similar to what the financial industries use.
When a patient makes a request and you do not have the technology in place to grant their request, you are obligated to comply with their request if possible or contact your technology vendors to see if this can be accomplished. If you do not, this could be considered Information Blocking. We recommend contacting your EHR and starting a conversation with them to ensure they are working on interfaces with other EHRs and some of the most common mobile apps.
There are some companies working on this technology, from what I have heard, they are limited. I am sure more will be adding this service as we progress. Before you hire a company to “develop” an interface for you, read below.
NOTE: If a patient requests their medical provider to share their information with another entity that is not a covered entity or a business associate, the information is not subject to the HIPAA rules. For example, the covered entity would not have HIPAA responsibilities or liability if such an app that the patient designated to receive their ePHI later experiences a breach. If a patient requests a covered entity to send their ePHI using an unsecure method the covered entity must grant the disclosure if it is readily available in the form and format used by the app. However, it is highly recommended to advise the patient of the lack of security so they can make an informed decision.
On the other hand, if the app was developed for, or provided by or on behalf of the covered entity and it creates, receives, maintains, or transmits ePHI on behalf of the covered entity, the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the patient selects an app that the medical provider uses to provide services to their patients involving ePHI, the medical provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received. If you choose to develop or work with a company that has developed an app, be sure to obtain a BA agreement and review their technology security to ensure they are following the HIPAA requirements.
As we venture into this new territory, there will bad actors trying to “jump” on the healthcare wagon. As always, do your research before using any new applications or vendors. Ask your colleagues and most of all, check out their credentials.
If you need more information about the Information Blocking Rule or would like a live demo of our Automated HIPAA Compliance platform, contact us at 877.659.2467 or complete the contact us form.
“Simplifying HIPAA through Automation, Education, and Support”