DoctorLegal and Practical Implications of the CMS and ONC Interoperability Rules

Legal and Practical Implications of the CMS and ONC Interoperability Rules

Beckage attorneys have been busy helping clients understand and prepare for the two rules concerning interoperability issued on March 9, 2020 by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) (collectively referred to as the “Final Rules”). The Final Rules implement interoperability and record access requirements intended to help patients obtain health records and payment data so they can make informed decisions about healthcare. To help de-mystify these technical rules, Beckage will be releasing a blog series outlining how the Final Rules will impact different organizations in the health sector.  

While future blogs will tackle some of the technical nuances of the Final Rules, this blog will provide some context by answering a few high-level questions:

1. Who should pay attention to these Final Rules? Healthcare providers, health IT developers, health information exchanges, health information networks, electronic health record (EHR) vendors, and insurers participating in CMS programs (for purposes of this blog, these stakeholders are collectively referred to as “health care organizations,” although as discussed in future posts, they often have different interests and obligations under the Final Rules).

2. What is an API? ”API” stands for application programming interface. An API is essentially a software intermediary that allows two applications to talk to each other using standardized language.

3. What does the CMS Final Rule cover? The CMS Final Rule requires states and certain health care organizations to develop APIs that allow patients, medical providers, and insurers to access specific categories of data. The rule is intended to improve patient access to health information and standardize the types of health information that can be shared. For example, patients will be able to request access to their medical records via third-party apps, and payers may deny access only under specific circumstances. The CMS Rule also requires payers to provide information about in-network providers and exchange information with other insurers in the event a patient enrolls with a new insurance company.

4. What does the ONC Final Rule cover? The ONC Final Rule imposes standardized protocols to allow networks and software applications to talk to one another. Basically, the ONC Final Rule requires insurers, medical providers, IT vendors, and health exchanges to speak the same language. This is accomplished through updated and standardized health IT certification requirements, data classifications, and systematic requirements for APIs. The ONC Rule also implements the information blocking provisions of the 21st Century Cures Act.

5. When will the rules take effect? United States Department of Health and Human Services (HHS) recently issued guidance stating that it was extending some enforcement deadlines. Below are just a few of the new compliance deadlines relevant to hospital and payer organizations:

·        Spring 2020: Hospitals must be able to demonstrate that they comply with patient admission, discharge, andtransfer (ADT) event notification procedures required by the CMS Rule.

·        July 1, 2021: Payers must make a PatientAccess API available so patients’ third-party apps can access medical records via the API.

·        July 1, 2021: Payers must make a Provider Directory API available, so patients know which providers are in network.

The Final Rules represent a complete overhaul of well-established standards and an introduction of new and highly technical requirements with compliance deadlines as early as Spring 2021. Now is the ideal time for health care organizations to assess compliance requirements, contract with vendors, and develop a compliance framework. Beckage attorneys are uniquely experienced to help health organizations and tech companies of all sizes to navigate the complicated maze of legal and practical considerations raised by these and other health law regulations.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

TelemedicineOffice of Civil Rights Empowers Health Care Providers to Provide Telehealth Services

Office of Civil Rights Empowers Health Care Providers to Provide Telehealth Services

On March 17, 2020, in light of the COVID-19 nationwide public health emergency, the Office of Civil Rights (OCR) announced that it will refrain from imposing penalties for noncompliance with HIPAA regulations in the context of good faith provision of telehealth. This significant Notification of Enforcement discretion allows health care providers to use“non-public facing” remote communications, such as audio or video communication technology, to provide telehealth to patients during this emergency environment. OCR clarified that the exercise of discretion applies to telehealth provided for any reason, not just for diagnosis or treatment of COVID-19. Providers may use video chat applications via phone or desktop computer, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype. However, “public facing” applications such as “Facebook Live,Twitch, TikTok, and similar video communication applications . . . should not be used in the provision of telehealth.” 

OCR encouraged providers to notify patients that these third-party applications potentially introduce privacy risks, and that they should enable all available encryption and privacy modes when using these applications. Although OCR will not impose penalties against providers for failing to execute a Business Associate Agreement (BAA) with the video communication vendors, OCR suggested that providers should nevertheless seek to provide telehealth services through HIPAA-compliant technology vendors that will enter into a BAA.

For more information about the telehealth Exercise of Discretion, see: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html

Note that this is just one example of the discretion federal agencies may exercise in the context of a national emergency. See also: https://www.phe.gov/Preparedness/legal/Pages/phedeclaration.aspx for more information about regulatory discretion in the context of the Department of Health and Human Service’s recent Public Health Emergency Declaration.

Beckage attorneys, including our seasoned health care attorneys, are at the ready to help your organization navigate the use of telehealth services during these unprecedented times. Our experienced team understands the nuances associated with the intersection of healthcare, law and technology and can provide practical know-how related to the provision of telehealth services.  

*Attorney Advertising. Prior Results Do Not Guarantee A Similar Outcome.

Subscribe to our newsletter.

Medical Devices_ Narrowing the Information Security Threat SurfaceMedical Devices: Narrowing the Information Security Threat Surface

Medical Devices: Narrowing the Information Security Threat Surface

With the ever-expanding technology ecosystems of organizations, including the proliferation of Wi-Fi-enabled technology and interconnected smart devices, it’s no surprise that cybersecurity risks have increased. With a similar expansion of internet-of-medical-things, medical devices are increasingly at the forefront of potential threats. Last June, the U.S. Food and Drug Administration warned patients and health care providers that certain insulin pumps were being recalled because of vulnerabilities that could allow an outsider to connect and change a nearby pump’s settings. Hackers themselves have been sounding the alarm about these kinds of potential attacks, but doctors, hospitals and manufacturers have been slow to respond, due to limited resources and limited understanding of the threats and risks.

Read More