OCR Continues its Focus on Patient Access Rights

The Beckage Health Law team continues to monitor OCR developments that relate to patient access rights.  In 2020, it became clear that patient right of access to records is a significant priority of the Office of Civil Rights (OCR), under the Department of Health and Human Services (HHS).  Just last month OCR reported on a settlement, audit results, and proposed rules, all focused on patient access to records. 

For example, on December 22nd, OCR announced the settlement of its 13th investigation focused on health records access.  The investigation followed a patient complaint to the OCR after the patient was unable to obtain records from his primary care provider on two separate occasions in 2019.  Emphasizing the importance of workforce training and documentation, the OCR issued a $36,000 fine and required the provider to update its Designated Record Set Policy as part of the Corrective Action Plan. 

In December, we also saw the release of an audit report on health industry compliance for audits conducted during 2016-2017. The December 17, 2020 report reveals findings for audits of randomly selected entities and business associates. Of note, most organizations failed to include appropriate content in plain language in their Notice of Privacy Practices, and content related to individual rights was often missing. Moreover, the report notes that many entities did not have appropriate policies, procedures, and documentation to demonstrate compliance with rules about how to respond to requests for records.

Finally, as described more fully in Beckage’s recent blog post about HHS proposed rules, OCR proposed amending the HIPAA Rule, including amendments to expand patients’ rights to access records, increase transparency about these rights, and shorten providers’ time to respond to records requests.

These three developments reaffirm OCR’s strong commitment to enforce the patient access rules, which we expect will continue in 2021. 

Beckage health law attorneys work with hospitals, health care providers and business associates to develop a compliance program tailored to mitigate risk. Our team has significant experience in OCR enforcement matters and investigations. We recommend that clients prioritize a review of their Notice of Privacy Practices as well as patient access policies to help mitigate risk. Reach out to our Beckage Health Law team for assistance analyzing these and other regulatory and legislative matters.

*Attorney advertising. Prior results do not guarantee a similar outcome.

HHS Proposed Rules Could Have Significant Impact on Health Plans and Health Care Providers

Beckage’s Health Law Team is monitoring recent developments concerning patients’ right to access health information. Last week, two agencies within the Department of Health and Human Services (“HHS”) announced proposed rules that could have a significant impact on health plans and health care providers. Though applicability of the proposed rules varies, both rules focus on individuals’ right to access health information, a compliance area that has seen increased scrutiny and enforcement actions in recent years.

OCR Proposed Rule

On December 10th, the HHS Office of Civil Rights (“OCR”) announced proposed changes to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule as part of a new proposed rule (“OCR Proposed Rule”). The OCR Proposed Rule is intended to reduce barriers for patients accessing medical records themselves and for covered entities using records related to care coordination and case management. While the OCR Proposed Rule eases some requirements for covered entities, it also creates a number of new requirements.

Key takeaways include:

  • Patient Access Requests: While covered entities currently have 30 days to respond to patient requests for access to their own health information, the OCR Proposed Rule would shorten this timeframe to 15 days (though it would allow an additional 15-day extension). Additionally, the OCR Proposed Rule would allow patients who are inspecting their records in person to capture images and take notes.
  • Fee Schedules and Notice of Privacy Practices: The OCR Proposed Rule would require covered entities to post their fee schedules for producing health records on their websites. In addition, covered entities would need to modify their Notice of Privacy Practices (“NPP”) to clarify patient rights, including prominent presentation of information about how patients can file HIPAA complaints and clarification that patients may direct release of their detailed records even when only a summary of records is made available to the patient. However, covered entities would no longer need to obtain patient acknowledgement of receipt of the NPP.
  • Use and Disclosure of Protected Health Information: The OCR Proposed Rule also broadens the scope of when and how covered entities can use and disclose protected health information, for the purpose of health care operations, with use and disclosure now permitted for case management and care coordination. Furthermore, there are additional provisions for sharing patient health information among covered entities, including among Armed Services care providers. CMS also updated references to reflect widespread use of electronic health records (EHR).

CMS Proposed Rule

Also on December 10th, the Centers for Medicare & Medicaid Services (“CMS”) announced proposed changes to the CMS Interoperability and Patient Access Final Rule (“Interoperability Rule”) issued earlier this year as part of a new proposed rule (“CMS Proposed Rule”). Visit Beckage’s previous blog on the Interoperability Rule here.

Key takeaways include:

  • Payer Requirements: The CMS Proposed Rule requires payers to provide patients with access to information about pending and active prior authorization decisions through their Patient Access API, which payers are required to implement under the Interoperability Rule. The CMS Proposed Rule also clarifies that payers can and must implement an attestation process for third-party apps to attest to security and privacy safeguards prior to accessing the payer’s Patient Access API on behalf of the member. Additionally, it specifies technical requirements for the Payer-to-Payer API, which must now be implemented using Fast Healthcare Interoperability Resources (“FHIR”) standards.
  • Provider Requirements: The CMS Proposed Rule requires providers to develop a Provider Access API for providers and payers to share claims and encounter data, certain types of clinical data, and pending and active prior authorization decisions.

Though the proposed rules will likely change during the 60-day public comment period, they underscore HHS’s commitment to individuals’ right to access health information. We encourage covered entities to review the proposed rules carefully to understand how the changes will potentially impact daily operations and procedures.

The experienced Health Law team at Beckage can help to distill these lengthy and complicated rules so organizations can understand practical implications on daily operations. Our seasoned health law attorneys are uniquely positioned to advise on regulatory compliance matters, as they have also worked in health care settings, are certified privacy professionals, and are technologists.

Call Beckage at 716.898.2102 for assistance analyzing these and other regulatory and legislative matters.

HHS Announces Last-Minute Changes to Compliance Deadlines

The US Department of Health and Human Services’ (“HHS”) Office of National Coordinator for Health IT (“ONC”) recently extended a few key compliance deadlines relevant to developers of certified health IT products, healthcare providers, and health information networks and exchanges (HIEs/HINs). Specifically, ONC pushed back certain requirements related to certification of certified health IT products and Information Blocking found in the ONC Cures Act Final Rule (ONC Rule), a rule that promotes seamless and secure access, exchange, and use of electronic health information through standardized health IT requirements. HHS stressed that it has extended these compliance deadlines to provide the healthcare industry additional time to implement the ONC Rule as the healthcare industry continues to grapple with the myriad challenges presented by COVID-19.

Developers of certified health IT are required to certify their products under the ONC Health IT Certification Program (“Program”). The Program now incorporates numerous new administrative and technical requirements outlined in the ONC Rule. The updated compliance deadlines give developers of certified health IT more time to update their currently certified products or build new products to comply with the new certification requirements, as well as more time to test those products. These developers also have additional time to attest under the Program that their products are compliant with specific conditions (known in the industry as the Conditions and Maintenance of Certification (“COC”)) that were updated by the ONC Rule.

Additionally, under the updated deadlines, developers of certified health IT, as well as healthcare providers and HIEs/HINs, have more time to comply with the new Information Blocking obligations required under the ONC Rule. Information Blocking is defined as any practice that is likely to “interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” There are eight narrow exceptions to these practices that allow an entity to engage in this type of behavior, most notably where the practice is intended to prevent harm, safeguard the security of electronic health information, or safeguard the privacy of the individual’s electronic health information.

The following is a summary of some key deadlines: 

| Requirement | Deadline |
| --- | --- |
| Developers of certified health IT, healthcare providers, and HIEs/HINs cannot engage in Information Blocking. | April 5, 2021 |
| Developers of certified health IT must attest that they comply with the CoC that were updated by the ONC Rule. | May 1, 2022 |
| All products certified under the Program must align with the ONC Rule’s new technical certification requirements. | December 31, 2022 (except with respect to a requirement related to electronic health information exports, which is not required until December 31, 2023) |
| Developers of certified health IT must successfully test their certified health IT under real world conditions. | Initial Plan for testing due December 14, 2021; Initial Results of testing due March 15, 2023 |

For more information regarding the specific deadline updates, please see HHS’s official press release regarding the changes.

We anticipate that the updated compliance deadlines will be a welcome change given the many technical and compliance challenges presented by the ONC Rule. With this extra breathing room, now is the ideal time for companies to evaluate their compliance posture with respect to the ONC Rule and begin to develop strategies for adopting and implementing the new requirements under the ONC Rule, as implementation will require consultation with technical and legal teams. Beckage attorneys will continue to follow the evolving regulatory compliance guidance on deadlines and substantive requirements to assist clients in the health IT and healthcare industry as they navigate these and other new regulatory requirements. Beckage attorneys are uniquely experienced to help health organizations and tech companies of all sizes to navigate the complicated maze of legal and practical considerations raised by these and other health law regulations. Please do not hesitate to reach out if you are interested in discussing the ONC Rule’s potential impact on your business.

*Attorney Advertising. Prior results do not guarantee future outcomes. 
