HIPAA Blog

[ Wednesday, February 03, 2021 ]

 

21st Century Cures Act impact on HIPAA documentation.  The Cures Act imposes a lot of general rules designed to prevent information blocking.  I just happen to be revising some standard HIPAA documentation (hint: if you're a member of the Texas Medical Association and use the HIPAA forms provided by them, some slightly revised documents will be rolling out sometime in 2021), and thought it might be a good idea to point out that a couple of semi-hidden provisions of the Cures Act might trigger a good reason to revise some of your documents.

The underlying purpose of the Cures Act, for these purposes, is to prevent "information blocking."  While HIPAA is about protecting PHI, it also allows (and sometimes requires) PHI to be shared when appropriate.  Many EHR providers intentionally try to limit the ability of their EMRs to communicate with other EMRs (they want to put up hurdles to keep their customers from easily migrating to a competitor EMR), and some health care providers try to prevent patients from sending their PHI to other providers, who they consider competitors.  That type of information blocking is the focus of recent rules from CMS and ONC.  

There's an obvious tension between HIPAA's requirement to generally prevent uses and disclosures of PHI, and the Cures Act Rules prohibiting most activities that could be considered information blocking (data privacy is, by definition, information blocking).  Although the ONC Cures Act Rule recognizes that nondisclosures made because they are prohibited by law (e.g., a general refusal to provide PHI to an unknown requestor due to HIPAA Privacy Rule prohibitions) are not information blocking, the ONC Rule is careful to say that this applies only to disclosures that are actually prohibited.  Thus, if a provider withholds data because it is permitted to do so, it will be in compliance with HIPAA, but could be in violation of the ONC data-blocking rule.  It's tricky.

For health care providers, the general requirement is to not engage in activities that could be information blocking; at its most basic level, if a provider is granting patients access to their records in the manner required by HIPAA, it's unlikely they could be considered to be engaging in information blocking, but it's probably a good idea to make sure your documentation doesn't unintentionally commit you to activities that could be considered information blocking by a disgruntled patient.

Consider revising your BAA: Section 4006 of the Cures Act itself revised HITECH (which revised HIPAA), to include a requirement that might make you want to consider revising your standard form BAA.  HITECH now says: 

"If the individual makes a request to a business associate for access to, or a copy of, protected health information about the individual, or if an individual makes a request to a business associate to grant such access to, or transmit such copy directly to, a person or entity designated by the individual, a business associate may provide the individual with such access or copy, which may be in an electronic form, or grant or transmit such access or copy to such person or entity designated by the individual."

Due to this, you might consider amending the "Access" provision of your BAA to allow the business associate to make the disclosure of an individual's PHI directly to the individual or to the person indicated by the individual, if the individual approaches the business associate directly.  Most BAAs simply require the business associate to provide the PHI to the covered entity upon request, and many require the business associate to communicate to the covered entity before providing the PHI to the patient.  In fact, most business associates don't want to be responsible for making the decision about whether they should grant access to the patient.  If you are a health care provider, you should consider revising your BAA to allow the business associate to make the disclosure directly, with a requirement that the business associate notify you if they have done so.

Consider revising your NoPP (all providers): The CMS and ONC Cures Act Rules prohibit covered entities from refusing to disclose PHI if doing so would be information blocking.  In other words, if the covered entity is asked to disclose the information and refusing to do so is data blocking, then in fact the covered entity is now required by law (the Cures Act) to make the disclosure.  While this might not have a real practical impact, you should consider revising the "required by law" section of your Notice of Privacy Practices to include a reference to disclosures required to avoid information blocking.

Consider revising your NoPP (Medicare/Medicaid hospitals): The CMS Cures Act Rule revises the Medicare/Medicaid Conditions of Participation (CoPs) for hospitals to require that the hospital automatically send electronic notifications upon a patient's admission to (including ER registration) or discharge or transfer from the hospital ("ADT Notice").  The ADT notice should be automatically sent to appropriate post-acute care service providers, as well as to the patient's primary care provider or group and any other provider designated by the patient.  Since these notifications will happen automatically, and the patient might be surprised to hear that their primary care doctor (who maybe they didn't like that much anyway) found out they were admitted, or annoyed to get calls from post-acute providers seeking to provide the patient with services, it might be a good idea for hospitals to revise their NoPPs to warn the patients about these disclosures.

Food for thought.  


Jeff [7:12 PM]
