December 14, 2020

HIPAA Compliance and the 21st Century Cures Act

The upcoming new year means new regulatory compliance changes for hospitals, health systems and physician practices. One especially important rule relates to the 21st Century Cures Act and information blocking.

What Is the 21st Century Cures Act?

A bipartisan law passed in December 2016, the 21st Century Cures Act aims to take health information exchange to the next level by promoting interoperability and giving patients greater access to their own health information. One of the legislation’s key requirements prohibits information blocking.

What Is Information Blocking?

The Cures Act defines information blocking as any business, technical or organizational practice that is likely to interfere with, prevent or materially discourage access to, exchange of or use of electronic health information (EHI).

Who Can Be an Information Blocker?

The Cures Act specifies four types of “actors” that must comply with the information blocking rule:

  1. Healthcare providers
  2. Health information technology companies that have a certified health IT system
  3. Health information networks (HINs)
  4. Health information exchanges (HIEs)

To be considered an information blocker, an entity must recognize that its actions would interfere with EHI use. Providers can experience information blocking when they try to obtain patient health data from another provider and are denied access to all or part of the requested information. The issue can also arise when a patient aims to retrieve their personal health information and is prevented from doing so. Blocking can be as overt as directly thwarting information exchange or as subtle as making health IT so complex that it all but eliminates the possibility of information sharing.

The law also prescribes penalties for information blocking, the most serious of which apply to health IT vendors, HINs, and HIEs. These entities can incur monetary penalties up to $1 million per violation and may be banned from certifying health IT going forward. Healthcare providers could also be penalized, but the Office of the National Coordinator (ONC) has not fully defined what those penalties would entail.

How Does the Information Blocking Rule Relate to HIPAA Compliance?

While healthcare organizations should avoid information blocking, they also must remain focused on keeping confidential patient health information private and secure to maintain compliance with HIPAA. The ONC addresses this concept in two of the information blocking rule’s eight exceptions.

The Privacy Exception

The privacy exception indicates an activity will not be considered information blocking if an actor does not fulfill an EHI request in order to protect an individual’s privacy, provided certain conditions are met. This exception suggests that an actor should not be required to use or disclose EHI in a way that is prohibited under state or federal privacy laws.

For example, if the provider is required to obtain consent before sharing patient information with another healthcare entity, it may delay sharing the information until it receives consent. This delay is not information blocking. Similarly, if a patient has requested that their information not be shared, the provider has the right not to share the information.

The Security Exception

The security exception also pertains to HIPAA. This exception states that an activity will not be considered information blocking if it is done to protect the security of EHI, provided certain conditions are met. This exception is intended to cover all legitimate security practices but does not prescribe a maximum level of security or dictate a one-size-fits-all approach.

To fit within the security exception, an activity must be directly related to safeguarding EHI’s confidentiality, integrity, and availability; tailored to specific security risks; and implemented in a consistent and non-discriminatory manner.

How to Prepare Your Healthcare Organization for Cures Act and HIPAA Compliance Changes

There are many nuances involved in the interpretation of the information blocking rule, especially when you consider its evolving relationship with HIPAA. The Department of Health and Human Services (HHS) has not yet released revised rules regarding HIPAA in the context of information blocking.

That said, here are a few things organizations should be doing now to prepare for this critical part of the Cures Act and whatever associated HIPAA changes may go along with it:

Understand the requirements.

Taking time to read about the rule and what it entails is a good first step to set the context for updating your compliance processes and procedures. The federal government has a comprehensive site that details the legislation and its various components.

Review your current compliance program.

After getting up to speed on the legislation, you should examine your compliance policies to determine where additions or corrections may be necessary. To help with this, you may want to pull together a team of experts. This group may include legal resources familiar with the Cures Act, IT professionals that understand the intricacies of information exchange, and privacy and security compliance experts that fully understand the implications from a HIPAA perspective. Team members may be internal or external, depending on your organization’s size and compliance resources.

Plan for increased compliance training.

Once you have new policies in place, you will also need to implement compliance training that walks staff through the details of the information blocking rule and how they can preserve patient privacy and security while facilitating patients’ access to their health information. Although you can develop training programs in-house, there will likely be external offerings available as the compliance deadline approaches.

Stay tuned for updates.

With the pandemic impacting all facets of healthcare, the deadlines for compliance may shift. As of this writing, healthcare providers, vendors, and other actors must comply with information blocking rules and regulations starting on April 5, 2021. However, that may change as the time gets closer. As such, it’s important to stay abreast of new developments to make sure you are on track to remain in compliance.  

Partner with Stericycle to Manage Your Healthcare Organization’s HIPAA Compliance

One of the challenges with the information blocking rule is that it applies to all healthcare organizations, even those that don’t have a large compliance department that can review policies, assess risk, make updates and offer training. That’s where Stericycle comes in. Our compliance experts are committed to helping customers think through the implications of the information blocking rule and how to meet the intent of both the Cures Act and HIPAA. We will be offering several resources in the coming months to guide customers through their compliance journey.

Learn more about how Stericycle helps organizations manage HIPAA compliance.
