Maintaining a steady flow of electronic data through healthcare organizations, while ensuring the right people have access to the right data, has never been more important. Historically, one couldn’t talk about patient data without acknowledging the Health Insurance Portability and Accountability Act (HIPAA), which was designed to develop a consistent set of standards to protect a patient’s data from disclosure without their consent. Now, the 21st Century Cures Act presents new regulations to ensure that patient safety and privacy remain front and center while making it easier for patients to access their own medical data and preventing industry practices known as “information blocking.”
As described by the federal government, information blocking is a “practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI).”
A variety of situations may be considered information blocking, including:
- A technology provider who restricts authorized access to or exchange of data between health information technologies.
- An organization that implements technologies in a way that isn’t standard and is likely to increase the complexity of the process or the burden on those trying to either access or exchange healthcare information.
- An organization whose technologies have been deployed in a way that is likely to “Lead to fraud, waste, or abuse, or impede innovations and advancements in health information access, exchange, and use, including care delivery enabled by health IT.”
So, how does HIPAA relate to the Cures Act?
The Cures Act and HIPAA Compliance
The Cures Act focuses on patient data, access to the data, and interoperability using API and FHIR technology; information blocking is a central focus in the context of the Cures Act, with HIPAA requirements around privacy and confidentiality still relevant at the core. The Cures Act does, however; include exceptions to information blocking, including the following:
Privacy exceptions. If a health system doesn’t fulfill a request due to patient privacy, information blocking may not apply. Information may not need to be released immediately if doing so conflicts with state or federal privacy laws. A health organization, for example, needs patient consent prior to sharing information. If a provider is waiting on patient consent to release information, then information blocking would likely not apply.
Security exception. Activity may not be considered information blocking if it’s done to safeguard security. The activity needs to be related to safeguarding the EHI’s “confidentiality, integrity and availability.” This exception must be applied consistently and without discrimination.
Getting prepared for Cures Act and HIPAA Compliance
The Cures Act includes many details, and ensuring compliance requires a thorough understanding of the changes. The federal government created a comprehensive document that outlines everything you need to do to get prepared. Tips include:
Consider the need for unique patient identifiers. These identifiers ensure that an authorized user accesses the right record, which is a critical element of staying HIPAA compliant. This will be a critical component, especially when patients access their own records. A unique patient identifier is a must have, not a nice to have.
Evaluate your existing archive. Patient care hinges on your ability to retrieve data at the point of care and make corrections as needed. An active archive gives staff a complete view of the patient record, which is critical when considering HIPAA compliance and the Cures Act.
Review existing compliance programs. Determine which areas, if any, need attention. Consider gathering a team of experts familiar with the Cures Act, including legal resources, Health Information Management, and IT professionals, to help identify any potential gaps.
Provide ongoing compliance training. Training is critical to prevent information blocking. You need the technology, but you also need staff who understand the regulations. Organizations must have clearly written policies and procedures, especially regarding exceptions. If you don’t release, or you delay the release of, a patient record, you need a policy in place that addresses why. Overall, there are very few exceptions allowed, so be prepared by documenting any and all exceptions. Get your policies in place for those exceptions and stick to them.
Understanding the Cures Act requirements and identifying potential areas that need attention will put you on the path to compliance. Having an in-depth understanding of what is considered information blocking, when exceptions may apply, and how they affect your organization, will ensure success. And ultimately, this will help you provide faster and easier access to patient data and improve the overall patient experience.
*Originally published July 7, 2021 on the Active Archive Alliance