Bradley attorney Amy Leopard was quoted in Healthcare IT News on the new rules proposed by the U.S. Department of Health and Human Services (HHS) that will transform how patient data is shared among providers and with patients. The rules outline permissible business practices that will not be considered information blocking and require healthcare providers and their service providers to share data more broadly.
“Section 4004 of the 21st Century Cures Act prohibits ‘information blocking’ and authorizes HHS to identify activities that will not constitute information blocking,” explained Leopard.
“As a condition of achieving HHS certification on their products, health IT developers cannot information block and must attest to the feds that they will not information block,” Leopard said.
“Hospitals and professionals eligible to participate in the Medicare and Medicaid Promoting Interoperability Program – formerly known as meaningful use – must attest to CMS that they have not knowingly and willfully limited or restricted the compatibility or interoperability of their certified electronic health record technology,” she added.
“If the OIG determines a healthcare provider committed information blocking, it would refer the matter to the appropriate agency – for example, CMS, OCR, the Justice Department – to be subject to applicable legal authorities,” Leopard explained. “HHS requested comment on whether disincentives already available under current regulations would be sufficiently effective.”
Leopard believes the rule is currently written so broadly that it would encompass provisioning of EHR system access beyond the organization's own clinicians to patients and their designated vendors, as well as to unaffiliated providers.
“Providers would need to provide ‘access’ to their electronic health information systems to allow third parties to locate and retrieve information from any and all source systems in which the provider stores healthcare information,” she said.
“This definition could require healthcare providers to provide anyone with the ability to physically access EHRs used for clinical purposes and financial systems used for patient accounting purposes in order to locate and retrieve patient health info – much broader than patient portal access or transmission to another provider or to a patient or his or her designee,” she explained.
The access contemplated could lead to foreseeable and unforeseeable negative consequences if not managed properly, she added.
“CISOs will immediately see the numerous privacy and security concerns in providing EHR access beyond their own clinicians,” Leopard stated. “If the rule is finalized in the present form, provider organizations must take steps to adopt privacy and security policies that are narrowly tailored to the specific privacy or security risk of concern. This means both understanding and delineating the basis for distinctions made in access policies rather than adopting broad or generic privacy and security policies.”
Specifically, when a healthcare provider organization determines not to share electronic health information for security reasons, those reasons need to be addressed in a written policy prepared based on a risk assessment with parameters tailored to address the particular risk of concern, Leopard explained.
“No longer will it be sufficient to deny access based on ‘security’ generally,” she said. “Likewise, if the basis for denying a request for access is state or federal privacy laws, the specific basis for that concern needs to be a written policy establishing the specific law and rationale for denying access and how the actor may satisfy the legal requirement so the information may be provided – for example, by seeking consent where necessary.”
Having high-level privacy policies that simply require patient consent for the disclosure without describing how patients will exercise meaningful choice over consent could be considered a pretext or rationalization for information blocking, she explained.
“Further, any restrictions on access must be consistently applied in a nondiscriminatory manner,” she continued. “Privacy and security policies and practices must be applied uniformly to the organization itself, to people with whom it has a business relationship, and to those with whom it has no relationship.”
“Healthcare provider organizations that refuse to exchange health information with a competitor or with a patient’s app on the basis of onerous privacy or security practices that did not apply to others would need to strictly justify such an approach,” she added.
As an example, if the organization imposes a requirement that third-party apps seeking information on behalf of a patient utilize multi-factor authentication, the actor would need to follow that authentication requirement for itself and its affiliates accessing that same information, Leopard explained.
“The broad access entailed here will place tremendous demands on security, and the compliance documentation necessary to support denials of access will be vastly more detailed to avoid allegations of information blocking,” she said. “Organizations will need to tie their policies back to their security risk assessment, update their policies to be internally consistent, and provide sufficient training for workforce members involved in EHR provisioning to understand the organization’s access policies.”
The original article, “Could HHS Information Blocking Rule Have Unintended Consequences on Data Sharing and Security,” first appeared in Healthcare IT News on September 13, 2019.