Could HHS information blocking rule have unintended consequences on data sharing and security?
The U.S. Department of Health and Human Services has proposed new rules that will have a profound effect on how healthcare providers share patient data. The Office for the National Coordinator of Health IT and the Centers for Medicare & Medicaid Services are each reviewing industry comments on their proposed rules.
HHS clearly intends to transform how patient data is shared among providers and with patients by outlining permissible business practices that will not be considered information blocking and by requiring healthcare providers and their service providers to share data more broadly.
“Section 4004 of the 21st Century Cures Act prohibits ‘information blocking’ and authorizes HHS to identify activities that will not constitute information blocking,” explained Amy S. Leopard, a partner at Bradley Arant Boult Cummings, a law firm that specializes in various industries including healthcare.
Leopard specializes in healthcare privacy and security. She recently worked with HIMSS staff on the comments to the HHS proposed Information Blocking rules.
What exactly is information blocking?
Information blocking is when a healthcare provider, health information technology developer, health information exchange or health information network (collectively, “actors”) engages in a practice likely to interfere with, prevent or materially discourage the access, exchange or use of electronic health information.
ONC developed exceptions that spell out those practices that would not constitute information blocking, but those exceptions are very narrow and contain detailed requirements.
“As a condition of achieving HHS certification on their products, health IT developers cannot information block and must attest to the feds that they will not information block,” Leopard said.
"The broad access entailed here will place tremendous demands on security, and the compliance documentation necessary to support denials of access will be vastly more detailed to avoid allegations of information blocking."
Amy S. Leopard, Bradley Arant Boult Cummings
“Hospitals and professionals eligible to participate in the Medicare and Medicaid Promoting Interoperability Program – formerly known as meaningful use – must attest to CMS that they have not knowingly and willfully limited or restricted the compatibility or interoperability of their certified electronic health record technology,” she added.
The HHS Office of Inspector General will hold health IT developers, health information exchanges and networks, and healthcare providers accountable for both information blocking and false attestations to the government on information blocking. Health IT developers may be subject to penalties of up to $1 million and a ban on their certified products.
“If the OIG determines a healthcare provider committed information blocking, it would refer the matter to the appropriate agency – for example, CMS, OCR, the Justice Department – to be subject to applicable legal authorities,” Leopard explained. “HHS requested comment on whether disincentives already available under current regulations would be sufficiently effective.”
Provisioning of access to EHRs
Leopard believes the rule is currently written so broadly that it would encompass provisioning of access to EHR system access beyond the clinicians to patients and their designated vendors as well as unaffiliated providers.
“Providers would need to provide ‘access’ to their electronic health information systems to allow third parties to locate and retrieve information from any and all source systems in which the provider stores healthcare information,” she said.
“This definition could require healthcare providers to provide anyone with the ability to physically access EHRs used for clinical purposes and financial systems used for patient accounting purposes in order to locate and retrieve patient health info – much broader than patient portal access or transmission to another provider or to a patient or his or her designee,” she explained.
The access contemplated could lead to foreseeable and unforeseeable negative consequences if not managed properly, she added.
Healthcare CISOs and CIOs are confronting growing demands to provide EHR access to more parties while securing the data maintained within the EHR.
“CISOs will immediately see the numerous privacy and security concerns in providing EHR access beyond their own clinicians,” Leopard stated. “If the rule is finalized in the present form, provider organizations must take steps to adopt privacy and security policies that are narrowly tailored to the specific privacy or security risk of concern. This means both understanding and delineating the basis for distinctions made in access policies rather than adopting broad or generic privacy and policies.”
Not sharing for security reasons
Specifically, when a healthcare provider organization determines not to share electronic health information for security reasons, those reasons need to be addressed in a written policy prepared based on a risk assessment with parameters tailored to address the particular risk of concern, Leopard explained.
“No longer will it be sufficient to deny access based on ‘security’ generally,” she said. “Likewise, if the basis for denying a request for access is state or federal privacy laws, the specific basis for that concern needs to be a written policy establishing the specific law and rationale for denying access and how the actor may satisfy the legal requirement so the information may be provided – for example, by seeking consent where necessary.”
Having high-level privacy policies that simply require patient consent for the disclosure without describing how patients will exercise meaningful choice over consent could be considered a pretext or rationalization for information blocking, she stated.
“Further, any restrictions on access must be consistently applied in a nondiscriminatory manner,” she continued. “Privacy and security policies and practices must be applied uniformly to the organization itself, to people with whom it has a business relationship, and to those with whom it has no relationship.
“Healthcare provider organizations that refuse to exchange health information with a competitor or with a patient’s app on the basis of onerous privacy or security practices that did not apply to others would need to strictly justify such an approach,” she added.
As an example, if the organization imposes a requirement that third-party apps seeking information on behalf of a patient utilize multi-factor authentication, the actor would need to follow that authentication requirement for itself and its affiliates accessing that same information, Leopard explained.
“The broad access entailed here will place tremendous demands on security, and the compliance documentation necessary to support denials of access will be vastly more detailed to avoid allegations of information blocking,” she said. “Organizations will need to tie their policies back to their security risk assessment, update their policies to be internally consistent, and provide sufficient training for workforce members involved in EHR provisioning to understand the organization’s access policies.”