Holland & Hart's Health Law Blog

Archive for category: Data Privacy

Healthcare Providers: Beware New Information Blocking Rule

August 26, 2020/in COVID-19, Data Privacy, IT, Provider Networks

By Kim Stanger

Healthcare providers focusing on COVID-19 may have missed the final Interoperability and Information Blocking Rule that was published May 1, 2020 and takes effect November 3, 2020. (45 C.F.R. Part 171). The Rule implements the 21st Century Cures Act and furthers the government’s efforts to enable the exchange of electronic health information (“EHI”) to facilitate better outcomes, lower costs, and greater patient access to information. In general, the Rule prohibits covered actors from blocking the flow of EHI; violations may result in significant civil penalties as discussed below.

Application to Healthcare Providers. The Rule applies to healthcare providers, health IT developers of certified health IT,1 health information exchanges, and health information networks (collectively referred to as “actors”). “Healthcare provider” is defined to include nearly any entity rendering healthcare, including physicians, practitioners, group practices, hospitals, long term care facilities, clinics, ambulatory surgery centers, and other entities determined appropriate by HHS.2

Prohibited Information Blocking. The Rule generally prohibits “information blocking,” i.e., a practice that the healthcare provider “knows3…. is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information”4 unless (i) the practice is required by law, or (ii) the practice fits within one of the exceptions listed below. (45 C.F.R. § 171.103(a)). Information blocking may occur, for example, when a healthcare provider refuses, ignores, delays, or imposes unreasonable conditions in response to requests to share EHI, including requests from patients, other providers, or payors. (See 85 FR 25811). It may occur when contracts, business associate agreements, license terms, or organizational policies unnecessarily restrict data sharing, or when technology is implemented, configured, or disabled so as to limit system interoperability. (85 FR 82511-12). The Rule generally prohibits any practices that increase the cost, complexity or burdens associated with accessing, exchanging or using EHI, or that limit the utility, efficacy or value of EHI such as diminishing the integrity, quality, completeness, or timeliness of the data. (85 FR 25809). Ultimately, “[a]ny analysis of whether an actor’s practices constitute information blocking will depend on the particular facts and circumstances of the case,” including whether the action rises to the level of an impermissible interference, whether the actor acted with the requisite intent, and whether the actor had control over the EHI or interoperability elements necessary to access, exchange or use the EHI in question. (85 FR 25811 and 25820).5

Use of PHI for Non-Patient Purposes

February 19, 2020/in Data Privacy, HIPAA

By Kim Stanger

In an era of decreasing reimbursement and rapidly expanding opportunities associated with “big data”, healthcare entities may be looking for ways to monetize protected health information (“PHI”)1 for their own, non-patient purposes. With limited exceptions, however, HIPAA restricts the use of PHI for non-treatment purposes without the patient’s consent. Failure to comply may subject HIPAA covered entities, business associates, and third parties to significant civil, administrative, and criminal penalties. (See, e.g., 42 U.S.C. § 1320d-6; 45 C.F.R. § 160.404).


Modified HIPAA Rules for Sending Records to Third Parties

February 7, 2020/in Data Privacy, HIPAA

By Kim Stanger

Thanks to a federal judge, the Office for Civil Rights has modified its rules for sending records to third parties.  Covered entities are no longer required by HIPAA to send non-electronic protected health information (“PHI”) to a third party at the patient’s request.  In addition, covered entities are no longer limited to charging a reasonable cost-based fee when sending records to a third party. 

The Third-Party Directive.  In 2009, the Health Information Technology for Economic and Clinical Health (“HITECH”) Act modified HIPAA to simplify the process for producing ePHI:

In the case that a covered entity uses or maintains an electronic health record with respect to protected health information of an individual … the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific.

(42 U.S.C. §17935(e)(1)). 


HIPAA, Psychotherapy Notes, and Other Mental Health Records

January 28, 2020/in Data Privacy, HIPAA

By Kim Stanger

The HIPAA privacy rules give special protection to “psychotherapy notes,” but providers often misunderstand what are and are not covered and how they differ from other mental health records.

I. “Psychotherapy Notes” Defined.

Contrary to popular belief, HIPAA does not provide special protection to mental health records in general, but it does give added protection to “psychotherapy notes”. As defined by HIPAA,

Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.


Business Associates’ Use of Information for Their Own Purposes

September 6, 2019/in Data Privacy, HIPAA

By Kim Stanger

Business associates may want to use a covered entity’s protected health information (“PHI”) for the business associates’ own purposes, e.g., for their own product development, data aggregation, marketing, etc. However, with very limited exceptions, HIPAA prohibits business associates from doing so without the patient’s written authorization. Misusing PHI may expose the business associate to HIPAA fines, criminal penalties, breach of contract claims by the covered entity, and perhaps civil liability to individuals whose PHI was improperly used. (See, e.g., 42 U.S.C. § 1320d-6; 45 C.F.R. § 160.404).

Limits on Use or Disclosure of PHI.

The business associate’s authority to use or disclose PHI derives from the covered entity’s authority. The covered entity may only use the patient’s PHI for certain purposes without the patient’s authorization, e.g., for the covered entity’s own treatment, payment or healthcare operations. (45 C.F.R. § 164.502). HIPAA allows covered entities to share PHI with business associates to assist the covered entity in performing authorized activities for or on behalf of the covered entity, but with very limited exceptions, the same limits that apply to the covered entity also apply to the business associate, e.g., absent the patient’s written authorization, it may only use the information for purposes of the covered entity’s treatment, payment, healthcare operations or other permitted use. (Id.). The business associate agreement (“BAA”) between the covered entity and business associate must specify the permissible uses of PHI. 45 C.F.R. § 164.502(e) states:


Holland & Hart

This blog is maintained by the Health Law practice group of Holland & Hart LLP. Visit the Holland & Hart website.


Disclaimer

This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
