Patient Access Rights - A Snake in the Grass...
Prior to 2020, cyber law was a three-headed snake: information security, privacy, and the judiciary (criminal & civil penalties). In May 2020 (with early murmurings in 2018), the Department of Health and Human Services confirmed cyber law’s fourth head: personal access rights to data.
Earning their pensions and paychecks, the lawyers and policymakers at the Centers for Medicare & Medicaid Services (CMS) and DHHS simultaneously issued two rules in the spring of 2020: 1) Interoperability and Patient Access for … (Federally-Funded Health Care Programs/Entities); and 2) 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program (collectively, the “Interoperability Rules”).
The Interoperability Rules, which begin implementation in various phases starting in April 2021 (NOW!), are designed to promote every patient’s free and open access to his/her electronic health records – including X-rays and other types of imaging. Health care providers and facilities will have to, eventually, provide such information through applications that meet certain security standards, at the provider/healthcare facility’s own expense, as well as deliver “timely, secure, and trusted bi-directional exchange of structured electronic health information” with other providers and third parties at the direction of the patients.
While certain requirements are not yet mandatory (like the application interfaces), the access rights are now mandatory. The Office of Civil Rights is rapidly collecting fines from offenders. To date, DHHS reports 18 different investigations for access rights violations that resulted in settlements with the alleged offender.
Below are examples of the alleged fines, which are all de minimis in comparison to OCR’s previous demands for seven-figure penalties following its recent smack down by the U.S. Fifth Circuit for its “arbitrary and capricious” fines (home team win!):
1. March 26, 2021: $30K fine against Village Plastic Surgery for a SINGLE PATIENT complaint. The New Jersey provider must further provide certain privacy training to all staff and implement pre-approved policies concerning access rights. Legal fees likely exceeded the $30K fine from OCR.
2. March 24, 2021: $65K fine for TWO complaints for untimely access to patient records against Arbour Hospital in Massachusetts. The records were required to be provided to the patient within 30 days – the hospital failed to provide them for 5 months.
3. February 10, 2021: Renown Health, P.C., a private, not-for-profit health system in Nevada, will pay a $75k fine to settle a potential violation of the HIPAA Privacy Rule’s right of access standard and undergo 2 years of monitoring by DHHS to ensure right of access compliance.
The smallest penalty reported was $3,500 in 2020 and the largest fine assessed was in January 2021 against Banner Health ACE, a non-profit health system in Phoenix, AZ for $200,000 following two complaints. According to the DHHS press release regarding Banner Health ACE, one individual failed to receive her requested medical records for six months and another waited a little more than five months. DHHS fines for access rights violations rose between 2020 and 2021 on average; however, the primary indicator of the penalty’s heft appears to be the delay in providing the patient access to the requested records.
The deadlines by which different requirements within the Interoperability Rules must be implemented by the subject providers and health centers were already delayed once by DHHS. Below are the important deadlines that currently apply to Medicare Advantage plans, state Medicaid and Children’s Health Insurance Program agencies, Medicaid and CHIP managed care plans, and qualified health plan issuers in the federally facilitated exchanges:
1. April 5, 2021 (NOW): What CMS defines as “Information Blocking” and will warrant a penalty under 45 C.F.R. part 171. CMS also prohibits Health IT developers from undertaking any “information blocking” activities under 45 C.F.R. § 170.401 (developers must be able to “attest” as such to CMS as well as state that all information blocking standards and exceptions are complied with by the developer).
2. December 15, 2021: In accordance with 45 C.F.R. § 170.405, Health IT developers must publish a plan via a publicly accessible hyperlink for their Health IT Module (programs that perform clinical care and data exchange functions in accordance with interoperability standards and user-centered designs, see 45 CFR § 170.102) and by March 23, 2022, demonstrate that the module was successfully tested in a “real world” scenario that mimics the intended use of the technology.
3. December 31, 2022: Get those EHR application interfaces done, implemented, and online in accordance with HL7 FHIR, 45 C.F.R. § 170.215, and 45 C.F.R. § 170.315.
4. December 31, 2023: Allow patients to be able to export electronic health information in accordance with 45 C.F.R. § 170.315(b)(10).
For application development, a year or even 18 months, is not a lot of time to develop an application interface and migrate hundreds of thousands of records across different platforms, which will likely present conflicts between old v. new operating systems and digitizing files. Fortunately, based on CMS’s commentary, they only expect to see records post-dating 2015 uploaded into digital platforms. Good luck HealthTech!