Electronic Healthcare Records , Governance & Risk Management , Healthcare Information Exchange (HIE)
HHS Delays Enforcement of New Info Sharing RulesCOVID-19 Crisis Cited in Putting Interoperability and Secure Information Sharing Rules on Hold
Federal regulators are delaying implementation and enforcement of certain provisions of the interoperability and secure information sharing final rules that were issued in March, citing the COVID-19 public health emergency that is overwhelming many healthcare organizations.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
On Tuesday, the Department of Health and Human Services announced “a policy of enforcement discretion to allow organizations flexibility regarding the implementation of the interoperability final rules” that were announced by the Office of the National Coordinator for Health IT and the Centers for Medicare and Medicaid Services on March 9 (See: HHS Releases Final Data Sharing Rules).
The rules were called for under the 21st Century Cures Act that was signed into law in 2015 with the aim of advancing medical innovation.
In addition, the HHS Office of Inspector General on Tuesday issued a proposed rule for enforcement of the information blocking provisions of HHS’ final rules.
”The proposed information blocking enforcement regulations are intended to help improve coordination within the healthcare system and patients' access to their health care data by addressing the negative effects of information blocking,” the HHS OIG said in a statement Wednesday. “OIG is seeking comment on when information blocking enforcement should begin.”
Revised ONC Timetable
The 1,244-page ONC final rule issued in March sets a range of new requirements. For example, it calls for certified health IT developers to establish secure, standards-based application programming interfaces for use by providers for health information exchange and to support a patient's access to core data in their electronic health records.
ONC now says it intends to exercise enforcement discretion for three months for certain health IT compliance requirements associated with its new rule.
This move “will provide flexibility while ensuring the goals of the rule remain on track,” Don Rucker, M.D., head of ONC, says in a statement.
ONC also issued on Tuesday a new timetable for the various compliance and enforcement dates identified in its rule.
The 747-page CMS interoperability rule, also issued in March, requires hospitals to send electronic notification to patients' primary care providers when patients are admitted, transferred or discharged. That provision, which was expected to go into effect six months after publication in the Federal Register, will be delayed another six months.
”Now more than ever, patients need secure access to their healthcare data,” said Seema Verma, CMS administrator in a statement. “Hospitals should be doing everything in their power to ensure that patients get appropriate follow-up care. Nevertheless, in a pandemic of this magnitude, flexibility is paramount for a healthcare system under siege by COVID-19. Our action today will provide hospitals an additional six months to implement the new requirements.”
Reaction to Delay
The College of Healthcare Information Management Executives, which represents healthcare CIOs and CISOs, says its members support any effort to enable healthcare organizations to maintain their focus on the COVID-19 pandemic.
”The healthcare system is still in the midst of fighting the pandemic, and it is unclear what the rest of the year will bring in terms of strain on the healthcare system,” says Andrew Tomlinson, CHIME’s director of federal affairs.
“While we are still working to digest the impacts of these new rules and compliance dates, it is important to remember the enforcement delays outlined at this point in time only apply to certain actors and does not provide any information on when enforcement for providers will begin. Without knowing the timeline for disincentives for providers, it is hard to fully understand the full scope of any delay."
Tomlinson also notes that HIPAA already requires that patients be offered the opportunity to access and share their health data.
“We agree that the rules stand to improve patients’ access to their healthcare information in a more facile manner through third-party apps, but time will be needed for providers and vendors to facilitate these changes. And the pandemic has diverted both staff and resources away to address the public health emergency and wrestle with implementing other priorities, such as access to personal protective equipment and standing up telehealth systems.”
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine offers a similar assessment.
“While I think that the rules will provide important benefits to patients and plan members, I think delaying is the right move under the circumstances,” he says
“Healthcare providers’ resources are obviously stretched thin, and health plans have to adjust to huge changes right now, both with respect to changing rolls due to unemployment, and remote operations,” he notes. “Even with these delays, attention to the rules has been overshadowed by COVID-19, and I expect many will still find themselves behind on building out compliance.”
Earlier, HHS made other moves to ease regulatory requirements during the COVID-19 crisis.
For instance, HHS’ Office for Civil Rights issued a variety of “enforcement discretion” notices and limited HIPAA waivers in recent weeks (see COVID-19: HHS Issues Limited HIPAA Waivers).
One regulatory expert says HHS has been sending mixed messages to the healthcare sector with its recent regulatory moves – including issuing complex interoperability regulations in March during the pandemic, and then delaying their implementation just a few weeks later.
“These regulations are being implemented at the moment where the priorities of many healthcare organizations are focused primarily on the war against the COVID-19 pandemic,” says privacy attorney David Holtzman of the security consultancy CynergisTek.