January-February 2021

HIPAA Challenges: Keep Pace With Disclosure Management Changes
By Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB
For The Record
Vol. 33 No. 1 P. 28

Amid the pandemic and pressure to comply with new rules and regulations, hospitals and health systems are faced with unprecedented challenges. As a result, HIM professionals, who play a critical role in evolving areas such as privacy and security, release of information (ROI), disclosure management, interoperability, and patient matching, are experiencing their fair share of sleepless nights.

Let’s examine these concerns in more detail.

Patient Identification
This issue is a priority that has become more urgent during COVID-19. The pandemic presented more pressing concerns as organizations rushed efforts to establish a remote workforce. For example, creating patient walk-in windows for ROI was a critical requirement. Many facilities developed a virtual means to accommodate patient requests for their health records while ensuring privacy and security protocols.

Providing patients with secure, timely access to their health data remains a top priority as efforts to create a standard to uniquely identify and match patients to their records hang in the balance.

Increased Cybercrime Threats
One of the most critical areas of concern is the increased threat level posed by cybercriminals. According to cybersecurity experts, ransomware attacks have accelerated in recent years because organizations are willing to pay high ransom demands to recover access to protected health information (PHI). With ransomware attacks expected to escalate further as the pandemic continues, health care providers are advised to identify areas of vulnerability and take action to combat the changing nature and frequency of these attacks.

The Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and Health and Human Services (HHS) recently released an advisory that describes the threat and recommends practices to help mitigate the risk posed by ransomware and other cyber threats. The advisory references the joint CISA MS-ISAC Ransomware Guide that provides a ransomware response checklist that can serve as an addendum to an organization’s cyber incident response plan.

CISA, the FBI, and HHS urge providers to take precautions to protect their networks from these threats. CISA encourages users and administrators to review its ransomware webpage for additional information.

Because the health care industry is a prime target for cyberattacks, HHS is focused on efforts to ensure regulatory compliance while protecting providers and their patients. The purpose of the HIPAA Security Rule is to ensure health care entities maintain the confidentiality, integrity, and availability of PHI.

The following are reminders of the practices required by HIPAA privacy and security enforcement policies:

• Conduct an enterprisewide risk assessment on a regular basis.

• Maintain appropriate policies and administrative, technical, and physical safeguards.

• Encrypt all devices that contain PHI.

• Respect a patient’s right of access to PHI at a reasonable cost.

• Respond promptly to known or suspected vulnerabilities or concerns.

• Report breaches in a timely manner as required by law.

• Ensure that business associates adhere to HIPAA rules and regulations.

• Do not disclose PHI on social media platforms.

Interoperability and Information Blocking
The 21st Century Cures Act opened the way to new information blocking policies and regulations with the intention to give patients easier access to health data. On October 29, 2020, the Office of the National Coordinator for Health Information Technology (ONC) released an interim Cures Act Final Rule extending the dates and timeframes for interoperability regulations and health care information blocking. To allow the industry to focus on its response to COVID-19, the applicability date was extended to April 5, 2021. However, ONC is clearly not removing requirements intended to advance consumer access to their health information.

The Information Blocking Rule encourages the flow of information for patient-enhanced management of their health care through the use of health information. As a result, organizations can expect to see increased patient-directed flow of their health information to application programming interfaces (APIs) and other support management tools.

Facilities should make sure they inform patients that the portal is available for easy access to their information. It is important to balance output and use—understanding the purpose of information that is requested. As organizations consider the best course of action moving forward, a recommended resource is The Sequoia Project, which continually updates its list of offerings, including webinars, toolkits, and reports.

Information Blocking Rule Details
While this rule impacts providers, HIT developers, and health information networks/health information exchanges, it may not directly affect business associates—it depends on the specific function with which the business associate is tasked. For example, ROI vendors are not directly an “actor” but they may be tasked to assist in routing requests for exception review. It is imperative that business associates determine whether they are considered an actor and required to comply.

Impacted entities must certify that they observe the following criteria:

• Do not engage in information blocking.

• Provide assurances that the developer or entity will not engage in information blocking.

• Do not prohibit or restrict certain communications.

• Publish APIs and allow health information to be accessed, used, and exchanged without special effort through the use of APIs.

• Conduct real-world testing.

• Ensure attestation is completed.

Despite the delay for applicability and enforcement, health care providers must remain diligent to evaluate readiness, workflows, and information governance. Strong leadership and education are necessary to make interoperability work, placing patients first. Furthermore, sharing patient information between payers and providers will require strict governance as interoperability evolves.

Finally, HIMSS issued a statement that its 80,000 members are advocating for the next Congress and administration to leverage HIT to combat the pandemic and ensure greater health equity through investments in public health infrastructure and continued work on standards-based interoperability.

As health care organizations embrace the new rule, a broad approach is recommended. Begin with an information blocking checklist that includes the following suggestions:

• Create a detailed project plan.

• Review assessments and privacy compliance plans.

• Create in out-of-scope areas.

• Map to timeline requirements.

• Identify risks and begin documentation of mitigations.

• Identify applicable exceptions and document team review.

• Ensure a data access and compliance focus.

• Update policies and procedures.

• Conduct ongoing training and education.

Why a Compliance Program Matters
A compliance program is necessary to reduce risk related to violations, complaints, and enforcement. The Office of Inspector General provides compliance program guidance directed at various segments of the health care industry to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements.

When creating or updating a compliance program, begin by identifying goals and strategies to overcome barriers and achieve positive outcomes. Successful implementation requires the guidance of a compliance officer to keep a watchful eye on an ever-changing regulatory climate and disseminate information as needed. Finally, it’s important to remember that whatever changes occur with interoperability, information blocking, cybercrime, and other critical updates, HIPAA remains the gatekeeper.

— Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, is vice president of privacy, compliance, and HIM policy at MRO. Bowen ensures new and existing client HIM policies and procedures are to code and serves as the company’s privacy and compliance officer, assuring timely reporting of any disclosure incident. She is also responsible for reviewing legislation to assure industry response and compliance within MRO.