Erin MacLean (emaclean@fandmpc.com, emaclean@compliagent.com) is Attorney/Managing Shareholder at Freeman & MacLean PC, located in Helena, MT, and Regional Compliance Director at Compliagent LLC, located in Los Angeles, CA.
Healthcare providers have an obligation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)[1] to protect the confidentiality of protected health information (PHI), but this obligation does not grant them ownership or exclusive control over the PHI. Further, when a provider requests PHI for treatment purposes and that request is improperly delayed or denied, the withholding provider may be liable for information blocking under the 21st Century Cures Act (Cures Act)[2] unless the information is otherwise protected by law, such as in the case of substance use disorder patient records under 42 C.F.R. § 2. This article addresses the evolution of access and exchange of PHI for treatment purposes with the passage of the Cures Act in 2016 and the Office of the National Coordinator for Health Information Technology’s (ONC) issuance of its Cures Act final rule in March of 2020.
Background
HIPAA modernized the flow of healthcare information. It changed how providers and patients access records, especially health information stored and shared electronically. An unintended consequence of HIPAA’s privacy restrictions is information blocking, a result of the reluctance of providers to exchange PHI with other providers for treatment purposes. In 2015, the ONC’s Report to Congress defined information blocking as “knowingly and unreasonably interfer[ing] with the exchange or use of electronic health information.”[3] The ONC stated that the secure, efficient, and effective sharing and use of electronic health information (EHI) is a key component of healthcare delivery system reform. Nonetheless, in the era of the Affordable Care Act, where billions of dollars of incentives have been given to providers to implement systems of managing electronic health records (EHRs), “challenges continue to limit the widespread and effective sharing of [EHI] across the health care continuum.”
HIPAA and important exceptions
One objective of HIPAA was to permit secure electronic exchange of information for treatment purposes. Despite this objective, some providers have instituted practices that frustrate this goal, such as requiring outside treatment providers to obtain patients’ authorization to access PHI, which is unnecessary and can constitute information blocking. Covered entities may disclose PHI to other providers for treatment purposes without patient authorization.[4] This is one of the clearest exceptions to HIPAA’s rules, which otherwise prohibit a covered entity from using or disclosing PHI, unless authorized by patients.
Any healthcare provider transmitting health information in connection with certain transactions is a covered entity under HIPAA and subject to the HIPAA Privacy Rule.[5] The HIPAA Privacy Rule standards dictate how providers may use and disclose PHI. A major goal of the Privacy Rule is to assure PHI is protected, while still allowing for the necessary flow of information to promote high-quality healthcare and protect the public. The Privacy Rule states, “A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.”[6]
Ask yourself, “What steps can I take to ensure that my organization is disclosing PHI in a timely manner to all authorized providers that request PHI for treatment purposes?”
The U.S. Department of Health and Human Services (HHS) provides guidance to covered entities, stating that they may rely on professional ethics and best judgments in deciding which disclosures to make. HHS also maintains that a healthcare provider’s primary responsibility under HIPAA is to disclose PHI in a secure, permitted manner. A covered entity may use and disclose PHI for its own treatment, payment, and healthcare operations activities. Additionally, a covered entity is permitted to disclose PHI for the treatment or payment activities of any other covered entity.[7]
Treatment is defined as “provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.”[8] Patients expect their health information to be disclosed, as necessary, for treatment, billing, and the operations of the covered entity’s healthcare business; such transactions are permitted under HIPAA. Providers seem to understand that they may disclose PHI for treatment purposes to outside providers; however, recurring information blocking demonstrates that providers may be unwilling to do so for various reasons, including an intent to keep the information from perceived or actual competitors in the healthcare field.