information blocking and hipaa: road to compliance - journal of … · 2020. 9. 29. · member of...

Post on 12-Mar-2021






Click to see full reader


Information Blocking and HIPAA: Road to Compliance



9/28/2020 © 2020 MRO. All rights reserved. 1

Click below to listen to the recording:


9/28/2020 © 2020 MRO. All rights reserved. 2

Today’s Panelists

Angela Rose

VP of Implementation Services

9/28/2020 © 2020 MRO. All rights reserved. 3

Rita Bowen

VP of Privacy, Compliance and HIM Policy

Stephanie Kindlick

Sr. Director of Marketing& Host


9/28/2020 © 2020 MRO. All rights reserved. 4


• All attendees are on mute

• Please use the chat box feature during the presentation • We will be addressing these questions at the end of today’s presentation

• We are recording this webinar and will send the playback along with a survey

• We appreciate your feedback

• Webinar pre-approved by AHIMA for 1 CEU • Participants who were unable to attend the live presentation will still receive 1 CEU

• Certificates of completion are not required – the presentation will be an option in your AHIMA CEU portal

• Register for the rest of the Information Blocking webinar series • Register at:

9/28/2020 © 2020 MRO. All rights reserved. 5

About MRO

9/28/2020 © 2020 MRO. All rights reserved. 6

MRO Overview

9/28/2020 © 2020 MRO. All rights reserved. 7

2ndLargest Disclosure

Management Provider

#1KLAS Category Leader

for 7 Years in a Row

Company Established in 2002

Meet Today’s Speakers

9/28/2020 © 2020 MRO. All rights reserved. 8


VP, Privacy, Compliance and HIM Policy, MRO

In her role as Vice President of Privacy, Compliance and HIM Policy, Bowen ensures new

and existing client HIM policies and procedures are to code. Bowen also serves as the

company’s Privacy and Compliance Officer (PCO), assuring timely reporting of any

disclosure incident. She is also responsible for reviewing legislation to assure industry

response and compliance within MRO. Bowen has more than 40 years of experience in

Health Information Management (HIM), holding a variety of HIM director and consulting

roles. Bowen currently sits on The Sequoia Project Board of Directors and is an active

member of the American Health Information Management Association (AHIMA). She

served as AHIMA President and Board Chair, as a member of the Board of Directors for

six years, and of the Council on Certification for three years. Bowen has also served on

the AHIMA Foundation Board of Directors, serving as its Board Chair. She has been

honored with AHIMA’s Triumph Award in the mentor category; she is also the recipient of

the Distinguished Member Award from the Tennessee Health Information Management

Association (THIMA). Bowen is an established author and speaker on HIM topics and has

taught HIM studies at Chattanooga State and the University of Tennessee Memphis.

Bowen holds a Bachelor of Medical Science degree from Emory University in Atlanta, GA

with a focus in medical record administration and a Master’s degree in Health Information/

Informatics Management Technology from the College of Saint Scholastic in Duluth, MN.

9/28/2020 © 2020 MRO. All rights reserved. 9


VP, Implementation Services and Corporate Policy

As Vice President of Implementation Services for MRO, Rose oversees, and coordinates activities

related to successfully onboarding new clients to MRO’s Release of Information (ROI) platform.

She has more than 25 years of experience in Health Information Management (HIM), with

focused expertise in privacy and security. Prior to joining MRO, she served as Director of HIM

Practice Excellence for the American Health Information Management Association (AHIMA). Rose

is an active member of the American Health Information Management Association (AHIMA) and

currently serves as the Education Co-Chair of the Pennsylvania Health Information Management

Association (PHIMA). Rose is an established author and speaker on various HIM topics. She has

served as adjunct faculty and various HIM Advisory Boards. She currently serves on the

University of Pittsburgh’s and Temple University’s HIM Advisory Boards. She received her

Bachelor of Science in HIM from the University of Pittsburgh and Master’s in Health

Administration from the University of South Florida.

9/28/2020 © 2020 MRO. All rights reserved. 10


9/28/2020 © 2020 MRO. All rights reserved. 11


• Recent Action and Timelines

• By Definition

• The 8 Exceptions

• Compliance

• Implementation Planning

• HIPAA and Information Blocking

• Summary

9/28/2020 © 2020 MRO. All rights reserved. 12

Recent Actions/Timelines

9/28/2020 © 2020 MRO. All rights reserved. 13

Information Blocking to Date

• 2014 – ONC received 60 reports of potential information blocking

• 2015 • ONC report released

• Medicare Access and CHIP Reauthorization Act

• 2016 – 21st Century Cures Act signed into law

• March 4, 2019 – ONC Proposed Rule

• March 9, 2020 – CMS and ONC Final Rule

• May 1, 2020 – ONC Final Rule• Effective June 30, 2020

9/28/2020 © 2020 MRO. All rights reserved. 14


• ONC• Publication in Federal Register 5-1-2020

• Enforcement discretion for Final Rule certification (not information blocking)

• CMS• Final Rule modified from March version ADT CoP pushed out by six months

• As a result of COVID-19, and to provide additional flexibility – enforcement of 42 CFR Parts 422, 431, 438, and

457 until July 1, 2021.

• CMS finalized the Patient Access API for Qualified Health Plan (QHP) issuers on the individual market Federally-

Facilitated Exchanges (FFEs) beginning with plan years beginning on or after January 1, 2021. CMS will not

enforce the new requirements under 45 CFR Part 156 until July 1, 2021.

• Enforcement discretion – some provisions

• OIG• Proposed Rule – information blocking civil monetary penalties 4-24-2020

• Limited enforcement discretion and delayed effective date

• Comments were due 6-23-2020

9/28/2020 © 2020 MRO. All rights reserved. 15

Information Blocking Final Rule

9/28/2020 © 2020 MRO. All rights reserved. 16

By Definition§ 171.102 - § 171.103

9/28/2020 © 2020 MRO. All rights reserved. 17

What is Information Blocking?

• Information Blocking • To interfere with access, exchange, or use of electronic health information (eHI) by an

actor as defined

• EHI means: • (i) electronic protected health information (ePHI) as defined in 45 CFR 160.103 to the

extent that it would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of records are used or maintained by or for a covered entity as defined in 45 CFR 160.103, but EHI shall not include:

• (1) Psychotherapy notes as defined in 45 CFR 164.501; or

• (2) Information compiled in reasonable anticipation of, or for use in, a civil, criminal

9/28/2020 © 2020 MRO. All rights reserved. 18

What is Access, Exchange, and Use?

• Access • the ability or means necessary to make eHI available for exchange or use.

• Exchange • the ability eHI for electronic health information to be transmitted between and among

different technologies, systems, platforms, or networks.

• Use • the ability for eHI, once accessed or exchanged, to be understood and acted upon.

9/28/2020 © 2020 MRO. All rights reserved. 19

What is an Actor?

Actors must comply with the rule!

9/28/2020 © 2020 MRO. All rights reserved. 20

Balancing Patient Access and Privacy Copyright © 2020 AHIOS


9/28/2020 © 2020 MRO. All rights reserved. 21

Blocking and Enforcement Discretion: ONC

9/28/2020 © 2020 MRO. All rights reserved. 22

Requirement Effective Date

Compliance – IB, APIs, Assurances 11/2/2020

Enforcement (Delayed 3 months) 2/2/2021

Attestation (Delayed) 7/30/2021

*Per May 1 Federal Register publication

Enforcement Discretion: CMS

All other dates remain enforced.

9/28/2020 © 2020 MRO. All rights reserved. 23

Requirement OLD

Effective DateNEW

Effective Date

Patient Access API (including exchange QHPs) 1/1/2021 7/1/2021

Provider Director API 1/1/2021 7/1/2021

Condition of Participation - ADT notifications Spring 20216-12 months post final publication*

*CMS moved ADT COP from 6 months to 12 months after Final Rule publication

OIG Investigations

• Caused or could cause patient harm

• Significantly impacted a provider’s ability to provide patient care

• Persist over a long duration

• Cause financial loss to Federal health care programs, other government or private entities

• Actual knowledge by the Actor

9/28/2020 © 2020 MRO. All rights reserved. 24

Expected Focus

OIG - Violation

• Defined as a practice (each occurrence) that is “information blocking” using the definitions in ONC Final Rule

• OIG points to ONC examples of conduct that would meet definition of information blocking

• OIG 1002.1410 codifies maximum OIG penalty PER violation of regulatory language

9/28/2020 © 2020 MRO. All rights reserved. 25

OIG Examples of a Single Violation

• A health care provider notifies its health IT developer of its intent to switch to another EHR system and requests a complete electronic export of its patients’ EHI via the capability certified to in 45 CFR 170.315(b)(10). The developer refuses to export any EHI without charging a fee. The refusal to export EHI without charging this fee would constitute a single violation.

• A health IT developer (DI) connects to a health IT developer of certified health IT (D2) using a certified API. D2 decides to disable DI’s ability to exchange information using the certified API. DI requests EHI through the API for one patient of a health care provider for treatment. An automated denial of the request if a violation.

9/28/2020 © 2020 MRO. All rights reserved. 26

OIG Enforcement

• OIG investigation of information blocking will use ONC regulatory definitions and exceptions to access “ACTORS” conduct

• OIG will not bring enforcement actions for “innocent mistakes”

• Allegations to be evaluated per facts and circumstances unique to the case

9/28/2020 © 2020 MRO. All rights reserved. 27

OIG Enforcement

• The Information Blocking Final Rule identifies:• WHO is subject to the rule “ACTORS”

• WHEN blocking “exceptions” might occur

• ENFORCEMENT framework

• ONC enforces for developers of certified health IT re: certification

• OIG investigates not-provider actors subject to CMP and Provider actors subject to referral to other agencies/other “disincentives”

• OIG NPRM proposes investigative framework and basis for imposing CMPs

9/28/2020 © 2020 MRO. All rights reserved. 28

CMP Penalty Determination

• Nature and extent of information blocking

• Harm from information blocking

• Number of people affected

• Number of providers affected

• Duration of information blocking calculated as the number of days the blocking persists

9/28/2020 © 2020 MRO. All rights reserved. 29

Up to $1 Million “Per Violation”

The 8 Exceptions of Information Blocking

9/28/2020 © 2020 MRO. All rights reserved. 30

The 8 Exceptions

1. Preventing Harm

2. Privacy

3. Security

4. Infeasibility

5. Health IT Performance

6. Content and Manner

7. Fees Exception

8. Licensing

9/28/2020 © 2020 MRO. All rights reserved. 31

Implementation Planning

9/28/2020 © 2020 MRO. All rights reserved. 32

Why is Compliance Important?

• Foster culture of adherence to organizational, federal, state, and other requirements

• Ensures and enhances consistency

• Mitigate risk/financial harm

• Build and maintain trust

• Demonstrates organizational commitment

• Responsibility and Accountability

9/28/2020 © 2020 MRO. All rights reserved. 33

Information Blocking Compliance Program

• Actors subject to CMP• Healthcare Providers

• Developers of Certified Health IT

• Health Information Exchanges/Health Information Networks

• Actors not subject to CMP• Individual Providers

• Non-Actors• MRO

9/28/2020 © 2020 MRO. All rights reserved. 34

Who Needs One?

Framework for Compliance Program

1. Written standards of conduct that affirm the organization’s commitment

2. Designation of a Corporate Compliance Officer and other bodies that report directly to the CEO and governance body

3. Ongoing education and training of workforce

4. Strong complaint processa) Protects anonymity of the reporting individual (i.e. “hotline”)

b) Efficient and effective response to complaints

5. Consistent enforcement and discipline of those who break rules

6. Routine monitoring and updates to ensure effectiveness

7. Investigate and remediate systemic problems

9/28/2020 © 2020 MRO. All rights reserved. 35

Creating/Updating a Compliance Program

1. Begin with the end in mind – what is the goal?

2. Determine if your organization is an ACTOR

3. Review current program

4. Determine what modifications are needed to your program

5. Make the necessary changes

6. Implementa) Education and training

9/28/2020 © 2020 MRO. All rights reserved. 36

Creating the Project Plan

9/28/2020 © 2020 MRO. All rights reserved. 37

Define the Project and Scope

Purpose and Desired Outcome

Project Lead/Owner

Executive Sponsor

External Priorities and Other Factors

Identify the Stakeholders

Identify Committee/Resources

Identify Subject Matter Experts

Interviews and Selection

Identify External Resources

Define the Goals Set Timelines and


Evaluate Applicable Exceptions and

Needed Team Actions

Creating the Project Plan - continued

• Identify business opportunities• Enhanced “access,” “exchange,” “use” with other actors

• New ventures

• Create your risk management model/plan• Minimize risk allegations

• Identify risk mitigators• Use HIEs and Interoperability framework

• Standard interfaces, documents, APIs

• Organization’s stance to data access and automatic exchange of PHI

• Stakeholder expectation and satisfaction

9/28/2020 © 2020 MRO. All rights reserved. 38

A Closer Look

HIPAA and Information Blocking

9/28/2020 © 2020 MRO. All rights reserved. 39

HIPAA Privacy

HIPAA has not changed, ALL rules remain in tact.

HIPAA remains an authorization or directive approach (you “shall” if so authorized”)

Interoperability/Information Blocking - implies if you can share information as required (you “must” share information as required)

9/28/2020 © 2020 MRO. All rights reserved. 40

HIPAA Privacy

• Security safeguards for compliance

• Define/Update Designated Record Set (DRS)! • Consider Health Data Set

• New timeline requirement • Infeasibility – written response (including reason) within 10 days from receipt of request

9/28/2020 © 2020 MRO. All rights reserved. 41

Things to Consider

Costs and Fees

• Fees aligns with HIPAA

• Information Blocking fees not permitted• Direct eHI access to an individual

• Export eHI via certified health IT criterion (Certified EHI Export Capability)

• Export of convert data from an EHR (Exception: prior agreement to fee in writing when EHR acquired)

• Information Blocking fees permitted• Based on objective verifiable data

• Based on related costs and not being recovered by a provider or third party

• Consistently applied

9/28/2020 © 2020 MRO. All rights reserved. 42

HIPAA vs. Information Blocking


• HIPAA remains

• Read and understand the final rule

• Determine organizational need

• Create and execute project plan• Review/Update current policies and procedures

• Education and training

• Collaborate to comply

9/28/2020 © 2020 MRO. All rights reserved. 43

Thank You!

© 2020 MRO. All rights reserved. 44

Angela Rose, MHA, RHIA, CHPS, FAHIMAVice President, Implementation Services and Corporate Policy

MRO Corporation

Office: 610-994-7500 x324Twitter: @adrose1014


Rita Bowen, MA, RHIA, CHPS, CHPC, SSGBVice President, Privacy, Compliance, HIM Policy

MRO Corporation

Office: 610-994-7500 x526LinkedIn:



• ONC Final Rule: 21st Century Cures Act:

• Click “View Final Rule on the Federal Register” and click on “PDF” then scroll to page 25,956

• CMS Final Rule:

• CMS Medicare and Medicaid Promoting Interoperability Program Prevention of Information Blocking Attestation Fact Sheet:



• 21st Century Cures Act Health IT and HIM Provisions:

• Health IT provider letter to Congress:

• Sequoia Project Webinars and Publications:

• AHIOS. “Balancing Patient Access and Privacy.” 2020:

9/28/2020 © 2020 MRO. All rights reserved. 45

top related