• New Rules for HIPAA Privacy and 42 CFR Part 2.
  • OCR Bulletin re: online tracking technologies causes headaches for HIPAA covered entities and business associates. Is OCR enforcement underway?
  • As Health IT vendors inch towards FHIR standards, Information Blocking remains a hot topic.
  • Payors see new replacement Proposed Rule for advancing interoperability and prior authorization processes.
  • Stakeholders continue to watch TEFCA. 

Subscribe HERE to Legal HIE’s compliance library to gain access to sample policies, documents and tools to help you stay on top of the newest compliance challenges in 2023!

The New Year is finally here, and I believe that there will be a LOT going on in 2023!  Here are just a few of the things that we are staying on top of for our readers this year:

  • HIPAA Privacy Rule Amendments. On January 21st, it will be two whole years since OCR published its “Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement.” Less than two months later, on March 10, 2021, OCR extended the comment period to its proposed rule to May 6, 2021.  Since then, it’s been, well … *crickets*.  Many were expecting to see a Final Rule in 2022 (including me), but as December came and went, no new rule emerged. Yet, removing barriers to an individual’s ability to access and control his/her ePHI continues to be a top goal for OCR, and FHIR APIs will accelerate patient information access & exchange in 2023 — so, I believe that the need to finalize this rule will become increasingly urgent in 2023. For these reasons, I fully expect to see either a Final Rule or replacement proposed rule this year.
  • 42 C.F.R. Part 2. A new Proposed Rule amending Part 2 is moving us closer to a Final Rule which will, among other things, align Part 2 with HIPAA in critical ways. Federal law governing substance abuse records has changed a LOT over the last few years. New amendments to the 42 C.F.R. Part 2 regulations were adopted in 2017, 2018, and then again in 2020! However, try as they might, SAMHSA’s authority to adequately revamp the Part 2 regulations for a new world involving EHRs, HIEs/HINs, mobile apps, and care coordination was limited by the scope of statutory authority granted to it over 45 years ago. Then, in March of 2020, Congress passed the CARES Act which amended the underlying enabling federal statute 42 U.S.C. 290dd-2 for the first time since 1975 and attempted to better align Part 2 and HIPAA’s standards. On December 2, 2022, SAMHSA finally fulfilled its duty under the CARES Act and published a Proposed Rule “Confidentiality of Substance Use Disorder (SUD) Patient Records” amending the Part 2 rules in line with the CARES Act’s requirements. The deadline to submit public comments to the Proposed Rule is January 31, 2023. Hopefully, we will see a Final Rule adopting these changes by the end of 2023.
  • OCR Guidance re: Online Tracking Technologies; Is OCR Enforcement already Underway? On December 1, 2022, OCR issued a guidance Bulletin “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” and gave covered entities and business associates the gift of a BIG headache for the holidays. Although the Bulletin is neutral in its discussion of “tracking technologies” and “tracking technology vendors,” it was undoubtedly spurred by the Meta/Facebook and Google Analytics fiasco that now has numerous hospitals and health care systems named as defendants in class action lawsuits. Among other things, the plaintiffs allege that hospitals/systems either enabled or did not prevent online tracking technologies, which were installed on their websites or patient portals, from collecting identifiable information about patients and disclosing such data to third-party vendors without consent and in violation of state privacy and consumer protection laws. Now that OCR has officially thrown its hat into this ring with its guidance Bulletin, covered entities and business associates will not only have to worry about being potentially named in such class action lawsuits, but also about receiving a letter from OCR for a HIPAA compliance review concerning these issues (and, the word on the street is that such reviews are already underway). See our prior December post for steps to consider taking in order to mitigate this new compliance risk.
  • CURES Act & Information Blocking. As of December 31, 2022, Vendors of Certified Health IT are now required to make available new HL7 FHIR API capability and other CURES update criteria. As of October 6, 2022, the Information Blocking Rule Content Exception for data falling outside of the USCDI subset is no longer at play. Now, ALL Electronic Health Information is subject to prohibited Information Blocking practices by Actors. HealthIT.gov highlights in its December 28, 2022 News & Updates that “FHIR APIs will Accelerate Patient Information Access in 2023.” In addition, by the end of this year (December 31, 2023), vendors of Certified Health IT must make EHI export capability available. ONC has also reaffirmed that it supports adoption and implementation of bulk data APIs. What does this all mean? In short, electronic health data is going to be requested and exchanged in unprecedented ways this year, making compliance with Information Blocking and HIPAA Privacy & Security Rules an ongoing challenge.
  • NEW Proposed Rule for Payors. CMS published a new Proposed Rule on December 13, 2022, which withdraws and replaces its previous proposed rule, published in December 2020, and addresses public comments received on that proposed rule. The new proposed requirements would generally apply to Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) agencies, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs), promoting alignment across coverage types. The rule addresses challenges with the prior authorization process faced by providers and patients, and proposes requiring implementation of an HL7 FHIR standard API to support electronic prior authorization. The new rule also proposes enabling improved access to health data by expanding current Patient Access in several ways. For a summary, see the CMS Press Release. The deadline to submit public comments to this new Proposed Rule is March 13, 2023.
  • TEFCA. On December 22, 2022, HealthIT.gov posted in its News & Updates that, according to National Coordinator for Health IT, Micky Tripathi, “health information networks expect rollout of trusted data exchange this year.” ONC notes that a couple of networks are already “live” and hopes are that the first group (among 12 entities that submitted letters of intent) will be officially designated QHINs in early 2023. But whether stakeholders will rush to “sign up” to become a party to the TEFCA remains to be seen. After years of slogging through two iterations of the DURSA and similar “trust arrangements” at local and regional levels, many are having feelings of déjà vu (if not a touch of PTSD at the thought of onboarding to yet another HIN). So, without first seeing additional concrete carrots (or sticks) from ONC, CMS or some other source, many are likely going to take a “wait and see” approach to see if the time, effort and investment of resources to “get connected” to yet another health information network makes sense for them.