The HHS will be exercising enforcement discretion in relation to compliance with the new interoperability and information sharing rules that were finalized and issued by the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health IT (ONC) on March 9, 2020.

The decision to delay enforcement is due to the COVID-19 pandemic. The CMS, ONC, and HHS’ Office of Inspector General (OIG) believe that during a pandemic of the magnitude of COVID-19, healthcare organizations need to be given some flexibility complying with the new interoperability and information sharing rules.

The dates for compliance with the new rules remain unchanged, although both agencies will be exercising enforcement discretion to allow healthcare organizations to continue to focus their efforts on addressing the COVID-19 pandemic.

“ONC remains committed to ensuring that patients and providers can access electronic health information, when and where it matters most. During this critical time, we understand that resources need to be focused on fighting the COVID-19 pandemic,” said Donald Rucker, MD, National Coordinator for Health Information Technology. “To support that important work and the information sharing efforts we are already seeing, ONC intends to exercise enforcement discretion for 3 months at the end of certain ONC Health IT Certification Program compliance dates associated with the ONC Cures Act Final Rule to provide flexibility while ensuring the goals of the rule remain on track.”

The compliance dates and ONC’s enforcement discretion dates and timeframes can be viewed on this link.

The CMS is giving healthcare organizations an additional 6 months to comply with its rule. “Now more than ever, patients need secure access to their healthcare data. Hospitals should be doing everything in their power to ensure that patients get appropriate follow-up care,” said CMS Administrator, Seema Verma. “Nevertheless, in a pandemic of this magnitude, flexibility is paramount for a healthcare system under siege by COVID-19. Our action today will provide hospitals an additional 6 months to implement the new requirements.”

The CMS, ONC, and OIG will continue to monitor the implementation landscape to determine if any further action is needed.

The post HHS Delays Enforcement of New Interoperability and Information Sharing Rules appeared first on HIPAA Journal.

On Tuesday, the HHS’ Office of inspector General (OIG) proposed a rule that amends civil monetary penalty rules to also cover information blocking.

“When implemented, the new CMPs for information blocking will be an important tool to ensure program integrity and the promised benefits of technology and data,” said Christi A. Grimm, OIG Principal Deputy Inspector General.

OIG understands that during the COVID-19 public health emergency, healthcare organizations are focused on providing treatment and follow-up care to patients. OIG is fulfilling its obligations by publishing the new rule but is also trying to be as flexible as possible to minimize the burden on healthcare organizations on the front line dealing with the COVID-19 pandemic. OIG is seeking comment from healthcare organizations and industry stakeholders on when information blocking enforcement should begin.

OIG explained that all entities and individuals required to comply with the new information blocking regulations will be given time to achieve compliance before enforcement begins. OIG has proposed the earliest date for enforcement is the compliance date of the ONC Final Rule published on March 9, 2020 but has proposed a 60-day delay to enforcement due to the COVID-19 pandemic.

The proposed rule does not introduce any new requirements concerning information blocking, instead OIG will be incorporating the regulations published by the National Coordinator for Health Information Technology (ONC) in March, and will be using that rule as the basis for enforcing information blocking CMPs.

OIG said civil monetary penalties will only be imposed on entities and individuals when there have been intentional information blocking violations. OIG will not impose civil monetary penalties on entities and individuals in cases where innocent mistakes have been made. In order to determine intent, OIG will work closely with both the ONC and the HHS’ Office for Civil Rights. The proposed rule also explains the basis for determining whether there have been single or multiple violations of information blocking provisions of the ONC rule.

ONC explained that it will prioritize investigations where conduct has or has potential to cause harm, when information blocking has significantly impacted a provider’s ability to provide care for patients, cases involving information blocking over a long period of time, deliberate information blocking, and when conduct has caused financial loss to Federal healthcare programs or other government or private entities.

The proposed rule also makes changes in two other areas. There are new authorities for civil monetary penalties, assessments, and exclusions related to HHS grants, contracts and other agreements in relation to fraud, and the maximum penalties for certain violations will be increased in accordance with changes made by the Bipartisan Budget Act of 2018.

The OIG proposed rule has been published in the federal register and can be viewed on this link. Comments on proposed rule will be accepted for 60 days from the date of publication in the federal register.

The post HHS’ Office of Inspector General Proposes Rule for Civil Monetary Penalties for Information Blocking appeared first on HIPAA Journal.

The HHS has a further Notice of Enforcement Discretion covering healthcare providers and business associates that participate in the operation of COVID-19 community-based testing sites.

Under the terms of the Notice of Enforcement discretion, the HHS will not impose sanctions and penalties in connection with good faith participation in the operation of COVID-19 community-based testing sites. The Notice of Enforcement discretion is retroactive to March 13, 2020 and will continue for the duration of the COVID-19 public health emergency or until the Secretary of the HHS declares the public health emergency is over.

The purpose of the notification is to help pharmacies, other healthcare providers, and their business associates to provide COVID-19 testing services and specimen collection at dedicated walk-up or drive through facilities, without risking a financial penalty for noncompliance with HIPAA Rules.

While the Notice of Enforcement Discretion has been issued, the HHS’ Office for Civil Rights is encouraging covered entities and their business associates to ensure reasonable safeguards are implemented to protect the privacy of users of the service and prevent the accidental exposure or disclosure of PHI to unauthorized individuals.

Privacy controls such as canopies and barriers should be used to separate the testing area to protect the privacy of users of the service and there should be a buffer zone to prevent members of the public from observing individuals being tested.

Social distancing measures need to be implemented to reduce the risk of transmission of SARS-CoV-2. A distance of at least 6 feet should be maintained between patients. These social distancing will help to ensure conversations between a patient and CBTS staff cannot be overheard. OCR also recommends posting signs prohibiting filming at testing facilities.

A Notice of Privacy Practices should also be posted in a place where it can be easily read by visitors. The NPP should also be published online, with information included in the printed notice explaining how the NPP can be viewed online.

Uses and disclosures of PHI should be limited to the minimum necessary amount to achieve the purpose for which the information is disclosed, other than when disclosing PHI for treatment purposes.

You can view the Notice of Enforcement Discretion on this link.

The post HIPAA Penalties Waived for Good Faith Operation of COVID-19 Community-Based Testing Sites appeared first on HIPAA Journal.

On April 2, 2020, the Department of Health and Human Services announced that with immediate effect, it will be exercising enforcement discretion and will not impose sanctions or financial penalties against healthcare providers or their business associates for good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities for the duration of the COVID-19 public health emergency, or until the Secretary of the HHS declares the public health emergency no longer exists.

The Notice of Enforcement Discretion was issued to support Federal public health authorities and health oversight agencies such as the Centers for Medicare and Medicaid Services (CMS), the Centers for Disease Control and Prevention (CMS), state and local health departments, and other emergency operation centers that require timely access to COVID-19 related data.

While disclosures of PHI by HIPAA-covered entities for public health and health oversight purposes are permitted under the HIPAA Privacy Rule, currently business associates of HIPAA covered entities are only permitted to disclose PHI for public health and health oversight purposes if it is specifically stated that they can do so in their business associate agreement with a HIPAA covered entity. Without the Notice of Enforcement discretion, business associates could face financial penalties for disclosures of PHI for public health and health oversight purposes.

The Notice of Enforcement Discretion applies to the HIPAA Privacy Rule Provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), 45 CFR 164.504(e)(1) and (5) but only for a good faith use or disclosure of PHI for public health activities by a business associate for public health activities consistent with 45 CFR 164.512(b), or health oversight activities consistent with 45 CFR 164.512(d). The business associate must inform the covered entity about the use of disclosure no later than 10 calendar days after the use or disclosure occurred.

The Notice of Enforcement Discretion does not apply to any other provisions of HIPAA Rules and the HIPAA Security Rule remains in effect. Should PHI be disclosed to a public health authority or health oversight agency, the business associate must ensure the requirements of the HIPAA Security Rule are met and reasonable safeguards are implemented to ensure the confidentiality, integrity, and availability of ePHI and that the information is transmitted in a secure manner.

“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” explained OCR Director, Roger Severino. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

You can view the OCR Notice of Enforcement Discretion on this link.

The post OCR Issues Notice of Enforcement Discretion to Allow Business Associates to Disclose PHI for COVID-19 Public Health and Health Oversight Activities appeared first on HIPAA Journal.

The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) has announced a set of sweeping regulatory changes and waivers to give healthcare providers maximum flexibility to treat patients during the 2019 Novel Coronavirus pandemic. The new changes will allow healthcare providers to act as healthcare delivery coordinators in their areas.

The temporarily changes will ease restrictions are intended to create hospitals without walls, which will make it easier for hospitals and health systems to cope with an expected massive increase in COVID-19 patients over the coming weeks.

Under normal circumstances, federal restrictions require hospitals to provide medical services within their existing facilities, but this will cease to be possible as patient numbers increase. As the number of COVID-19 cases grow, hospitals will soon reach capacity. If they do not develop additional sites to provide treatment to patients, they will be overwhelmed.

To ensure all patients can receive treatment and no one is left behind, the CMS has relaxed restrictions and has issued temporary new rules that will allow treatment to be provided in other locations. Many ambulatory surgery centers have taken the decision to cancel elective procedures during the public health emergency. Hospitals and health systems would be permitted to use those locations along with inpatient rehabilitation hospitals, and even hotels and dormitories, and would still be eligible to receive reimbursement for services under Medicare. The new locations could be used to provide medical services to non-COVID-19 patients to free up inpatient beds for COVID-19 patients that require intensive care and respirators.

The CMS explained that ambulatory surgery centers have two options. They can either contract with local healthcare systems to provide services on behalf of the hospital or they can enroll and bill CMS as hospitals during the public health emergency declaration, provided that is not in conflict with their State’s Emergency Preparedness or Pandemic Plan. Healthcare providers will not be permitted to operate outside of organized plans at the local level.

To further increase capacity, the CMS has issued a waiver that will allow doctor-owned hospitals to increase the number of beds without facing sanctions. Hospitals are permitted to set up drive-through screening centers for COVID-19, use off-campus testing sites, and coverage will be given to laboratory technicians who need to travel to a Medicare beneficiary’s home to collect samples to perform COVID-19 testing. CMS will be providing additional reimbursement for ambulances, which are likely to be required to transfer patients between healthcare facilities and doctor’s surgeries to ensure they receive the treatment they need. Medicare coverage for respiratory-related devices and equipment has now been extended to cover any medical reason.

Changes have also been made to facilitate the rapid expansion of the healthcare workforce. These changes include making it easier for providers to enroll in Medicare and allowing teaching hospitals to have medical residents provide services under the supervision of a teaching physician. The CMS has also issued a blanket waiver to allow hospitals to provide more benefits to support their medical staff, including multiple daily meals, laundry service for personal clothing, or child care services while the physicians and other staff are at the hospital providing patient care.

Changes have also been made to ease the administration burden on healthcare providers with the CMS putting patients above paperwork by eliminating paperwork requirements to ensure that clinicians can spend more time treating patients.

The CMS has previously announced that there is additional flexibility for the provision of telehealth services, with reimbursement now being provided for all Medicare beneficiaries in all areas. Coverage is now included for more than 80 additional services provided through telehealth, as long as those services are provided by clinicians allowed to provide telehealth services.

These new changes and waivers are only temporary and will last for the duration of the national public health emergency for COVID-19, after which the CMS will evaluate how best to return to the current system.

The post CMS Announces Sweeping Regulatory Changes in Response to Surge in COVID-19 Patients appeared first on HIPAA Journal.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has issued further guidance on HIPAA and COVID-19, the disease caused by the 2019 Novel Coronavirus, SARS-CoV-2. The new guidance document provides examples of allowable disclosures of protected health information (PHI) by covered entities under the HIPAA Privacy Rule to help make sure first responders and others receive PHI about individuals exposed to SARS-CoV-2 or displaying symptoms of COVID-19.

The new guidance document is in Q&A form and explains when covered entities are permitted to disclose PHI such as names and other identifying information to first responders, law enforcement officers, paramedics, and public health authorities without first obtaining a HIPAA authorization.

The document confirms that under the HIPAA Privacy Rule, disclosures of PHI are permitted when the information is required to provide treatment, when a disclosure is required by law, when first responders such as paramedics are at risk of contracting COVID-19 and need information to prevent infection, and when a disclosure could prevent or lessen a serious and imminent threat.

OCR also confirms that a disclosure of PHI is permitted when responding to a request for PHI from a correctional institution or law enforcement official in lawful custody of an inmate or other individual, and PHI is required in order to provide healthcare services to the individual, to ensure the health and safety of the individual or others in the institution, those required to transport the individual, and when PHI is required to maintain safety, security, and good order in a correctional institution.

OCR explains that a hospital is permitted to provide a list of names and addresses of all individuals known to have tested positive for COVID-19 to an EMS dispatch for use on a per-call basis. That information can then be used to ensure that any personnel responding to an emergency at the patient’s location knows they must take extra precautions to ensure their own safety, such as wearing personal protective equipment (PPE).

911 call center staff may ask for information about a patient’s symptoms in order to determine whether there is a risk they have been infected with SARS-CoV-2. Information may then be passed to law enforcement officers and others responding to an incident at the person’s location to ensure they take steps to protect themselves.

In all cases, a covered entity must make reasonable efforts to limit the disclosed information to the minimum amount necessary to accomplish the purpose for the disclosure.

“Our nation needs our first responders like never before and we must do all we can to assure their safety while they assure the safety of others,” said Roger Severino, OCR Director. “This guidance helps ensure first responders will have greater access to real time infection information to help keep them and the public safe.”

The guidance document – COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities – can be found on the HHS website on this link (PDF).

The post OCR Issues Guidance on Allowable Disclosures of PHI to First Responders During the COVID-19 Crisis appeared first on HIPAA Journal.