Blog, Chirosecure Live Event April 11, 2021

21st Century CURES Act – Mike Miscoe


Disclaimer: The following is an actual transcript. We do our best to make sure the transcript is as accurate as possible, however, it may contain spelling or grammatical errors.

My name is Michael Miscoe. I’m a healthcare attorney, and I’m pleased to welcome you to this week’s edition of, uh, ChiroSecure’s Growth Without Risk. Uh, today we’re going to talk about, um, a new regulation that, uh, has generated a bit of buzz. It’s the 21st Century Cures Act regs, uh, related to, um, uh, information blocking and the access exchange and use of electronic protected health information. Now, this is different than, than the health insurance portability and accountability act. It does not modify HIPAA. It in fact, creates separate requirements, you know, additional requirements, separate and distinct from HIPAA. Uh, this regulation, uh, the final rule went into effect yesterday. Um, so if this is the first you’re hearing about it, you’re potentially a little bit behind, um, but not to be worried. Um, hopefully your, uh, electronic medical records vendor is on top of this. Um, but you do need to check and make sure that they are, uh, I want to begin by, uh, indicating that this regulation, um, applies only to electronic medical records.

So if you are, um, a practice that, uh, documents on paper, uh, you don’t care about the, uh, disincentive payment under Medicare for not adopting certified EHR. Uh, you hate computers, uh, whatever your reason is. Um, this does not really apply to you now, for those of you that are cash. I mean, completely cash practices, and therefore do not meet the definition of a covered entity under HIPAA in which HIPAA doesn’t apply, but you nonetheless document your services in electronic medical records. Um, it is very likely, uh, that, that these regulations do apply to you because as I pointed out, this is a separate, uh, an unrelated regulation to HIPAA. So the HIPAA does, and, and the cures act, uh, do two different things. I, cures act was passed in 2016. Um, under president Obama, uh, the regs are just coming out now, um, and, uh, they impose, uh, essentially requirements that preclude well that are designed to do two things.

Um, one update the certification criteria for, uh, uh, electronic health record systems. Uh, that’s done through the office of national coordinator and there’s pages and pages of information about, um, the guidance that they’re going to use. There’s 2014, 2015. You don’t really need to concern yourself with that. Um, what do need to be concerned about is that your EHR system is, is designed in such a way that it is it prevents information blocking and, uh, while I don’t want to bore you with an overly technical definition of what that means it is defined in the regulation. Um, so except as required by the law or covered by an exception, which there are exceptions in the regulation, um, it’s a practice that is likely not practices, and you have a chiropractic practice practices and, uh, an act or an omission, uh, that interferes with the access exchange or use of electronic health information. And, um, there are other requirements for, uh, health information technology developers relative to providers. Uh, if, uh, the, the regulation continues by suggesting that if, uh, the blocking practice is conducted by a healthcare provider and the provider knows that such a practice is unreasonable and likely to interfere with prevent or materially discourage access exchange, or use of health information, you got problems. And there are big fines authorized under this particular, uh, statute and accompanying regulation, um, things where you’re allowed to block as required by law, um,


Uh, pertains to, um, uh, interferences with access exchange or use that is explicitly required by state or federal law. Um, and, and the most common example of this is there are certain, um, psych records, uh, that the law, uh, explicitly protects. Um, those are allowed to be blocked, but I don’t know of any explicit bylaw protection that would apply, uh, in the chiropractic realm. Um,

Now, the act defines, um, electronic health information, which has a very similar definition to electronic protected health information that you find in the Health Insurance Portability and Accountability Act regs. And didn’t want to spend a whole lot of time on HIPAA, but just understand it’s essentially the same thing. Um, it’s, uh, the only limitation is electronic health information is EPHI or electronic protected health information defined under HIPAA that is contained in a designated record set. And I’m not even going to go into, you know, the laborious definition of what that means, but essentially when you store information in a patient file in a, in a particular format, um, that is a designated record set. If you document in a Word file on your computer, that is not a designated record set. So, um, you know, so if you have, uh, if your idea of electronic health information is you type your notes in Word, or you dictate them in, in a Word document through Dragon or something like that, that’s not a designated record set.

Uh, and you don’t have to worry now critical to information blocking is understanding terms that I’ve used several times. Um, and, and you need to know what they mean, and those are access exchange and use access means the ability or means necessary to make electronic health information available for exchange or use. So we’re going to have to define those terms again, and I hate when they use defined terms in a defined term, but because now you’ve got to understand all three to understand what access means. Um, but, um, you have to a patient, for example, or another provider has to have free access, uh, to your, your health, uh, your electronic health information. That doesn’t mean, um, unrestricted. It just means they have to be able to get to it so you can have reasonable safeguards to prevent inappropriate disclosure. Uh, but for example, uh, through a patient portal, uh, a patient has to be able to access their electronic health record, uh, or, um, they can authorize someone else to access it on their behalf.

And that’s where things kind of get tricky with HIPAA, where you’re talking about TPO, treatment, payment, healthcare operations disclosures, for which an acknowledgment is necessary, uh, is all that’s necessary versus non-TPO disclosures for which an authorization is necessary when you have to delineate is the patient, you know, accessing the information or is a third party accessing the information, um, based upon the authorization of the patient. So it gets a little tricky. So there is some, uh, HIPAA and Cures Act overlap that you have to work out in your mind. So if it’s been a while since you’ve analyzed your obligations under HIPAA, relative to TPO and non-TPO disclosures, uh, TPO again, meaning treatment that’s information that you share among providers. So if you get a request for information from another provider, you don’t need an authorization, they shouldn’t be asking for one from you.

Um, and to the extent that you have both have electronic systems, and that request, uh, is an electronic request for information, uh, based on the portability, uh, components of HIPAA, um, you don’t need, if you were trying to stop that, be requesting, requiring an authorization, that would be, that would potentially constitute information blocking because a HIPAA doesn’t require an op uh, an authorization for a treatment disclosure payment and healthcare operation payment is what allows you to send claims, uh, to an insurance company. Um, and you only need the patient’s acknowledgement of your notice of privacy practices, uh, specifically acknowledgement of quote, unquote, air quotes, receipt of your notice of privacy practices. It can be posted on your website, you can print it out and give it to them. Uh, but they, they have to have the opportunity to review that somehow that is what is what constitutes receipt or your good faith attempt to obtain their receipts.

So if you’ve got a patient, I don’t want to sign anything. Um, uh, let’s say it was a PI patient, whatever, and I’m not signing anything. Uh, that’s fine. You document a good faith attempt and you have the acknowledgement you need for TPO disclosures. The O in TPO is healthcare operations. That’s when insurance companies request records either for a prepayment audit, post-payment audit, a utilization review, things of that nature, uh, information that you share for, uh, pre-certs. Um, those would all be, uh, pre-certs would potentially be a payment as well, but, um, those are, uh, requests that come from an insurance company. So those are TPO disclosures, non-TPO for that access you would have to have. So if the request came from, um, someone other than the patient, uh, you would need, uh, the patient’s authorization to disclose that information, if that someone wasn’t a health plan or a, another provider. Exchange means the ability for EHI to be transmitted between and among different technologies, systems, platforms, or networks.

So, and this is where your, your EMR vendor becomes, you know, significantly critical, um, in so far as you have certified EHR, um, then that system has to be capable of freely exchanging this information in an electronic form that is readable by another persons, uh, electronic medical record system. And we’ll get into some examples of, you know, what is, or might not, or what might be, or might not be information blocking to help flush out some of these definitions. But, um, uh, let’s just get through them for now use means the ability for electronic health information once accessed or exchange to be understood and acted upon. So if you were to send, um, electronic health information, uh, in a electronic format that the recipient couldn’t read, uh, then, um, that would be problematic. That would be information blocking understood is defined by the office of national coordinator to encompass the, as encompassing the ability to comprehend various features such as structure, content, and meaning of the information, but it is not intended to mean that the person is going to understand the, the clinical significance or relevance of the information.

So if you’re popping out diagnosis codes or, uh, test results, and the patient doesn’t understand, let’s say it’s going to the patient and they don’t understand what that stuff means that does not, uh, constitute information blocking. That’s just one of those things. You got to go to doctor school and learn, uh, or look it up on Google. Um, so you’re not obligated to explain the clinical significance of the information for the patient, but they have to be able to be, uh, to, to read it. Um, so, uh, there is a definition of use under the, uh, uh, HIPAA privacy rule, uh, at section one 62, one Oh three, um, ONC considered using that, uh, for consistency, but rejected it, uh, because, uh, the one that they chose, uh, was a little more suitable, uh, for their information blocking rules. Now, there’s, there’s a number of, uh, things where information, um, you know, is appropriately access used or exchanged.

Um, and, and that’s what this rule is intended to promote. So sometimes if you understand what they’re trying to do with this rule, it makes it a little bit easier to understand what you might have to do to comply with it, to the extent that you do my guess is, is that many of you are going to call your EMR vendors and say, okay, here’s this new rule. Um, does your system comply? Um, and how, how can I be certain of that? Uh, I wouldn’t take it on faith at saying, Oh yeah, we’re cool with, uh, you know, uh, 21st Century Cures Act, don’t worry. Uh, and then a patient, you know, tries to get information they can’t. Um, so you’re going to need to know a little bit about the rule to validate whether your, your system actually is in compliance or not, uh, because that is your obligation to ensure that it is, um, so I would not necessarily take your EMR vendor’s word for it, have them walk you through it.

Um, you know, how does a patient get access? How would another provider get access? How do we, you know, exchange information? How does that process work? What does this information look like when we exchange it? Uh, so that you’re certain that, um, you’re not likely to be challenged as an information blocker. So, um, the, uh, um, so if you’re in compliance with the rule, you would be able to provide patients with access to their EHI that’s electronic health information, as well as the ability to exchange and use it without special effort. And this is where things get a little tricky. I mean, of course, under HIPAA, the patient has a Supreme, right, to not only obtain access, uh, download obtained copies of their own protected health information. They’re also free to do whatever they want with it. So if a patient obtains their, their records and they decide to publish them in the New York times, totally fine.

Now you can’t do that, but they can, they can do with their records, whatever they want. Um, but you have to provide them with the ability, uh, to exchange and use their information without any special effort. Now, special effort gets a little dicey. I mean, you know, might they need some training or something about how to use a patient portal to access their records? Uh, yeah, they might. Um, but, um, that wouldn’t necessarily be considered special effort. Um, they wouldn’t have to hire a programmer to say, for example, you know, recompile information or, or get any special tools, uh, get a license from your EMR vendor to read the information, uh, that would be special effort. Um, you also need to ensure that healthcare providers, uh, caregivers, other authorized persons have the EHI they need when and where they need it to make treatment decisions and effectively coordinate, manage patient care, um, and can use the EHI they receive, uh, from you, uh, as well as other sources.

Similarly, as healthcare providers, you have the, should have the ability to access and review records. So the patient had an MRI. You should be able to get online and get that information freely, uh, and without restriction, um, you want to get records from their family practice doc, you should be able to get online and do that. That’s what this is designed to do. Um, ensure that healthcare providers can access exchange, use EHI for quality improvement, population, health management activities. I don’t know how much of that you’re going to do, but you’re supposed to be able to, you’re supposed to be able to ensure that payers and other entities that purchase health care services can obtain the information they need to effectively assess clinical value and promote transparency concerning the quality and cost of healthcare services. Now, this is where things get a little dicey, because now we’re mixing a couple of concepts.

Um, they need to have access. And the question comes, you know, when does that right of access, and this is where these rules are a little fuzzy and cause me significant concern because being in the post-payment business, um, we deal with requests for information from payers, very cautiously one, okay. HIPAA has a requirement that they’re only authorized, uh, you know, to receive a limited data set. And you have to determine how to limit the data set under your obligations under the minimum necessary disclosure rule. And that assumes of course, that you have a legal duty to provide the records in the first place. My concern is, is that, you know, when a non-par payer okay. Requests records. Okay. Um, and, or, uh, you’re, non-participating, you have no contract, no obligation to, uh, participate in their post-payment utilization review efforts, and normally re we resist the documentation requests, uh, on, on that basis.

Uh, HIPAA may permit you to disclose that information, assuming that they’ve stated the purpose of their requests, you can meet your obligations on the minimum necessary disclosure rule and all of that stuff. This rule suggests that they should have free access to do a magical mystery tour in your system relative to services that they’ve paid for. Uh, and that creates some pretty significant challenges because now you’re going to have to, in theory, create pathways to any third party payer, uh, for any third-party payer that you submit claims to so that they can access the EHI relative to those claims in this rule. Um, and I have to spend more time studying, um, is jumping out and telling me the win or the timing that this right of access exists. So, um, we may have to do a up on this, uh, but, uh, this is one of the more troubling aspects of this rule, um, because if we block them off, because we have no legal duty to provide that information after payment was made, even before payment is made, you could say, Hey, you know, we’re, we’re strumming this claim on behalf of the beneficiary, you know, and make your payment decision.

You’d want records. We’re not sending them well, that may be considered information blocking, uh, where your records are stored electronically. So if you’re running a cash practice, this is a really good reason, um, or your non-par provider, uh, and don’t want to, um, become subject to this. Uh, any allegations of information blocking now would probably be a really good time to go back to paper. And I’m not suggesting you necessarily dump your EMR system, but this is going to create obligations for you that may compromise I’s, uh, our ability, um, to resist post-payment audit efforts in cases where you’re non-participating, if you’re a cash practice and you don’t submit any claims, of course, that issue is not going to arise. Um, you have to support access and exchange of EHI for patient safety and public health purposes, um, practices that increase the cost, difficulty, or other burden of accessing, exchanging, using EHI for these purposes will almost always implicate the information blocking rule.

Now, this is potentially horrifying because this suggests that the government, you know, should have free access to all of your healthcare records for patient safety and public health purposes. Um, I don’t know what those purposes are, uh, contact tracing, you know, who owns guns. I have no clue what they want to do with this. Um, but anytime you’ve got the government snooping around in your records that, you know, it gives me cause, uh, for, for concern, um, fees charged, uh, by actors, which would be you to assess exchange or use their EHI is inherently suspect as constituting information blocking. So, um, you know, it’s generally recommended that you not charge. Okay. So that’s, uh, kind of like what they hope the rule is going to do. Uh, they do outline, um, throughout their comments, some things that are likely to interfere formal restrictions, such as, uh, licenses or contract terms, sharing power policies, intellectual property, or other rights, uh, as well as informal restrictions, uh, uh, that, um, cause you to, uh, refuse to exchange or facilitate access, um, is likely going to be a violation.

And again, I bring up the commercial payer wants to do a, a utilization review on services. They paid, they have no contractual right to do it. We have legal defenses to stop them from ever recouping, but this suggests that if you have EHI and you resist that request, that’s likely to be a violation and they can come after us and force disclosure, uh, under this Cures Act regulation, limiting, or restricting interoperability of health IT, such as disabling or restricting use of a capability that permits users to share EHI with other systems or configuring technology. So that types of data that may be exported or used is limited except as required by law. So, you know, if you were a psychologist or a psychiatrist, and there are certain information that you needed to block from being accessed fine, uh, that that would be a restriction. There are some other exceptions, um, I’m not sure we’ll have time to go through them all.

Uh, but, um, think about this. I mean, in theory, uh, you have to create these portals or these, you know, uh, the ability to export this data. You need to pretty much export everything. Well, think about, let’s say you have, uh, an insurance company wanting to access EHI and your EHI contains records associated with services that the patient paid entirely cash for, and for which the patient required, uh, signed a restriction on uses and disclosures. So, you know, this concept is the interplay between HIPAA and the cures act is going to create some conflict. And, and I don’t have an answer yet, um, on how that’s going to be resolved. We’ll have to see how that plays out, impeding innovation and advancement, such as exclusionary, discriminatory, other practices that impede development dissemination. These are things that, that an EHR vendor would do, uh, to protect their quote unquote retire, proprietary databases.

I mean, if the government truly wanted to, um, enforce interoperability and data sharing among EHR systems, they should’ve come up with a standard, uh, dataset so that every EHR system operated out of the same database, they did not do that. And there are export formats like HL7 and a number of other, uh, things that allow in theory allow data to move between systems. Uh, those don’t always work very well if you’ve ever been through a, um, uh, a software change, whether it a billing software EMR, and of course you want, uh, you know, the, the new vendor to migrate your old data, even if they agree to do it, it never turns out right. It’s always a disaster. And similarly information sharing does not work very well unless it’s, you know, between the same systems, this is probably gonna force EHR vendors to go back and retool.

You’re probably gonna see updates, um, that they’re gonna make you buy. Uh, so, uh, I would not, not that I’m beating up on software vendors, I used to be one. Uh, but if, if you haven’t gotten an alert that you need a new update and the cost is X, uh, you don’t have support, you need to get supports. You know, I mean, this is going to be, uh, an income opportunity for EHR vendors, but not because they’re being jerks, but because they have to comply with this, uh, opportunistic pricing practices, rent seeking artificially increase in cost of act, uh, inexpensive access or exchange or use the HII. Um, that’s probably not going to hit you, but, um, again, EHR vendors, licensing fees, things of that nature. Um, they need to be cautious in that regard. Um, there, there are some others that, that aren’t going to apply to you, but I’ve highlighted some of the ones that give me, uh, the biggest cause for concern.

Um, we’re almost 30 minutes in and, uh, uh, I’ve covered, uh, most of what I wanted to cover. Just, I want to address two exception or, um, there are two types of exceptions, those, uh, that apply to when you’re not fulfilling requests and, and ones for those that do the most important one is the patient or preventing harm exception. Uh, this allows for reasonable necessary practices to prevent harm to a patient or other person, uh, subject to certain conditions. And you have to have a reasonable basis, uh, that the practice meaning the restrictive practice in terms of not releasing or blocking access, uh, will prevent harm to another patient or another person. Uh, that belief must be reasonable. You have to do a risk analysis, um, and, and document heavily there is going to be, um, a lot more, uh, that is no doubt going to be published by all kinds of people about this. But, um, think about, um, reviewing your understanding of HIPAA, um, you know, think about the interplay between HIPAA and the cures act. I’ve alerted you to a couple of issues that, that are given me some angst and frustration, contact your EHR vendor, have them walk you through, how does a patient get access? How does another provider get access? How would a health plan get access? And we’ll see how that starts shaking out, and then watch to see if you get any of these requests. I mean, um,

This they’re creating this ability. Um, it remains to be seen how well they educate, especially your patient population as to their ability to access their own information in the medical world. Patient portals are pretty common. I don’t know that that is the case, uh, in the chiropractic or PT world. Um, but look to your systems, talk to your vendors, uh, and come up with a plan, uh, for how you’re going to comply. Um, that’s all we have time for today. Next week. Uh, Dr. Janice Hughes will be here. I’m sure she’s going to have something very exciting to talk about. Thanks for your attention. Sorry. This went a little long, but it’s a big topic. Everybody have a great rest of your day.