HHS Adds New Teeth to Information Blocking Law for Health Care Providers

by Margaret Young Levi, Kathie McDonald-McClure, and Drayden Burton (Wyatt Summer Associate)

On July 1, 2024, the U.S. Department of Health and Human Services (HHS) published a final rule entitled “21st Century Cures Act: Establishment of Disincentives for Health Care Providers That Have Committed Information Blocking,” 89 Fed. Reg. 54662 (Final Rule) establishing “disincentives” for health care providers who commit information blocking. Importantly, the 21st Century Cures Act explicitly delegated the authority to HHS to establish “appropriate disincentives” for information blocking through notice and comment rulemaking. 42 U.S. Code § 300jj–52(b)(2)(B). Previously, on October 23, 2023, HHS published its proposed rule seeking comments on the proposed appropriate disincentives (Proposed Rule).

In general, “information blocking” means knowingly and unreasonably interfering with, preventing, or materially discouraging the access, exchange, or use of “electronic health information” (EHI) unless such blocking is required by law or permitted by regulatory exceptions. To learn more about information blocking and the permitted exceptions, see our article “Information Blocking Rule Effective April 5, 2021: Are Providers Ready?,” which provides an overview of the Rule’s key elements and requirements. The prohibition on information blocking went into effect on April 5, 2021, but until now did not contain any penalties for health care providers who engage in information blocking.  Previously, on June 27, 2023, the HHS Office of Inspector General (HHS-OIG) established civil monetary penalties of up to $1 million per information blocking violation by developers of certified health information technology and for health information networks (HINs) and health information exchanges (HIEs).  (88 Federal Register 42820).

This Final Rule adds some teeth, aiming to ensure that individuals and their health care providers always have access to the individual’s health information.  Some of the comments that HHS had received to its Proposed Rule supported disincentives that incentivize an exchange of EHI across care settings on the basis that this will lead to better patient outcomes. In issuing its Final Rule HHS stated, “When health information can be appropriately accessed and exchanged, care is more coordinated and efficient, allowing the health care system to better serve patients.”

The “Disincentives”

The Final Rule establishes certain “disincentives” for several categories of health care providers that HHS-OIG finds to have engaged in activities that interfere with or prevent access to EHI that constitute information blocking. These disincentives are as follows:


Can blockchain technology solve healthcare IT security and interoperability challenges?

On March 20-21, 2017, multiple healthcare technology companies came together in Washington, D.C. to host The Healthcare Blockchain Summit.  Blockchain, the technology that underpins bitcoin technology, keeps data secure in a “distributed, encrypted ledger” while allowing control over who can access that ledger.  This is the hottest technology being discussed today as a way to secure confidential or sensitive data.

The on-line technology publication, Wired, describes blockchain’s security method in a February 1, 2017 article as follows: “Rather than having one central administrator that acts as a gatekeeper to data—a list of digital transactions—there’s one shared ledger, but it’s spread across a

Kathie McDonald-McClure to present at Health Enterprises Network/HIMSS event on HIPAA in integrated healthcare

Kathie McDonald-McClure, member of Wyatt’s Data Privacy & Security and Health Care Service Teams, will be speaking at an event presented by the Health Enterprises Network and Bluegrass Healthcare Information and Management Systems Society (Bluegrass HIMSS) entitled, “Whose Data Is It Anyway?” Ms. McDonald-McClure will share strategies for achieving a “Yes-Yes” as well as avoiding the “No-No’s” under the Health Information Portability and Accountability Act of 1996 (HIPAA) with the exchange of health information in an integrated healthcare setting.

Please click here for more information and to register.

Date: January 21, 2016
Time: 5:00 p.m. – 6:00 p.m. (Cocktail Hour and Registration); 6:00 – 8:00 p.m. (Presentation)

Location:
Kosair Charities Clinical & Translational Research Building
505 S. Hancock Street
Louisville, KY 40202

Stages 1, 2, And Now 3, Meaningful Use Criteria

The Centers for Medicare & Medicaid Services (“CMS”) proposed Meaningful Use criteria to implement Stage 3 and allow eligible professionals, eligible hospitals and critical access hospitals (“CAHs”) to qualify for incentive payments (or avoid downward payment adjustments) under the Medicare and Medicaid Electronic Health Record (EHR) Incentive Program implemented by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009. Then CMS made changes to Stage 1 and Stage 2 Meaningful Use criteria to better align with the proposed Stage 3 criteria just two weeks later.

On March 30, 2015, CMS published a long-awaited proposed rule which, if finalized, would implement Stage 3, making changes to the objectives and measures of meaningful use for providers effective in

NIST Assigns Highest Risk Level to New Cyber Risk: BASH aka Shellshock

On Wednesday, September 24, 2014, news broke about a newly discovered cyber security threat referred to as the BASH flaw or Shellshock. By Thursday, September 25, 2014, cyber security experts were confirming the cyber vulnerability threat for users of UNIX- and Linux-based systems, including Mac OS X. The National Institute of Standards & Technology (NIST) has rated the BASH flaw a 10 out of 10 on its vulnerability severity scale. Click here for the NIST alert.

Devices containing the BASH flaw may include millions of stand-alone Web servers and Internet-connected devices.  HITRUST issued an alert to healthcare providers urging them to take appropriate steps to safeguard their systems.  The HITRUST alert states, in part:

“The HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) has been tracking and reporting on the Remote Code Execution Vulnerability Discovered in Bash on UNIX-based Operating Systems (OS). HITRUST C3 is issuing this alert to ensure healthcare organizations are appropriately informed and taking steps to safeguard their systems and have sufficient information to communicate the background and implications to others in their organizations. HITRUST C3 – Healthcare Sector Cyber Threat Report HI255-14.”

According to FierceHealthIT: “The vulnerability happens when Bash is starting up; and it could allow a hacker to create a malicious code that would allow them to gain control of a compromised server.” HITRUST and many other cyber experts are stating that the BASH Shellshock bug is worse than Heartbleed, which was the flaw discovered in the widely used website encryption code, OpenSSL, an issue on which we reported in April 2014. The BASH flaw reportedly allows a hacker to completely take over a computer or server.

This is one of the more complicated cyber risk flaws to try to explain to the public, but this chap from the UK has produced a 4-minute YouTube video trying to do just that. We are not vouching for the accuracy of this video (especially given that we are not computer scientists), but we can recommend following his advice at the very end of the video: “Make sure you keep your computers and any servers you run up to date with security patches and security fixes.” If you want a more technical description of BASH, see the article published by Troy Hunt, software architect and Microsoft MVP, on his blog at troyhunt.com or click here.