As the October 6 deadline approaches for the Department of Health and Human Services’ information blocking rules, Project Sequoia and its Information Blocking Compliance Task Force have released five resources to help healthcare providers comply.
Among these guidelines are policy considerations, including privacy and security concerns, and possible overlaps between federal, state, and local laws.
Project Sequoia was selected by the HHS National Coordinator’s Office to develop and support the adoption of TEFCA, which was rolled out in January. A request for comments sent to industry stakeholders in May sought input on implementing recommendations to improve the final document.
The comments provided were used to inform newly released resources intended to “inform the transition to a culture of health information sharing that supports health and care within the context of existing rules”.
During this process, the working group identified several open and ongoing policy issues. The resources highlight areas where the ONC, and even the HHS Inspector General’s Office, could provide additional guidance to help providers transition to data sharing rules.
Given the agency’s focus on sharing and accessing data, many vendors will need additional support.
Differing privacy requirements between states and the federal government are a challenge
In terms of privacy and security, vendors will face “an enormous burden” due to the full range of privacy requirements under federal and local laws, which “could lead to significant challenges in operationalizing regulatory provisions regarding the blocking of information”.
Among these burdens is the potential expense of cataloging privacy requirements across government and across government programs, which is “a major challenge given the complexity and ongoing regulatory changes in matters of confidentiality”.
These additional requirements will mean that provider organizations will need to carry out a thorough legal analysis in all states and localities. The process is “both redundant and cumbersome,” especially for entities that have care sites in multiple states and that may not be able to easily identify the “most restrictive” requirements due to variations in state laws and other requirements.
These entities are unlikely to simplify the process as intended by the rule. The information notes that “there are also significant operational issues when individuals receive care across borders”. Instead, the confidentiality rules and their exception “would be better served by a single set of rules”. The exception refers to when interoperability and information blocking may be permitted.
However, the lack of preemption of state laws by the Health Insurance Portability and Accountability Act may add further to this difficult variability.
The information notes that HHS should create a consolidated public website capable of cataloging and enabling targeted searches of federal, state, and local privacy and security laws, or provide a template for states to create their own “profile” standard of their privacy and security laws, to be used by entities and other health actors.
As things stand, the responsibility for ensuring compliance rests with provider organizations. To ensure that the entity meets all state, federal, and global regulations, legal, privacy, and/or compliance teams should identify the crossing points between the various requirements and ensure that they have documentation proving conformity.
For many stakeholders, these issues may not be new, but the resources aim to demonstrate where gaps exist and potential actions that could reduce some of the challenges.