by Kelly McLendon, RHIA, CHPS
Managing Director, CompliancePro Solutions, LLC
The 21st Century Cures Act ONC Information Blocking and CMS Interoperability and Patient Access rules are very complex to understand when it comes to patient education about the mobile health apps that request electronic patient information (EHI) through the APIs (Application Programmer Interfaces) that connect to certified or non-certified EHR (Electronic Health Record) or other ancillary systems that contain patient records.
Payers under the CMS Interoperability and Patient Access rules are allowed to ask the mobile health app developer or company for an attestation about their privacy and security. If the company or the patient does not respond to the request for attestation, however, this can only be grounds for inclusion in the information provided to the patient, perhaps as a general recommendation not to use apps that have not completed an attestation. Ultimately, it is the patient’s choice whether to use any app to request and manage their EHI.
The only way a payer can refuse to provide the information is through the use of an information blocking exception, perhaps for either privacy or security, but there are conditions that must be met in order to invoke the exceptions and they should be used with care. Whether the CMS rules also could or should apply to providers of care and other HIPAA covered entities is a choice for legal counsel to weigh in on.
Covered entities should implement and continually prepare for the 21st Century Cures Act and the use of mobile health apps by their patients. Start by building the presentations to be delivered to patients as well as your workforce, then begin to post educational material on your website and train your employees on how to address the topic.
The 21st Century Cures Act rules do have certain requirements, such as posting links to regulators and basically informing patients of their rights under the law. Covered entities must also decide when and how to evaluate mobile health apps for their patients. Do they verify, vet and/or ask for attestations?
All of these questions will take time to answer, so now is the time to begin to work on these materials. It is of note that the API requirements take effect on May 1, 2022, and although there is a need for patient education prior to this date, it is projected that once APIs begin to be used, patient questions and interest will increase substantially.