Interoperability guides spotlight impact of overlapping privacy, security laws

A medical kit is fully packed on Camp Lejeune, N.C., March 18, 2020. (Marine Corps)

As the Oct. 6 deadline nears for the Department of Health and Human Services’ information blocking rules, the Sequoia Project and its Information Blocking Compliance Workgroup released five resources to support healthcare providers with compliance.

Among those guidelines are policy considerations, including privacy and security concerns, and possible overlap among federal, state and local laws.

The Sequoia Project was chosen by the HHS Office of the National Coordinator to develop and support the adoption of TEFCA, which rolled out in January. A May request for comment asked industry stakeholders for feedback and recommendations to improve the final document.

The provided comments were used to inform the newly issued resources meant to “inform the transition to a culture of health information sharing that supports health and care within the context of existing rules.”

During this process, the workgroup identified several open and ongoing policy issues. The resources highlight the areas where ONC, and even the HHS Office of the Inspector General, could provide further guidance to support providers with the transition into the data-sharing rules.

Given the agency's keen focus on data sharing and access, many providers will need the added support.

Different privacy requirements between states, federal government a challenge

In terms of privacy and security, providers will face “an enormous burden” due to the full range of privacy requirements under federal and local laws, which “could lead to significant challenges in operationalizing the regulatory provisions regarding information blocking.”

Among those burdens are the potential expenses of cataloging privacy requirements across the government and through government programs, which is a “major challenge given the complexity and ongoing changes of privacy regulation.”

These added requirements will mean provider organizations must conduct extensive legal analysis across all states and localities. That process is “both duplicative and burdensome,” especially for entities with care sites in multiple states, which may not be able to easily identify the “most restrictive” requirements due to the variations in state laws and other requirements.

These entities are unlikely to be able to simplify the process as the rule intends. The insights note “there are also significant operational issues when individuals receive care across borders.” Instead, the privacy rules and their exception “would be best served by a single set of rules.” The exception refers to when interoperability and information blocking could be allowed.

However, the lack of preemption of state laws by the Health Insurance Portability and Accountability Act may further add to the challenging variability.

The insights note that HHS should create a consolidated public website able to catalog and allow for targeted searches of federal, state and local privacy and security laws, or provide a template for states to create their own standard “profile” of their privacy and security laws to be used by entities and other healthcare stakeholders.

As it stands, the onus of ensuring compliance is on the provider organizations. To ensure the entity is adhering to all state, federal, and global regulations, the legal, privacy, and/or compliance teams should identify crosswalks between the different requirements and ensure they have documents in place to demonstrate compliance.

For many stakeholders, these issues may not be new, but the resources aim to demonstrate where gaps exist and the potential measures that could reduce some of the challenges.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
