

Resource Overview

General cybersecurity guidance holds that a Health IT breach should be treated not as a matter of "if" but as a matter of "when". How an organization prepares for and responds to a breach is just as important as defending itself against one. Unfortunately, Health Centers are seen as a domain with high potential for data breach, so it is critical for Health Center leadership to embrace breach mitigation across the entire organization rather than leaving it to the Health IT team alone.

A breach can occur through internal and external network leaks, through malware such as ransomware, and through physical means on site. The resources provided below offer general knowledge about breach mitigation and methods for reducing the likelihood and impact of breach incidents.

Breach Mitigation and Response Resources

FAQ: How can health centers comply with both 42 CFR Part 2 and the Information Blocking Rule?

July 2023

  • What are the HIPAA guidelines related to PHI and PII?
  • What is 42 CFR Part 2?
  • What is the Information Blocking Rule?
  • How can my health center comply with both 42 CFR Part 2 and the Information Blocking Rule?
  • How can my health center safeguard EHI on the patient portal following 42 CFR Part 2?
  • How can I find out if 42 CFR Part 2 applies to my health center?
  • Where can I find sample Information Blocking policies, procedures, and templates?

What are the HIPAA guidelines related to PHI and PII?

According to the Health Insurance Portability and Accountability Act (HIPAA) guidelines (Summary of the HIPAA Privacy Rule, HHS.gov), Protected Health Information (PHI) is personal information regarding a patient’s health. A patient has the right to determine whether information regarding their health can be shared. Patient consent is required before Personally Identifiable Information (PII) about their medical information can be disclosed to anyone, including family members, other healthcare providers, and law enforcement agencies. Exceptions to this requirement are limited and must comply with strict standards, such as in response to a court order.

What is 42 CFR Part 2?

42 CFR refers to the Code of Federal Regulations Title 42, which contains regulations related to public health. 42 CFR Part 2: Confidentiality of Substance Use Disorder Patient Records (Substance Abuse Confidentiality Regulations, SAMHSA) establishes strict confidentiality requirements for disclosure of information associated with treatment for substance use disorders (SUD). It applies to all federally assisted programs that provide diagnosis, treatment, or referral for SUDs, including mental health programs that also provide SUD treatment. Specifically, the regulations defined in 42 CFR Part 2 protect patients receiving treatment for SUD. Provisions in the regulation prohibit disclosure of any information that would identify a person as receiving treatment for an SUD unless that person provides written consent. Part 2 specifies a set of requirements for consent forms and the associated penalties for failing to implement them. View more resources on Substance Use Regulations here.

What is the Information Blocking Rule?

The 21st Century Cures Act, signed into law in 2016, includes provisions related to health information technology (health IT) and electronic health records (EHRs). Part of this law, known as the Information Blocking Rule, requires healthcare providers to offer patients timely and easy access to their electronic health information through a patient portal or other electronic means. The Cures Act defines information blocking as business, technical, and organizational practices that prevent or materially discourage access, exchange, or use of electronic health information (EHI), or any practice that could interfere with access, exchange, or use of EHI while not violating any existing regulations [1]. The Information Blocking Rule applies to all healthcare providers, including behavioral health providers, and is enforced by the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS). The rule applies to any entity or individual that meets the definitions outlined in 45 CFR 171.102 for a “health IT developer of certified health IT,” a “health care provider,” or a part of a “health information network or health information exchange.”

Many healthcare providers, including health centers, are concerned about reconciling the need to protect patient privacy under HIPAA and 42 CFR Part 2 with the obligation not to interfere with electronic health information sharing, which would violate the Information Blocking regulations.

How can my health center comply with both 42 CFR Part 2 and the Information Blocking Rule?

Sharing behavioral health information can be complex and requires compliance with various regulations, including the additional protections that 42 CFR Part 2 places on SUD information. The HITEQ Center provides guidance and resources to help health centers navigate these regulations and ensure compliance while sharing information. For more information, refer to Sharing Behavioral Health Data over a Health Information Exchange and Behavioral Health Consent Guidelines.

To ensure compliance, providers must:

  • Understand the definition of information blocking and ensure their policies and procedures comply with the law.
  • Implement appropriate technical and organizational safeguards to protect EHI from unauthorized access, use, or disclosure.
  • Develop clear policies and procedures that outline how EHI will be shared and accessed, including under what circumstances sharing is required or permitted by law.
  • Provide training and education to their staff on information blocking and how to comply with the law.
  • Obtain patient consents before sharing patient information.
  • Establish the necessary Qualified Service Organization Agreement (QSOA) or Business Associate Agreement (BAA) with any participating Health Information Exchange (HIE).
  • Share only the treatment information that the law permits, with the appropriate patient consents and authorizations in place. Some best practices include:
    • Encryption of messaging and exchange platforms.
    • Establishing and maintaining user access roles and responsibilities for accessing or transmitting EHI.
    • Implementing relevant business agreements for patient and clinical data sharing.
    • Clearly communicating to patients and staff that withholding information whose disclosure is not permitted by law (e.g., under 42 CFR Part 2) is NOT a violation of information blocking.

How can my health center safeguard EHI on the patient portal following 42 CFR Part 2?

The Information Blocking Rule aims to improve patient access to their health data and promote interoperability between healthcare providers. It requires healthcare providers to give patients timely and accessible means of reaching their EHI through a patient portal or other electronic means. Providers must offer patients the ability to access, view, and download their EHI, and to transmit it to a third party of their choice, such as another healthcare provider or a mobile application.

In order to safeguard EHI on the patient portal, providers must obtain written consent and inform the patient of the nature and extent of the information to be disclosed, the specific purpose of the disclosure, and the identity of the person or entity to whom the disclosure will be made.

How can I find out if 42 CFR Part 2 applies to my health center?

To find out if 42 CFR Part 2 applies to your health center, follow the Decision Tree from the Legal Action Center.


Where can I find sample Information Blocking policies, procedures, and templates?

Visit the HITEQ Center: Sample Information Blocking policies, procedures, and templates


The HITEQ Center is a HRSA-funded National Training and Technical Assistance Partner operated by JSI Research & Training, Inc. and Westat. This project is supported by the Health Resources and Services Administration (HRSA) of the U.S. Department of Health and Human Services (HHS) as part of awards totaling $693,000 with 0% financed with non-governmental sources. The contents are those of the author(s) and do not necessarily represent the official views of, nor an endorsement by, HRSA, HHS, or the U.S. Government. For more information, please visit HRSA.gov.

References

[1] “What is Information Blocking?,” American Medical Association, 2021, https://www.ama-assn.org/system/files/2021-01/information-blocking-part-1.pdf.

Acknowledgements

This resource collection was cultivated and developed by the HITEQ team with valuable suggestions and contributions from HITEQ Project collaborators.
