Health technology companies have a little extra time before risking hefty penalties for withholding patient heath information—and they should spend it getting ready for the new rules, a health attorney recommended.
In a proposal hitting the Federal Register Friday, the Inspector General’s Office at the Department of Health and Human Services said it will hold off on enforcing the data-sharing rules. The Office of the National Coordinator for Health Information Technology’s final rule ensuring patients have access to their health data won’t be published until May 1. Companies will get an additional three months to prepare for the standards as a result of the coronavirus crisis, that agency has said.
The announcement doesn’t mean the new requirements are going away, and companies should prepare now, Colin J. Zick, a partner at Foley Hoag LLP and co-chair of the firm’s Health Care Practice and Chair of Privacy and Data Security Practice, said.
“They will go easy on you if you are trying to comply, but the pandemic makes it difficult or impossible,” Zick said. “Providers need to focus on these cited issues sooner rather than later, and not wait for five months and 29 days.”
According to the proposal, the Inspector General will first focus on health technology company actions that could harm patients, affect doctors’ ability to provide care, or knowingly prevent patients from accessing their own information.
“OIG is working to meet its mission while minimizing burdens on providers and being flexible where possible during the Covid-19 public health emergency,” Christi A. Grimm, the principal deputy inspector general, said in a statement.
Health IT developers, health data exchanges, and networks face penalties up to $1 million for each violation once the rules are in effect.
That specific penalty doesn’t apply to health-care providers, who will be dealt with through a separate, future rule for improperly block a patient’s access to their data, the agency said. Hospitals have complained the upcoming rule is full of confusing definitions and exemptions, as well as data privacy and security concerns.
“For providers, this means a little more breathing room, in terms of personnel bandwidth and finances, both of which are needed at this time that is stress-testing providers like nothing in the last 100 years,” Zick said.