Information Blocking Rules: What They Would Mean for CISOs

February 22, 2019 • 15 Minutes

Healthcare CISOs and other security and privacy leaders must carefully assess the Department of Health and Human Services' proposed new rules designed to help prevent the blocking of health information sharing and consider how they might "operationalize" the provisions within their organizations, says attorney Jodi Daniel.

CISOs need to consider their current health information sharing activities "and what would have to change if the rules are finalized," says Daniel, a former security and privacy leader at HHS' Office of the National Coordinator for Health IT, which recently issued a proposed rule that addresses secure health information exchange.

Another HHS unit, the Centers for Medicare and Medicaid Services, also released a related proposed rule (see: Deciphering HHS' Proposed Information Blocking Rules).

"It is really important, as privacy, security and compliance officers are looking at their practices, to make sure they are documenting what they are doing, that they are implementing their policies in a nondiscriminatory manner and that they are considering what the industry standards are for privacy and security of health information - and that they are as close to those as possible," she says.

Best Practices

In an in-depth interview with Information Security Media Group, Daniel says now is a good opportunity "for the industry to get together to develop some best practices where there is no common approach" to health information sharing.

"It's also very important for folks who are dealing with privacy and security of health information access to think about the arrangements that they have with partners because these rules will likely require changes in those business relationships and changes in their contractual obligations. And those changes may take place in a fairly short period of time."

In the interview, Daniel also discusses:

- HHS' proposed information blocking provisions, including potential penalties for those violating the requirements;
- Current barriers to secure health information exchange and patient access to data;
- Security and privacy exceptions outlined in the information blocking proposals from ONC, and their potential impact.

Daniel is a partner at Crowell & Moring's healthcare group and a director at C&M International, an international policy and regulatory affairs consulting firm affiliated with the law firm. She leads the firm's digital health practice and provides strategic, legal and policy advice to healthcare and technology clients. Before joining the law firm in 2015, Daniel served for 15 years at HHS, including a decade at ONC, where she helped lead health information privacy and security policy development.