Important Legal Update
State Legislature Temporarily Suspends Enforcement Provision in the Statewide Health Information Exchange Act
January 1, 2023, Deadline to Connect to NC HealthConnex Remains Unchanged
The North Carolina General Assembly recently enacted laws that impact health care providers and organizations that serve state-funded patients (e.g., Medicaid recipients and State Health Plan members). Specifically, the new state budget and the Statewide Health Information Exchange Act contemplate the following:
- Certain organizations who receive state funds for treating Medicaid recipients and State Health Plan patients remain subject to a January 1, 2023, deadline to connect to NC HealthConnex and submit required data to the state. This deadline is unchanged.
- The enforcement mechanism in the Statewide Health Information Exchange Act that makes connection to the HIE and submission of required data to the state prerequisites for a health care provider to receive state funds is temporarily suspended “until a bill designating a lead agency responsible for enforcement of the Statewide Health Information Exchange Act is enacted into law.”
- In March 2023, the General Assembly will receive a report outlining the status of organizations that met – or failed to meet – the January 1, 2023, connection and submission deadline.
- The N.C. Health Information Exchange Authority’s (NC HIEA) Advisory Board may offer additional recommendations to the General Assembly about enforcement of the Statewide Health Information Exchange Act and about enhancements to NC HealthConnex. These recommendations will supplement a report and recommendations that the NC HIEA Advisory Board submitted to the General Assembly this spring, which focused on data connections, supporting patients, and protecting the networks of providers who serve state-funded patients.
Legal changes and the fast-approaching connection deadline may leave providers with questions about receiving state funding and their connection status. Below, the NC HIEA provides answers to questions that may arise and how the changes may impact specific groups of providers.
Does This Mean I Won’t Receive State Funds for Treating Patients?
The statutory provision that would prevent “unconnected” providers and entities from receiving state funds for treating Medicaid recipients and State Health Plan members is suspended as a matter of law. Providers – even those not yet connected to NC HealthConnex -- may continue to see state-funded patients without fear that the state will enforce the “condition of receiving state funds” provision of the Statewide Health Information Exchange Act at this time.
Do I Still Need To Connect?
It is imperative that providers, health care organizations, pharmacies and others subject to the Statewide Health Information Exchange Act take immediate steps to connect to NC HealthConnex. The connection deadline of January 1, 2023, has not been delayed or extended, and enforcement of the condition of receiving state funds is only suspended temporarily. In March 2023, the NC HIEA will report to the General Assembly on connection status of providers and offer recommendations on how to begin enforcement of the connection mandate.
What If I’m in the Process of Connecting?
Health care organizations that have begun the technical process of connecting to NC HealthConnex are considered to be making good-faith efforts to fulfill the connection mandate. They should continue onboarding or risk losing their order in the queue. Organizations that have signed a participation agreement with NC HIEA but are not yet live and submitting data by January 1, 2023, are considered to be making good-faith efforts to connect as well. As providers are invited to begin the technical connection process, they should be ready to proceed or risk being moved to the back of the onboarding queue.
What If My Connection Project Has Been Put on Hold?
Earlier this year, the NC HIEA prioritized the queue of more than 5,000 organizations onboarding with NC HealthConnex based on a variety of factors. As a result of these prioritization decisions, onboarding for some providers has been temporarily placed on hold. Please be assured that this decision to place your organization on hold will not have an impact on your organization’s good-faith efforts to follow the HIE Act.
Additionally, if your organization has signed a full participation agreement with the NC HIEA and would like to participate in NC HealthConnex, please reach out to the SAS Help Desk at HIESupport@sas.com or 919-531-2700 to request credentials to the web-based clinical portal. If your organization is interested in training on how to incorporate the HIE into your workflow, please see our on-demand training library, or request a training session.
If you are unsure of the status of your project, please email email@example.com.
If I’m an Individual Provider, Do I Need To Connect?
Individual providers typically do not have to initiate or carry out the connection process themselves. The NC HIEA engages in participation agreements with organizations, and employed providers are covered under those agreements. The appropriate contact(s) at your organization(s) should visit hiea.nc.gov/participate to select the agreement suitable to the organization, and then carefully read, review, and complete the agreement. It may be returned either by email to firstname.lastname@example.org (preferred method) or by mail to N.C. Health Information Exchange Authority Mail Service Center 4101 Raleigh, NC 27699-4101.
Do Dental and Chiropractic Providers Need To Connect?
Dentists and chiropractors that serve state-funded patients remain subject to the January 1, 2023, connection and submission deadline. Enforcement of the “condition of receiving state funds” provision in the Statewide Health Information Exchange Act is temporarily suspended with respect to all providers, including dentists and chiropractors.
Of note, in March 2022, the NC HIEA Advisory Board recommended to the General Assembly that dental and chiropractic providers be reclassified as “voluntary” connectors to the NC HIEA.
Do Pharmacies Need to Connect?
State law continues to require that pharmacies connect and submit claims data to NC HealthConnex by January 1, 2023. At this time, the NC HIEA is conducting a pilot with several pharmacies for the initial development and integration of pharmacy data into NC HealthConnex. The NC HIEA views pharmacies that have signed participation agreements as acting in good faith to meet the January 1, 2023, deadline, and no additional action needs to be taken at this time.
How Do I Connect?
- Learn more.
- Register for the next monthly informational How to Connect webinar.
- Browse our library of frequently asked questions and answers on a variety of topics.
- See a list of the steps to connect.
- Complete a NC HealthConnex participation agreement. Review the different types of participation agreements available, and select the agreement most suitable for your organization. Carefully read and complete the agreement. It may be returned by email to email@example.com (preferred method) or by mail to N.C. Health Information Exchange Authority Mail Service Center 4101 Raleigh, NC 27699-4101.
- Contact us. For any questions or concerns about participation with NC HealthConnex, please contact us at firstname.lastname@example.org or 919-754-6912.
The NC HIEA is ready to assist providers with understanding how these legislative changes affect them and to begin the onboarding process with interested providers. Please contact us at email@example.com or 919-754-6912.
Full NC HealthConnex Participation Helps Meet New Promoting Interoperability Rules
The U.S. Centers for Medicare and Medicaid Services has issued final rules for the Promoting Interoperability Program. Full participation in NC HealthConnex, the state-designated health information exchange, can help providers meet the updated measures related to the advancement of certified electronic health record technology utilization and improve interoperability.
The U.S. CMS’s Promoting Interoperability Program – formerly the Electronic Health Record Incentive Program – provides financial incentives to providers if they use a certified electronic health record (EHR) to capture and use patient data meaningfully for care coordination, patient engagement and quality improvement purposes.
Changes to the Medicare Promoting Interoperability Program
Final changes to the Medicare Promoting Interoperability Program for 2022 include:
- Maintaining an EHR reporting period of any continuous 90-days for new and returning participants (eligible hospitals and critical access hospitals) in the Medicare Promoting Interoperability Program for CY 2022
- Increasing the bonus points for the Electronic Prescribing Objective’s Query of Prescription Drug Monitoring Program measure from 5 points to 10 points
- Increasing the minimum scoring threshold from 50 points to 60 points
- Adopting the Health Information Exchange Bi-Directional Exchange measure as an alternative to the two existing measures (worth 40 points) under the Health Information Exchange Objective
- Requiring reporting on four of the Public Health and Clinical Data Exchange Objective measures: Syndromic Surveillance Reporting, Immunization Registry Reporting, Electronic Case Reporting and Electronic Reportable Laboratory Result Reporting, which is worth up to 10 points
- The Public Health Registry Reporting and Clinical Data Registry Reporting measures will remain optional for 5 bonus points.
- Requiring eligible hospitals and critical access hospitals to attest to having completed an annual assessment via the Safety Assurance Factors for EHR Resilience Guides measure, under the Protect Patient Health Information objective, beginning January 1, 2022
- Removing attestation statements 2 and 3 due to similarities between practices described in the statements from the Medicare Promoting Interoperability Program’s prevention of information blocking requirements
CMS has provided several resources to learn more about the new final rule policies: review the final rule, a press release, and a fact sheet.
How NC HealthConnex Can Help
A connection to NC HealthConnex alone does not satisfy any single objective for an eligible professional or hospital attesting to the N.C. Medicaid EHR Incentive Program (part of the CMS Promoting Interoperability Program). However, full participation in NC HealthConnex and its features, however, assists providers in meeting specific measures and objectives, particularly those related to prescription drug monitoring, adoption of bi-directional exchange, public health registry reporting, and electronic lab result reporting.
Bidirectional Capabilities Confirmation
- NC HIEA can help determine whether your practice participates in a bidirectional exchange with a health information exchange to support care transitions, which CMS requires to be eligible for the Merit-Based Incentive Payment System.
- Fill out this request form so that the NC HIEA can confirm whether or not you participate in a bidirectional connection.
Health Information Exchange
- Electronic care transitions to outside EHRs via the NC HealthConnex Direct Secure Messaging XDR (EHR-integrated) service
- Provider directory with more than 20,000 searchable providers available through the NC HealthConnex portal and sent to full NC HealthConnex participants directly for use within their EHRs (updated quarterly)
- Query-based retrieval of patient records within NC HealthConnex by providers at the point of care
- Reports on EHR-integrated participants’ delivery notification messages for additional backup documentation/audit logging
Public Health and Clinical Data Registry Reporting
- Automated reporting to the N.C. Diabetes Specialized Public Health Registry, developed in partnership with the N.C. Division of Public Health
- Automated reporting to the North Carolina Immunization Registry (NCIR) from the provider EHR and query from within the EHR patient records of vaccine history and NCIR recommendations
- Daily automated electronic lab reporting from hospitals to the N.C. Division of Public Health
Moreover, NC HealthConnex supports participating providers in achieving the overarching goals of the Promoting Interoperability Program and other quality programs by:
- Protecting contributed electronic patient health information, per applicable federal standards
- Providing access to a more complete medication and health history from other places of care
- Better informing a provider’s choice of patient education materials or clinical support tools through a longitudinal view of a patient’s health record across care settings statewide.
While certified EHRs can produce all the necessary reports and documentation to support achievement of the objectives and measures, NC HealthConnex supports providers with care transitions and public health submission documentation for attestation and other specific documentation requests in the case of a state or federal audit.
For questions or more information about how NC HealthConnex supports providers with Promoting Interoperability requirements, call 919-754-6912.
Federal Government Issues Guidance on HIPPA Privacy Rule for Reproductive Care, Ransomware Alert for Health Care
Federal government agencies have recently released guidance for the health care organizations and providers to navigate HIPPA privacy rules for providers and patients in the post-Roe landscape and a recent cybersecurity threat specifically targeting health care.
HIPPA Privacy Rule
The Supreme Court ruling in Dobbs vs. Jackson Women’s Health Organization that overturned Roe vs. Wade has raised significant questions about patient privacy and health organizations’ data protection responsibilities. The U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) has issued new guidance for how to apply the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to protected health information (PHI), including information related to abortion and other sexual and reproductive health care.
The OCR, which administers and enforces the Privacy Rule, stresses that disclosing an individual’s PHI without their authorization for reasons not related to health care are permitted only in very narrow circumstances. The guidance discusses what disclosures are permitted under HIPPA regarding the requirements of other laws, requests for law enforcement purposes, and situations involving a serious threat to health or safety.
The HIPPA privacy law, however, applies only to health plans, health care clearing houses, most health care providers, and, to some extent, their business associates. It does not cover third-party tools – such as period trackers and health information apps – or health information individuals store or share via their personal cell phones or tablets.
The OCR also provides tips to protect the privacy and security of health information when using personal devices.
Ransomware Attacks Advisory
North Korea-sponsored cyber actors have targeted the U.S. health care and public health sector using a novel strain of malware since at least May 2021, according to a joint alert from the Cybersecurity and Infrastructure Security Agency, FBI and U.S. Department of the Treasury.
The FBI has investigated multiple attacks using Maui ransomware that have encrypted servers for health care services, including electronic health records, diagnostics, imaging, and intranet, and have disrupted health organizations for prolonged periods. The vector of the Maui ransomware attacks is unknown, and unlike most automatically executed ransomware, Maui malware is manually executed by a remote actor who selects which files to encrypt.
Cyber criminals target health care organizations they believe will pay ransoms to avoid disruptions to critical services. However, the federal advisory strongly discourages paying ransoms, which does not guarantee the attackers will restore files and records.
Instead, the advisory shares proactive cyber security steps and mitigation tactics health care organizations can take to protect themselves against Maui ransomware. The advisory also describes the techniques, procedures and indicators of compromise for Maui ransomware.
Read more cybersecurity news and tips in the N.C. Department of Information Technology's Enterprise Security and Risk Management Office's July Cybersecurity newsletter.
Find more cybersecurity and risk management resources from the N.C. Department of Information Technology.
- NC HealthConnex Teletown Hall: Tailored Care Management – Wednesday, Aug. 17, 2022, 12 p.m. to 1 p.m. – Get a better understanding of the role of tailored care management in improving whole-person care and how the HIE can help in this effort. This online town hall is for providers connected and interested in connecting to NC HealthConnex. Learn more and register.
- How to Connect Call – Monday, Aug. 29, 2022, 12 p.m. to 1 p.m. – Learn more about steps to connect to NC HealthConnex and the suite of value-added services available. Register for the call.
- NC HIEA Advisory Board Meeting – Thursday, Sept. 15, 2 p.m. to 5 p.m. – The Advisory Board meets to discuss developments related to NC HealthConnex and the NC HIEA. Learn more.
In the News
USCDI Version 3 Adds Health Status, Insurance Data Classes – The Office of the National Coordinator for Health IT has released the United States Core Data for Interoperability Version 3, which includes new data classes involving health status and health insurance information. HCInnovationGroup.com
Child, adolescent mental health crisis is "next wave of the pandemic" – A Duke physician wants to see a commitment to confronting the teen mental health crisis as the pandemic has only worsened what was already a growing concern. NorthCarolinaHealthNews.org
Healthy Communities Data Tool Provides Insights on SDOH in N.C. – A new Healthy Communities tool is giving North Carolina community members, nonprofits, and government agencies free access to data and analytics tools to drive improvements in 21 key social determinants metrics. HCInnovationGroup.com
The Claims Data Dilemma: 4 Things to Consider – Providers across specialties and geography need global claims data as they struggle to obtain it from payers. MedPageToday.com
N.C. Risk Officer on Zero Trust, Protecting Resident Privacy – Chief Risk Officer Rob Main discusses balancing privacy and security, growing North Carolina's cyber workforce, and how his office is helping local governments build cyber capacity. GovTech.com