Monday, June 6, 2011

The Accounting of Disclosures NPRM

On May 31, HHS published a notice of proposed rulemaking (NPRM) on the HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act (HITECH).

Here's Robin Raiford's bookmarked version of it.

The purpose of the NPRM is to implement the statutory requirement under HITECH that covered entities and business associates account for disclosures of protected health information made to carry out treatment, payment, and health care operations, when such disclosures are made through an electronic health record.

Remember that HIPAA did not require disclosure logging for treatment, payment, and health care operations. This revision does, when such data is disclosed or accessed via an EHR.

In the EHR certification process, demonstrating accounting of disclosures is optional, so it's likely that many certified EHRs lack accounting-of-disclosures functionality.

Wes Rishel wisely warns us that this may be very challenging to implement for hospitals with complex built and bought systems.

Here's Rebecca Herold's blog summarizing the major points of the NPRM.

She also describes the definition of a designated record set.

Under the current provisions of the HIPAA Privacy Rule, covered entities are required to maintain records of disclosures of protected health information for a period of six years, and to furnish an accounting of disclosures to individuals who request one. The HIPAA Privacy Rule included an exemption for disclosures for the purposes of treatment, payment, and health care operations, and for a variety of other special circumstances, including disclosures to individuals of their own PHI. Collectively, the exempted purposes constituted the vast majority of disclosures. HIPAA's accounting requirement also covered all PHI, whether in paper or electronic form. HITECH shortened the accounting period to three years, but removed the exemptions for treatment, payment, and health care operations when the disclosure is made from an EHR. The NPRM explicitly lists the types of disclosures that are subject to the accounting requirement, rather than taking the prior approach of generally requiring inclusion and enumerating specific exceptions.
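To make the scope change concrete, here is an added example (not code from the post, from HHS, or from any EHR vendor) that derives an accounting of disclosures from EHR audit events using the rules described above: a three-year lookback (six under the old HIPAA rule), disclosures to the individual exempt, treatment/payment/operations disclosures accountable only when made through the EHR, and the NPRM's exemption for disclosures made through a health information exchange. It also produces the broader access report the NPRM proposes, which includes uses by workforce members. The audit event schema, field names, purpose codes and sample events are all constructed for illustration; the NPRM's actual enumerated list of accountable disclosure types is not reproduced here, so non-TPO purposes are treated as accountable in the way the pre-HITECH rule generally did. Events that carry no recorded purpose cannot be classified, which is exactly the gap the NPRM's HIE discussion points at, so they are routed to a review queue rather than dropped.

```python
"""Accounting of disclosures derived from EHR audit events.

Added illustration only. The AuditEvent schema, recipient types,
purpose codes, channel names and sample events are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Purposes exempt from accounting under the HIPAA Privacy Rule; HITECH
# removes the exemption when the disclosure is made through an EHR.
TPO = {"treatment", "payment", "operations"}


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    patient_id: str
    recipient: str            # who received (disclosure) or viewed (use) the PHI
    recipient_type: str       # "external", "workforce" or "individual"
    purpose: Optional[str]    # None when the source system recorded no purpose
    channel: str              # "ehr", "hie" or "paper"
    description: str


def years_before(d: datetime, n: int) -> datetime:
    """Calendar-year subtraction that tolerates a 29 February anchor date."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def in_window(ev: AuditEvent, as_of: datetime, lookback_years: int) -> bool:
    return years_before(as_of, lookback_years) <= ev.when <= as_of


def classify(ev: AuditEvent, as_of: datetime, lookback_years: int = 3) -> str:
    """Return 'accountable', 'exempt' or 'review' for one event."""
    if not in_window(ev, as_of, lookback_years):
        return "exempt"                      # outside the accounting period
    if ev.recipient_type == "workforce":
        return "exempt"                      # a use, not a disclosure
    if ev.recipient_type == "individual":
        return "exempt"                      # disclosure to the patient of their own PHI
    if ev.purpose is None:
        return "review"                      # cannot tell TPO from anything else
    if ev.purpose in TPO:
        # HITECH: TPO through the EHR is accountable. Paper TPO keeps the
        # HIPAA exemption; HIE TPO is exempted by the NPRM for now.
        return "accountable" if ev.channel == "ehr" else "exempt"
    return "accountable"                     # non-TPO disclosures (pre-HITECH default)


def accounting_of_disclosures(events: List[AuditEvent], patient_id: str,
                              as_of: datetime, lookback_years: int = 3
                              ) -> Dict[str, List[AuditEvent]]:
    """Accountable disclosures plus a review queue for unclassifiable events."""
    report: Dict[str, List[AuditEvent]] = {"accountable": [], "review": []}
    for ev in events:
        if ev.patient_id != patient_id:
            continue
        verdict = classify(ev, as_of, lookback_years)
        if verdict != "exempt":
            report[verdict].append(ev)
    for bucket in report.values():
        bucket.sort(key=lambda e: e.when)
    return report


def access_report(events: List[AuditEvent], patient_id: str,
                  as_of: datetime, lookback_years: int = 3) -> List[AuditEvent]:
    """The NPRM's proposed access report: every electronic access, uses included."""
    hits = [e for e in events
            if e.patient_id == patient_id and e.channel != "paper"
            and in_window(e, as_of, lookback_years)]
    return sorted(hits, key=lambda e: e.when)


def _ts(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


AS_OF = _ts(2011, 6, 6)

# Constructed sample events for one patient (P1) plus one unrelated patient.
EVENTS = [
    AuditEvent(_ts(2011, 3, 1), "P1", "Dr. Lee", "workforce", "treatment", "ehr", "chart viewed"),
    AuditEvent(_ts(2011, 2, 10), "P1", "Acme Health Plan", "external", "payment", "ehr", "claim sent"),
    AuditEvent(_ts(2010, 11, 5), "P1", "Regional HIE", "external", "treatment", "hie", "summary pushed"),
    AuditEvent(_ts(2009, 8, 20), "P1", "County Hospital", "external", "treatment", "paper", "fax"),
    AuditEvent(_ts(2006, 4, 12), "P1", "State Public Health Dept", "external", "public_health", "ehr", "report"),
    AuditEvent(_ts(2011, 1, 15), "P1", "Lab interface", "external", None, "ehr", "result feed"),
    AuditEvent(_ts(2011, 5, 2), "P1", "P1", "individual", "individual_request", "ehr", "portal download"),
    AuditEvent(_ts(2011, 4, 1), "P2", "Acme Health Plan", "external", "payment", "ehr", "claim sent"),
]

if __name__ == "__main__":
    rep = accounting_of_disclosures(EVENTS, "P1", AS_OF)
    for ev in rep["accountable"]:
        print("ACCOUNTABLE", ev.when.date(), ev.recipient, ev.purpose, ev.channel)
    for ev in rep["review"]:
        print("REVIEW     ", ev.when.date(), ev.recipient, "(no purpose recorded)")
    print("access report entries:", len(access_report(EVENTS, "P1", AS_OF)))
```

Run against the sample events, the three-year accounting for P1 contains only the payment disclosure to the health plan through the EHR; the workforce chart view, the HIE push, the paper fax and the portal download are all exempt for the reasons given in the comments, and the lab feed lands in the review queue because the interface never recorded a purpose. Widening the lookback to six years pulls the 2006 public-health disclosure back in, which is the difference between the HIPAA and HITECH periods. The practical lesson for a hospital with many departmental systems is the review queue: any feed that does not carry a purpose code cannot be accounted automatically.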

The NPRM does exempt disclosures made through a health information exchange, noting that the technology to track such disclosures is still evolving. The authors state:

"as electronic health information exchange expands and standards for such exchange are adopted, we intend to work with ONC to assess whether such standards should include information about the purpose of each exchange transaction. Adoption of such standards may significantly reduce the burden on covered entities to account for treatment, payment, and health care operations disclosures through electronic health information exchange. We then intend to revisit this issue and determine whether the accounting requirements should be revised to encompass such disclosures, in light of the interests of individuals and the reduced burden on covered entities."

The burden of implementing this regulation, especially in complex organizations with many departmental systems, could be very high.

I'll watch the comment period very closely.


Anonymous said...

In reading this I believe they are seeking to expand the requirement far beyond certified EHR systems. The quoted section below is what I am referring to. Thoughts?

"This proposed right to an access report would implement section 13405(c) of the HITECH Act by providing individuals with information about disclosures through an electronic health record (EHR) for treatment, payment, and health care operations. While the HITECH Act provision only addresses “disclosures” and refers to an EHR, we are exercising our discretion under the more general HIPAA statute to expand this right to uses of information (e.g., electronic access by members of a covered entity’s or business associate’s workforce) and to all electronic protected health information about an individual in any designated record set."

Doc said...

The eDRS could be really nasty to address. Under HIPAA, the DRS was the information (which we summarized in our EHR and paper HR to provide to the individual). The expansion to the source systems could include all sorts of electronic instruments that do not have the individual-level access logging that this NPRM anticipates.