Proposed HIPAA Disclosure Rule, Explained
Covered entities and business associates finally have an idea what the accounting of disclosures provision in HITECH is all about. The Department of Health & Human Services publicly released a proposed rule governing privacy disclosures related to electronic health records May 27 and published it in the Federal Register May 31. Comments must be submitted on or before August 1, 2011. See also: 6 Things to Know About the HIPAA Disclosures Proposed Rule.
What: The HITECH-required proposed rule is formally known as "HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act." The HITECH Act requires CEs and BAs to provide an accounting of disclosures of personal health information (PHI) through an EHR, for treatment, payment, and healthcare operations (TPO) dating back three years from such a request.
The proposed rule implements this requirement through the right to an "access report," which includes an accounting of who accessed electronic health information in a designated record set (DRS), for any reason. This includes both uses and disclosures, regardless of the purpose.
Why accounting of disclosures: "The intent of the accounting of disclosures is to provide more detailed information (a 'full accounting') for certain disclosures that are most likely to impact the individual," according to the proposed rule.
Why access reports: "The intent of the access report is to allow individuals to learn if specific persons have accessed their electronic DRS information (it will not provide information about the purposes of the person's access)," according to the proposed rule.
Compliance dates: For new accounting of disclosures requirements, if the rule becomes final in its current form, compliance would be mandatory 180 days after the effective date of the final regulation (i.e., 240 days after publication). For the access reports provision, compliance would be effective January 1, 2013, for electronic DRS systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic DRS systems acquired prior to 2009.
Dan Berger (6/9/2011 at 11:37 PM)
In mid-to-late 2012, business associates and their subcontractors will have the same obligations as covered entities under the HIPAA Security Rule and therefore must conduct their own HIPAA security risk assessments. Sue McAndrew, Deputy Director for Health Information Privacy at the Office of Civil Rights (OCR), has called the extension of direct liability to business associates "a sea change" in the regulations. http://wp.me/pymfm-J2
Kim Corrigan (6/3/2011 at 10:34 AM)
The intent of HIPAA was to protect individuals' health care information. The intent of EMR was to streamline and coordinate care across systems. The concept of disclosure should already have been built into the systems if the true intent was/is to protect the individual. Any other intent would defer on the side of government and/or for-profit health care plans having access and ability to manipulate the delivery of care without an individual's knowledge. Any access/changes/decisions to an individual's health records in any form should be visible to the individual (and any designee) with a look back period of 3 years. If we can see who accessed a credit report, we should certainly be able to see who accessed our health records.