AHA: Drop HIPAA Access Report Provision
AHA’s letter represented its official comment to OCR regarding the proposed rule; the comment period ended Monday. After OCR considers the comments, it is expected to issue a final rule.
Instead, OCR should first seek more information from the industry in order to determine “the needs of patients who seek to understand how their PHI is disclosed, while simultaneously ensuring that covered entities are technically capable of providing such information without incurring unreasonable burdens to do so,” AHA writes.
- Clarify the discussion of designated record sets, adopt its proposed exclusions to the accounting requirement and maintain existing exclusions.
- Maintain a 60-day response requirement and limit an accounting to three years.
- Retract its HIPAA Security Rule preamble commentary in order to reflect longstanding department guidance.
- Extend the access report compliance date and remove the requirement to name employees.
- Reflect the statutory requirement that covered entities be permitted to direct individuals to a business associate
- Make clear that a covered entity is not liable for unsecure transmissions requested by a patient
- Provide at least 60 days for the provision of an access report
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
- As Medicare Advantage Cuts Loom, Disagreement Over Program's Stability
- Medicare Advantage Carriers See 'No Choice' But to Accept Cuts
- Centralizing the Revenue Cycle Protects the Bottom Line
- CA Fines 8 Hospitals for Medical Errors
- Physicians to Appeal 'Docs v. Glocks' Ruling in FL
- Doctors Feel Pressure to Accept Risk-based Reimbursement
- Surgical Checklists Unused in 10% of Hospitals, CMS Data Shows
- 3 Management Lessons from a Supermarket Debacle
- Employers Weigh Risks, Benefits of Private Exchanges
- Revenue Cycles Get a Boost from Simple JPEG Files