4. The change of six years to three years for accounting of disclosures. This is likely meant to help save storage space for CEs and BAs, in addition to the stated reasons within the NPRM. "However, an impact already being heard is the concern that there are still other standing requirements to maintain certain other documentation, such as policies/procedures, for at least six years," Herold says. "CEs and BAs now wonder if they HAVE to change the disclosures to three years, or can keep current logging practices the same (at six years) so they can have one less thing to do with implementing the final version of this NPRM."
5. New duties for BAs. Herold cites the need for BAs to not only get into compliance with the accounting for disclosures requirements, but also to create new ePHI access reports. They have to do this while they are still trying to get into compliance with the other HITECH requirements that most have not made much progress with to date, she adds. BAs must now comply, per HITECH, with the HIPAA Security Rule.
6. It's not too soon to start. These changes would go into effect, if accepted as proposed, for the access reports beginning January 1, 2013, for electronic DRSs acquired after January 1, 2009, and beginning January 1, 2014, for electronic DRSs acquired as of January 1, 2009. "So, with all the probably programming/systems changes these will bring, CEs and BAs will need to get started on the changes sooner rather than later," Herold says. "Certainly as soon as the final version of the Accounting for Disclosures NPRM is released. Determining where all DRSs exist now would be prudent; even if the NPRM is not finalized as is, entities need to have this information documented any way, and most do not."