Proposed HIPAA Disclosure Rule, Explained
"There is uncertainty about what qualifies as a breach since it's left up to the individual organization. That's a big loophole," Borten says. "The NPRM example of PHI outside a DRS (hence, not subject to this reporting) is PHI in a peer review report. But how confident are we that a covered entity would know of unauthorized use or disclosure of a peer review report and would deem it a breach?"
A shorter reporting period? The proposed rule would have providers account for disclosures going back three years, instead of the current six. Herold says it's probably an attempt on the part of the lawmakers to help save storage space, about which many organizations have expressed concerns. The three-year timeframe was also established within Sec. 13405 (c) of HITECH, so it is not a new idea. Borten calls it "a bit puzzling."
Organizations already keep accounting information for six years, and since the statute of limitations for civil action is six years, Borten says, "I don't see a good reason to reduce the reporting period to only the past three years. Some hospitals with user access logs already keep them for at least six years and even longer. The hard part of meeting the current requirement is setting up and following the process, not data storage, and the process as stipulated in the privacy rule should already be in place."
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
- Antibiotic Overuse a 'Huge Threat' to Patient Safety, Says CDC
- CFO Exchange: Smartphones Poised to Disrupt Healthcare, Says Topol
- Consumerism Drives Healthcare Branding, Rebranding Efforts
- 3 Traits Personality Assessments Can't Reveal
- PA Ranks See 'Phenomenal Growth,' Lack of Diversity
- CHS Hacked, 4.5M Patient Records Compromised
- CFO Exchange: Healthcare Leaders Share 5 Innovative Ideas
- Business Roundup: M&A Activity Down Slightly in First Half of 2014
- Large Employers Trimming Healthcare Spending
- Carondelet to Pay $35M to Settle Fraud Allegations