Office for Civil Rights Wants Guidance On HITECH EHR Disclosure Rule

Dom Nicastro, May 3, 2010

Covered entities and patients will have a say in the Office for Civil Rights' (OCR) proposed rulemaking on the HITECH provision some healthcare providers deemed a logistical nightmare.

OCR today published a notice in the Federal Register asking for help crafting a proposed rule on accounting of disclosures on electronic health records (EHRs) per HITECH.

HITECH expands an individual's right to request accounts on disclosures of his/her health record. In its semi annual regulatory report, OCR said it expects to produce these regulations in June.

In the Federal Register today, OCR writes that the comments from providers and patients will "help us better understand the interests of individuals with respect to learning of such disclosures, the administrative burden on covered entities and business associates of accounting for such disclosures, and other information that may inform [our] rulemaking in this area."

Current law exempts disclosures to carry out treatment, payment and healthcare operations. But HITECH changed that, allowing patients to request these types of disclosures through an EHR.

Because of the expansion of disclosure rights to patients, when President Obama in February 2009 signed HITECH into law some providers called the accounting of disclosures provision a logistical nightmare.

In order to get ahead of the game, covered entities should document their uses, disclosures, and storage of PHI with EHRs or any other system or data repository, Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, says in the HCPro, Inc. April 2009 HIPAA and the HITECH Act whitepaper.

Keep audit logs of who accessed records, and what their role is. Besides the future requirement to track and make available PHI disclosed from an EHR, the HIPAA Security Rule requires the generation and review of audit logs.

Use a database to ensure all uses and disclosures are tracked as required by the HIPAA Privacy Rule and plan to maintain similar information related to disclosures when the future EHR accounting of disclosure requirements become reality.

In today's Federal Register posting, OCR asks questions such as:

  • What are the benefits to the individual of an accounting of disclosures, particularly of disclosures made for treatment, payment, and healthcare operations purposes?
  • Are individuals aware of their current right to receive an accounting of disclosures? On what do you base this assessment?
  • If you are a covered entity, how do you make clear to individuals their right to receive an accounting of disclosures? How many requests for an accounting have you received from individuals?
  • For individuals that have received an accounting of disclosures, did the accounting provide the individual with the information he or she was seeking?
  • What is the feasibility of an [EHR] module that is exclusively dedicated to accounting for disclosures (both disclosures that must be tracked for the purpose of accounting under the current HIPAA Privacy Rule and disclosures to carry out treatment, payment, and healthcare operations)? Would such a module work with covered entities that maintain decentralized electronic health record systems?
  • Is there any other information that would be helpful to [OCR] regarding accounting for disclosures through an [EHR] to carry out treatment, payment, and healthcare operations?
Dom Nicastro Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
Facebook icon
LinkedIn icon
Twitter icon