
HHS Sends EHR Disclosure Rule for Review

By dnicastro@hcpro.com | February 10, 2011

The Department of Health & Human Services (HHS) pushed forward a HITECH-required proposed rule on accounting of disclosures of EHRs Wednesday.

The rule will lay the foundation for what healthcare providers will be accountable for when patients request disclosures on their electronic medical records. The Office of Management and Budget (OMB) reviews all rules before they are made final. The process could take anywhere from one to 90 days.

HITECH expands an individual's right to request accounts on disclosures of his/her health record.

The Office for Civil Rights (OCR), the enforcer of the HIPAA privacy and security rules, in May 2010 published a notice in the Federal Register asking for help crafting this proposed rule on accounting of disclosures on EHRs.

OCR wrote that it wanted "to better understand the interests of individuals with respect to learning of such disclosures, the administrative burden on covered entities and business associates of accounting for such disclosures, and other information that may inform [our] rulemaking in this area."

Current law exempts disclosures to carry out treatment, payment and healthcare operations. But HITECH changed that, allowing patients to request these types of disclosures through an EHR.

When President Obama signed HITECH into law in February 2009, some providers called the accounting of disclosures provision a logistical nightmare because of the expansion of disclosure rights to patients.

In order to get ahead of the game, covered entities should document their uses, disclosures, and storage of PHI with EHRs or any other system or data repository, Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, says in the HCPro, Inc. April 2009 HIPAA and the HITECH Act whitepaper.

Keep audit logs of who accessed records, and what their role is. Besides the future requirement to track and make available PHI disclosed from an EHR, the HIPAA Security Rule requires the generation and review of audit logs.

Use a database to ensure all uses and disclosures are tracked as required by the HIPAA Privacy Rule and plan to maintain similar information related to disclosures when the future EHR accounting of disclosure requirements become reality.

The questions OCR asked providers last year included:

 

  • What are the benefits to the individual of an accounting of disclosures, particularly of disclosures made for treatment, payment, and healthcare operations purposes?
  • Are individuals aware of their current right to receive an accounting of disclosures? On what do you base this assessment?
  • If you are a covered entity, how do you make clear to individuals their right to receive an accounting of disclosures? How many requests for an accounting have you received from individuals?
  • For individuals that have received an accounting of disclosures, did the accounting provide the individual with the information he or she was seeking?
  • What is the feasibility of an [EHR] module that is exclusively dedicated to accounting for disclosures (both disclosures that must be tracked for the purpose of accounting under the current HIPAA Privacy Rule and disclosures to carry out treatment, payment, and healthcare operations)? Would such a module work with covered entities that maintain decentralized electronic health record systems?
  • Is there any other information that would be helpful to [OCR] regarding accounting for disclosures through an [EHR] to carry out treatment, payment, and healthcare operations?

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
