The number of entities reporting breaches of unsecured PHI affecting at least 500 individuals to the Office for Civil Rights, the enforcer of the HIPAA privacy and security rules, reached 265 as of Friday.
By the middle of March, 249 entities had reported breaches, meaning an increase of 16 in the last 45 days, which is behind the pace established since OCR began posting the breaches more than a year ago.
OCR, per a provision in the Health Information Technology for Economic and Clinical Health (HITECH) Act, began posting the entities and information about their large breaches in February 2010. In 15 months, an average of about 18 reports per month, or a little more than one every other day, has surfaced on the OCR website.
Health insurance giant Health Net, Inc. earned the spot as the largest on the list after it reported its potential breach affecting the health records of 1.9 million past and current enrollees to OCR in March. On the Health Net report, the "type of breach" is "unknown," and the "location of breached info" is listed as "other."
At No. 2 is a breach in Manhattan that affected 1.7 million patients. On February 9, The New York City Health and Hospitals Corporation (HHC) reported that it had begun to notify the affected patients, staff, contractors, vendors, and others who were treated by or provided services to HHC during the past 20 years.
Prior to that, the breach affecting the most individuals for a long stretch was that of AvMed, Inc. of Florida, whose Dec. 10, 2009, breach involving a laptop affected 1.22 million individuals.
Blue Cross Blue Shield of Tennessee, whose Oct. 2, 2009 breach affected 998,442 individuals, owns the fourth spot on the list. That incident involved the theft of hard drives.
OCR's breach list is required by HITECH, the privacy subpart of the American Recovery and Reinvestment Act of 2009 that includes greater breach notification requirements, more public scrutiny, and increased fines for HIPAA violations.
The latest social media gaffe by the healthcare industry comes from Rhode Island, where a physician was fined $500 this month for posting information online about her experiences at work. The 48-year-old emergency department physician also had her privileges terminated at Westerly Hospital, after the board determined that she had "used her Facebook account inappropriately to communicate a few of her clinical experiences at the hospital's emergency department."
So, control the urge to post any information on Facebook, Twitter or any other social media sites that could indirectly identify your patients. Or, just never post anything about your hospital duties at all in any public venue.
Easier said than done, right? Of course.
The Rhode Island incident reminds healthcare leaders that organizations must have a social media policy in place, and that management must make it transparent.
Here is a quick checklist of questions to ask regarding a social media policy at your hospital. It is provided by Phyllis Patrick, MBA, FACHE, CHC, and business partner Angel Hoffman, RN, MSN, cofounders of the AP Health Care Compliance Group:
Does your organization already have a policy addressing social media?
Does the policy reflect the viewpoints and needs of various stakeholders (e.g., patient care, research, education)?
How does the policy support the mission, vision, and values of your organization?
Is your primary interest restricting or enabling the use of social media?
Does your organization view social media as a highly effective information gateway?
Have you asked your workforce how the organization can take advantage of the benefits of social media and avoid the pitfalls?
Have you developed a strong business case for social media use, supported at the appropriate level for each department and functional area, considering the organization's mission, vision, and values; possible threats; technical capabilities; and potential benefits?
Does your IT staff understand that the goal should not be to say "no" to social media, but to follow good security guidance, with effective and appropriate security and privacy controls?
How does the policy affect your relationship with business partners and vendors/contractors?
How do you conduct training on the appropriate use of social media (on- and off-site)? Are you including appropriate use of social media in your overall security and privacy awareness training program?
How will you capture social media traffic and audit, analyze, and use it for security and privacy investigations, as appropriate?
Have you reviewed the Financial Industry Regulatory Authority's (FINRA) Regulatory Notice 10-06, Guidance on Blogs and Social Networking Web Sites, to determine its applicability to your organization and how you might use its recommendations to strengthen your organization's social media program? (Note: FINRA provides guidance on the responsibilities of companies to supervise the use of social networking sites. You can find the guidance here).
How does your organization plan to use social media to generate new strategies, engage, and learn?
Healthcare privacy and security teams watch closely for new rules and regulations from the government that will modify the HIPAA privacy and security rules.
However, they should also keep an eye on another security standard that last month cost a Boston restaurant chain $110,000. The Payment Card Industry (PCI) Data Security Standard (DSS), first released in 2004, requires any entities that accept credit cards to protect that information from theft.
In Boston last month, The Briar Group LLC, which runs popular restaurants in the city, agreed to pay $110,000 in a settlement after it was charged with not taking reasonable steps to protect diners' personal information from credit and debit cards.
Healthcare entities must take caution here, too. Those that take plastic, must comply with PCI DSS. And not all entities are aware of the standard, says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
"I think healthcare organizations - and many others - are still unaware of PCI DSS," Borten says. "They may or may not be directly affected by DSS, depending on circumstances, but in any case, the security requirements are, like ISO (International Organization for Standardization), HIPAA, and other regulations and frameworks, simply good practice."
PCI DSS standards require organizations that take plastic to:
Build and maintain a secure network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
Requirement 5: Use and regularly update antivirus software
Requirement 6: Develop and maintain secure systems and applications
Implement strong access control measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly monitor and test networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an information security policy
Requirement 12: Maintain a policy that addresses information security
Borten says she used the news out of Boston to help students in her security class understand the importance of protecting firewalls.
"PCI DSS Requirement 1 deals with firewalls and includes many, many detailed good practices for any healthcare organization today," Borten says. "Not only is DSS good advice, but simply the existence of such standards makes it harder for any organization to defend itself in case of a breach and the organization isn't following them."
Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, in Des Moines, IA, agrees with Borten that many healthcare entities are not aware of PCI DSS.
She also cautions that after President Obama in December 2010 removed some entities from the Red Flag Rule's requirements, many, and perhaps most, healthcare providers dropped the Red Flag Rule from their area of concern entirely. However, they need to know that this change did not exclude all healthcare providers.
"It only excluded those healthcare providers that do not regularly request credit reports for credit transactions from needing to comply with the Red Flags Rule," Herold says. "There are still many providers who, because of the way they accept payments, must still follow the Red Flags Rule."
The Boston restaurant incident should highlight to hospitals that they need to go beyond the boundaries of HIPAA and the HITECH Act, Herold adds. They must ensure they are appropriately safeguarding all the information related to payment processing, and the associated credit checks that go along with it.
"Hospitals are, by their nature, open environments with an abundance of patients, visitors and other non-workers constantly going into the many different areas of the hospital," Herold says. "I know that it is increasingly common for hospitals to accept credit card payments beyond their gift stores and cafeterias."
At a high level, Herold says, a basic strategy hospitals should take to reduce their risks includes the following:
Assign a position or person to be responsible for ensuring the security of credit card information, and appropriate controls for using credit cards
Implement policies and procedures covering how credit cards can, and cannot, be used, in addition to how the related information may be used, shared, stored, destroyed, and generally safeguarded
Implement technological, operational and administrative controls to protect digital credit card data, as well as hard copy data, and even credit cards themselves that may be obtained
Provide regular training and ongoing awareness communications to personnel who collect, process, store, and otherwise have access to credit card information
Consistently enforce and sanction non-compliance, along with having strong executive support for the policies and related actions.
Further, Herold says, take these specific actions to reduce risks:
Make sure only those who have responsibilities for credit card payments can access credit card information
Make sure personnel who have possession of credit cards keep those cards from others, and maintain control and security for them at all times
Do not throw away hard copy credit card slips without finely shredding them or putting them into secured trash receptacles
Do not allow non-personnel and others without responsibilities for credit card payments to access the payment systems. This includes keeping stations that access such payment systems well-secured and locked when no one authorized is around.
Do not keep credit card payment information within patient files, or with patient papers posted in or outside of patient rooms
Health insurance giant Health Net, Inc. has formally reported its potential breach affecting the health records of 1.9 million past and current enrollees to the Office for Civil Rights (OCR), officially making the March breach the largest published on the OCR website.
OCR began posting entities that report breaches affecting 500 or more individuals in February 2010, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
On the Health Net report, the "type of breach" is "unknown," and the "location of breached info" is listed as "other."
Last month, for the second time in less than a year, Health Net announced an investigation into the potential loss of nine server drives that included personal health information and personal information of past and current enrollees from its data center operation in Rancho Cordova, CA.
The insurer, which serves 6 million, did not initially release the number of affected individuals.
The information in the breach may include:
Names
Addresses
Health information
Social Security numbers
Financial information
IBM, a business associate of Health Net that manages its IT infrastructure, notified the insurer that it could not locate several server drives.
The OCR previously listed the New York City Health and Hospitals Corporation (HHC) as having the largest breach. HHC's breach affected 1.7 million patients, staff, contractors, vendors, and others who were treated by or provided services to HHC during the past 20 years, after personal information was stolen from a business associate's van in Manhattan.
The Office for Civil Rights, the enforcer of the HIPAA privacy and security rules, is asking for an increase of $5.6 million in its Fiscal Year 2012 budget proposal, mostly to adhere to HIPAA compliance and enforcement requirements.
Nearly half ($2.283 million) is needed because of OCR's requirement to hire "regional privacy officers" who offer guidance and education to covered entities, business associates, and individuals regarding HIPAA privacy and security.
OCR is requesting another $1.335 million to help investigate HITECH breach reports. As of September 30, 2010, OCR had received a total of 9,300 breach reports: 191 impact more than 500 individuals and 9,109 impact fewer than 500 individuals.
The numbers have increased since the report. As of Wednesday, March 16, 249 entities have reported breaches affecting 500 or more individuals to OCR.
OCR says it needs help investigating the small breaches. It needs additional full time equivalent employees and resources to "ensure it is able to conduct investigations of potential small- and mid-sized breaches."
The new breach reports represent a 109% increase in OCR's HIPAA workload – and they are in addition to the nearly 9,400 HIPAA privacy and security rule complaints that OCR received in FY 2010.
"Based on OCR's current HIPAA case load, almost all breach reports that impact [fewer] than 500 individuals are not investigated," OCR writes.
OCR's other budget requests are:
Enforcement of the HIPAA Security Rule ($1 million). Helps support OCR's new delegated authority for the administration and enforcement of the security standards in the HIPAA Security Rule.
Compliance review program ($1 million). Supports OCR's establishment of a compliance review program designed to evaluate, educate, and ensure compliance within a sample of the expanded covered programs and providers each year. OCR anticipates that FY 2012 will be the starting point for a steady increase in civil rights complaints requiring investigation and compliance reviews.
"OCR's 2012 Budget Justification highlights that while our workload has increased, we are working smarter and more strategically to fortify our enforcement activities across the board," an OCR spokesperson wrote in an e-mail to HealthLeaders Media. "OCR is the primary defender of the public's right to privacy and security of protected health information and the public's right to non-discriminatory access to federally-funded health and human services, and we take these responsibilities very seriously."
Another HITECH enforcement requirement – OCR's periodic audits – has yet to be released. The last update came last May when OCR announced it had hired an outside firm, Booz Allen Hamilton, to help build its HITECH-required HIPAA auditing plan. OCR told HealthLeaders Media it was "presently engaged in a contract to survey and recommend strategies for implementing the HITECH audit requirement."
State attorneys general will be getting a few lessons in HIPAA. The Office for Civil Rights, the enforcer of the HIPAA privacy and security rules, announced this week training sessions for state AGs to help them in their new authority to enforce the HIPAA privacy and security rules.
The HITECH Act gave state attorneys general authority to bring civil actions on behalf of state residents for HIPAA violations. It also permits the attorneys to obtain damages on behalf of state residents.
Some haven't wasted any time.
Last July, Connecticut Attorney General Richard Blumenthal's office announced a $250,000 settlement with insurer Health Net and its affiliates regarding a breach of personal health information affecting nearly a half million Connecticut enrollees.
The settlement was a landmark one because Blumenthal's office was the first to cash in on the HITECH-granted authority.
As for the training, OCR's sessions will include the following topics:
General introduction to the HIPAA privacy and security rules
Analysis of the impact of HITECH on the HIPAA privacy and security rules
Investigative techniques for identifying and prosecuting potential violations
A review of HIPAA and state law
OCR's role in enforcing the HIPAA privacy and security rules
State AGs' roles and responsibilities under HIPAA and HITECH
Resources for state AGs in pursuing alleged HIPAA violations
HIPAA enforcement support and results
The training takes place at the following sites and dates:
Dallas: April 4 and 5
Atlanta: May 9 and 10
Washington, DC (metro area): May 19 and 20
San Francisco: June 13 and 14
Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP, puts adding state attorneys general to the HIPAA enforcement mix this way: "There are 50 new sheriffs in town."
"Most state AGs are elected, and almost all of them do everything they can to get re-elected," says Drummond. "That means they'll be much more susceptible to public or political pressure to pursue HIPAA violations, particularly if there's a 'good story' behind the breach. They want to be seen as protecting the little guy, and they're much more incentivized" than OCR.
Cignet Health's failure to cooperate with the government's HIPAA privacy and security enforcer just cost the Maryland hospital system $3 million.
It cost the system another $1.3 million when it failed to provide patients copies of medical records within 30 (and no later than 60) days.
The message can't be any clearer: when the Office for Civil Rights (OCR) knocks, answer the door.
About 48 hours after the Cignet news broke, OCR announced a $1 million settlement against Massachusetts General Hospital in Boston for an incident involving the loss of 192 patient records belonging to Mass General's Infectious Disease Associates outpatient practice, including patients with HIV/AIDS.
Get it? It's a crackdown.
One security officer who "got it" before Cignet's landmark fine and settlement were announced is Greg Young.
Young, the information security officer at Mammoth Hospital in Mammoth Lakes, CA, has worked with OCR on a handful of investigations.
"I never had the sense they were going to let me get away with anything," Young says. "They were pretty demanding and yet always professional. At one point they reminded me that they have the last word. Though I thought I was cooperating, they wanted more details. I'm amazed that Cignet got away with as much as they did for as long as they did."
One investigation involved a former employee of the hospital who claimed his medical records were accessed inappropriately. OCR's investigation took about five to six months. Federal officials determined that there had been no such inappropriate access.
During the investigation, Young retained all of his hospital's communications with the former employee and OCR in an electronic file. He also kept the access audit logs for the employee's medical records, copies of which OCR asked for.
"It was reasonable, and I shared everything with them," Young says. "We documented the incident report and the e-mail exchanges. I created an electronic folder and put copies of emails, phone calls and notes, into it and had an investigative log in there that has the timeline of all related events. They wanted me to produce audits of the complainant's record, and they ended up agreeing with us."
Another OCR investigation involving Mammoth concerned a patient who claimed a co-worker should not have been allowed in the treatment room, though it could not be corroborated that the patient ever said so during the stay, Young says.
The end result came when OCR asked Mammoth to change its policies and procedures and be more proactive to ensure patients know they can refuse certain folks' presence in their hospital room.
"OCR wants to see you are taking these things seriously," Young says. "If you don't, they don't hesitate to inform you there are really going to be consequences."
Today, Young is as proactive as ever about training. One big part is issuing commendations. In fact, he awards folks for good privacy and security practices by distributing one-page commendations to individual employees, their managers and human resources.
It's little things like this that help employee morale – and help when OCR or state auditors come knocking.
"It's great for the employees," Young says. "And now, maybe they see that Greg is not just looking for the bad guys, he's looking for the good guys, too. And we're using the commendations as a tool for any regulatory agency that wants to audit us. It shows historically we encourage people to report things and then proactively respond by immediately addressing the risk before it becomes something reportable."
The Department of Health and Human Services' Office for Civil Rights intends to strengthen HIPAA compliance requirements under the HITECH Act. The proposed changes would make BAs directly liable for HIPAA breaches, and subcontractors of BAs would also have to be compliant with HITECH and HIPAA. And that means they would have to comply with the HIPAA Security Rule and the use and disclosures provisions of the HIPAA Privacy Rule.
But is HITECH alone enough to ensure BAs and their subcontractors comply?
Not really, says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA.
A contract satisfies HITECH requirements. In it, make sure you include language that requires physical safeguards and asks BAs to document and prove their security measures and their plans for incident response.
Case in point: The theft of an electronic medical records file in Manhattan may affect as many as 1.7 million patients. It is the largest breach since OCR began posting breaches on its website in February 2010. On February 9, The New York City Health and Hospitals Corporation (HHC) reported on its website that it began to notify 1.7 million patients, staff, contractors, vendors, and others who were treated by and/or provided services during the past 20 years.
HHC said the breach involves a reported theft of electronic record files that contained PHI, personal information, and personally identifiable employee medical information (PIEMI).
The loss of this data, HHC said, occurred through the negligence of a "contracted firm that specializes in the secure transport and storage of sensitive data." In other words, the breach is attributed to a BA of HHC.
An HHC spokesman said in an e-mail to HealthLeaders Media that the van from which the records were stolen is owned by an information-management company the corporation hired to handle patient records: GRM Information Management Services, a contracted firm that specializes in the secure transport and storage of sensitive data.
As a result of this theft, HHC said it took additional actions to further secure the transport of backup data off-site, including:
Suspending the transport of unencrypted backup files from any HHC facility to off-site storage locations
Expediting its plan to upgrade critical data to the 256-bit Advanced Encryption Standard, considered by the federal government as the highest level of protection against tampering. At the time of the theft, HHC had already upgraded and encrypted nearly 80 percent of the 1,568 systems applications used throughout the corporation. The upgrade is expected to be completed by the fall of 2011.
Replacing GRM with a new vendor to handle offsite backup data that will be stored in highly protected facilities that have climate-controlled dedicated tape vaults, secured keycard access, video surveillance and trained personnel
"[This breach] demonstrates why healthcare providers, and all kinds of organizations with sensitive information, need to ensure their business associates to whom they entrust confidential and sensitive information have effective safeguards in place," Herold says. "Counting on just a BA agreement is not enough. Organizations need to go further and require business associates to provide some kind of proof or assurance that they actually have safeguards in place. If they don't obtain some type of assurance, it is likely this type of incident will happen."
Herold says she has audited more than 200 BA information security and privacy programs, and almost all the folks in the information security and IT areas in those organizations had not seen the BA contract.
"[They] had no clue what their acquisitions and contracting department had agreed to in the contracts with regard to information security and privacy activities," she says.
HHC said on its website that it "values and protects individuals' privacy and confidentiality and deeply regrets any inconvenience and concern this may create for patients, staff, and others affected … There is no evidence to indicate that the information has been inappropriately accessed or misused."
HHC is providing information and credit monitoring services to all affected individuals who may be worried about possible identity theft.
Use of encryption limits damage, Herold says. "This incident once more demonstrates why any type of mobile PHI (moving on legs, wheels or otherwise outside of the secured server located within the appropriate facility) needs to be encrypted when in electronic form, and locked securely when in print form."
Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP, agrees, offering the following advice: "Encrypt. Or at least lock your car doors."
The Office for Civil Rights (OCR), HIPAA privacy and security enforcer, has issued its first civil money penalty to a covered entity for violations of the HIPAA Privacy Rule, according to a press release posted today on the Department of Health & Human Services (HHS) website.
The OCR fined Cignet Health, of Prince George’s County, MD, $4.3 million for the violations, which also marks the first time federal regulators have used the new monetary penalty structure under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Cignet violated the rights of 41 patients when it denied them access to their medical records, which they requested between September 2008 and October 2009, according to HHS.
Further, Cignet did not respond to OCR’s demands to produce the records and did not cooperate with investigations.
When reached by phone Tuesday afternoon, a customer service representative from Cignet Health said Dr. Dan Austin, CEO, would handle requests from media. He was unavailable at the time, the representative said.
The violations are considered “willful neglect”, and fall under the most egregious penalty scale under HITECH, according to Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, in Des Moines, IA.
The penalty amount demonstrates the significance of “willful neglect” violations by entities who are “not actively trying to get into compliance and stay in compliance,” Herold says. Further, it shows the importance of having policies and procedures in place to follow during an OCR investigation.
“This should also serve as an example and provide good motivation for all covered entities and business associates to get into compliance, and maintain compliance, with HIPAA and HITECH,” Herold says. “[Privacy and security officers] need to show this news report to their CEOs and CFOs to prove that penalties not only can occur, but that they have now started, and with quite a big, financially painful bang.”
The patients who requested the medical records individually filed complaints with OCR, initiating the government’s investigations. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of his or her medical records within 30 days of the patient’s request, with one possible 30-day extension. Those violations cost Cignet Health $1.3 million. Failing to cooperate with the government investigation accounted for the other $3 million in fines. The penalties are based on amounts authorized by Section 13410(d) of HITECH.
Herold says she expects more patients and patients’ rights groups to submit complaints to OCR in hopes of the same result.
“Due to their apparent lack of compliance, as well as demonstrable arrogance with regard to dealing with the OCR investigators, Cignet now has the dubious honor of being the poster child for HIPAA/HITECH willful neglect,” Herold adds.
This isn’t the first HIPAA violation involving large fines. CVS Caremark Corp. reached a settlement of $2.25 million for potential HIPAA violations in February 2009, and Rite Aid Corporation in the same investigation settled for $1 million a year and a half later. In addition, Health Net, Inc. agreed to pay $250,000 to the state of Connecticut for HIPAA violations in 2010.
Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP, notes that OCR hasn’t handed out any “true fines,” rather just settlements, until now.
"It's hard to know exactly what was going on at Cignet, but failing to cooperate with an OCR investigation, much less failing to directly address customer complaints that raise HIPAA issues, is just plain stupid," Drummond says. "For some time now, many of us who follow HIPAA have been waiting for OCR to find a particularly egregious case and deliver a significant fine, so that some in the healthcare industry who have gotten lackadaisical about HIPAA compliance will sit up and take notice. This may just be the case."
The Department of Health & Human Services (HHS) pushed forward a HITECH-required proposed rule on accounting of disclosures of EHRs Wednesday.
The rule will lay the foundation for what healthcare providers will be accountable for when patients request disclosures on their electronic medical records. The Office of Management and Budget (OMB) reviews all rules before they are made final. The process could take anywhere from one to 90 days.
HITECH expands an individual's right to request an accounting of disclosures of his or her health record.
The Office for Civil Rights (OCR), the enforcer of the HIPAA privacy and security rules, in May 2010 published a notice in the Federal Register asking for help crafting this proposed rule on accounting of disclosures on EHRs.
OCR wrote that it wanted to “better understand the interests of individuals with respect to learning of such disclosures, the administrative burden on covered entities and business associates of accounting for such disclosures, and other information that may inform [our] rulemaking in this area."
Current law exempts disclosures to carry out treatment, payment and healthcare operations. But HITECH changed that, allowing patients to request these types of disclosures through an EHR.
Because of the expansion of disclosure rights to patients, when President Obama in February 2009 signed HITECH into law, some providers called the accounting of disclosures provision a logistical nightmare.
To get ahead of the game, covered entities should document their uses, disclosures, and storage of PHI in EHRs or any other system or data repository, says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, in the HCPro, Inc. April 2009 HIPAA and the HITECH Act whitepaper.
Keep audit logs of who accessed records, and what their role is. Besides the future requirement to track and make available PHI disclosed from an EHR, the HIPAA Security Rule requires the generation and review of audit logs.
Use a database to ensure all uses and disclosures are tracked as required by the HIPAA Privacy Rule and plan to maintain similar information related to disclosures when the future EHR accounting of disclosure requirements become reality.
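The audit-log and disclosure-tracking advice above, worked through as an added example that is not from the article, Apgar's whitepaper, or any EHR product: a small disclosure log that records who disclosed what and in which role, and answers a patient's accounting request either under the current Privacy Rule (treatment, payment and operations exempt) or under the HITECH expansion (EHR disclosures for those purposes included). The purpose codes, field names, and sample entries are constructed for the example.

```python
"""Accounting-of-disclosures log (added example; hypothetical field and purpose names)."""
from dataclasses import dataclass
from datetime import date

# Treatment, payment and healthcare operations: the purposes the article says the
# current Privacy Rule exempts from an accounting, and that HITECH brings back in
# for disclosures made through an EHR.
TPO_PURPOSES = {"treatment", "payment", "operations"}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    when: date
    actor: str          # user or system account that made the disclosure
    actor_role: str     # the actor's role, as the article advises logging
    recipient: str      # who received the PHI
    purpose: str        # constructed purpose codes, e.g. "treatment", "public_health"
    description: str    # brief statement of what was disclosed
    via_ehr: bool       # True if the disclosure was made from or through the EHR


class DisclosureLog:
    """Append-only in-memory store standing in for the database the article recommends."""

    def __init__(self) -> None:
        self._entries: list[Disclosure] = []

    def record(self, entry: Disclosure) -> None:
        # Every entry must carry a purpose, since the accounting rules hinge on it.
        if not entry.purpose:
            raise ValueError("purpose is required for every disclosure")
        self._entries.append(entry)

    def accounting(self, patient_id: str, start: date, end: date,
                   hitech_ehr_rule: bool) -> list[Disclosure]:
        """Disclosures reportable to the patient for the inclusive date range.

        hitech_ehr_rule=False: current Privacy Rule, TPO disclosures excluded.
        hitech_ehr_rule=True: HITECH expansion, TPO disclosures made through an
        EHR are included; TPO disclosures made outside the EHR stay excluded.
        """
        out = []
        for d in self._entries:
            if d.patient_id != patient_id or not (start <= d.when <= end):
                continue
            if d.purpose in TPO_PURPOSES and not (hitech_ehr_rule and d.via_ehr):
                continue
            out.append(d)
        return sorted(out, key=lambda d: d.when)

    def access_by_role(self, patient_id: str) -> dict[str, int]:
        """Entries per actor role for one patient: the summary an investigator asks for."""
        counts: dict[str, int] = {}
        for d in self._entries:
            if d.patient_id == patient_id:
                counts[d.actor_role] = counts.get(d.actor_role, 0) + 1
        return counts


def build_sample_log() -> DisclosureLog:
    """Constructed sample entries for the example (not real patients or staff)."""
    log = DisclosureLog()
    log.record(Disclosure("P-1001", date(2011, 1, 5), "jdoe", "nurse",
                          "consulting physician", "treatment", "visit summary", True))
    log.record(Disclosure("P-1001", date(2011, 1, 9), "billing01", "billing",
                          "health plan", "payment", "claim", True))
    log.record(Disclosure("P-1001", date(2011, 2, 1), "records02", "HIM",
                          "state health department", "public_health", "lab result", True))
    log.record(Disclosure("P-1001", date(2011, 2, 14), "mjones", "pharmacy tech",
                          "outside pharmacy", "treatment", "faxed paper prescription", False))
    log.record(Disclosure("P-2002", date(2011, 1, 20), "jdoe", "nurse",
                          "consulting physician", "treatment", "visit summary", True))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for rule in (False, True):
        rows = log.accounting("P-1001", date(2011, 1, 1), date(2011, 12, 31), rule)
        print(f"HITECH EHR rule={rule}: {len(rows)} reportable disclosure(s)")
        for d in rows:
            print(f"  {d.when} {d.actor} ({d.actor_role}) -> {d.recipient}: {d.purpose}")
    print("access by role:", log.access_by_role("P-1001"))
```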
The questions OCR asked providers last year included:
What are the benefits to the individual of an accounting of disclosures, particularly of disclosures made for treatment, payment, and healthcare operations purposes?
Are individuals aware of their current right to receive an accounting of disclosures? On what do you base this assessment?
If you are a covered entity, how do you make clear to individuals their right to receive an accounting of disclosures? How many requests for an accounting have you received from individuals?
For individuals that have received an accounting of disclosures, did the accounting provide the individual with the information he or she was seeking?
What is the feasibility of an [EHR] module that is exclusively dedicated to accounting for disclosures (both disclosures that must be tracked for the purpose of accounting under the current HIPAA Privacy Rule and disclosures to carry out treatment, payment, and healthcare operations)? Would such a module work with covered entities that maintain decentralized electronic health record systems?
Is there any other information that would be helpful to [OCR] regarding accounting for disclosures through an [EHR] to carry out treatment, payment, and healthcare operations?