Lost in the excitement surrounding meaningful use is a HITECH requirement to expand the HIPAA Privacy Rule. Over the past several years HIPAA has risen to the top of many providers’ “least favorite acronym list.” The content of this post will likely strengthen HIPAA’s hold on the top spot.
The HITECH Act defined statutory requirements that compelled the Office of Civil Rights (OCR) to publish a notice of proposed rulemaking (NPRM) on May 31. (Seventy words in and I have already used four acronyms. What is the world coming to?) As you may recall, OCR is the entity within Health and Human Services charged with making sure we pay attention to HIPAA. Let me make it clear from the beginning that I am not a legal expert and what follows is my interpretation of analysis performed by some very intelligent folks.
In a nutshell, the NPRM proposes to tackle the HITECH requirements by creating two separate rights for individuals within the HIPAA Privacy Rule:
1. The right to an accounting of PHI disclosures (which exists today in a limited fashion), and
2. The right to an access report—basically a list of people who have electronically accessed the individual’s PHI. This is a new requirement mandated by the HITECH Act.
On the surface these appear to be reasonable requirements, but of course the devil is in the details. For example, item 1 is in play today as part of the HIPAA Privacy Rule. I can walk into my physician’s office and ask for a list of folks to whom my PHI was disclosed. Today, however, disclosures that are related to treatment, payment or health care operations, often referred to as TPO, are exempt from this record-keeping process. That would not be the case in the new world: the existing exemption for disclosures of PHI for treatment, payment or health care operations would no longer apply to disclosures made from an EHR.
The access report (item 2) is essentially a tabulation of every user within the practice who electronically “touches” the patient’s PHI. This is relatively easy to do within the covered entity (your practice). But expanding the requirement to each of your business associates could create worlds of fun from a reporting perspective.
The NPRM contains a host of other pertinent points and for those of you suffering with insomnia, the proposed rule may be read in its entirety here. Points of interest to the practicing nephrologist include:
• Today’s six-year look-back period would be reduced to three years, reducing the administrative burden for the practice.
• The notice of privacy practices you provide to every patient would be revised to inform the patient of their right to receive an access report and an accounting of disclosures.
• The timeline calls for a different deadline for compliance with the new access report depending on when you acquired your EHR. Providers acquiring their EHR after January 1, 2009, will be expected to meet this new requirement by January 1, 2013. Those acquiring their EHR earlier will have an extra year to comply with this requirement. The accounting requirement (item 1) will go into effect 240 days following the date HHS publishes the final rule.
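To make the two reports concrete, here is an added example (my own illustration, not code from the NPRM, OCR, or any EHR vendor) that builds an access report and an accounting of disclosures from a small, constructed audit log. It assumes the EHR writes one audit entry per electronic access with a timestamp, patient identifier, user, the user's organization (the practice or a business associate), and a purpose; it treats a "disclosure" as an access by any organization other than the covered entity, uses a 365-day year for the three-year look-back, and models the TPO exemption as a switch so the "today" rule and the proposed EHR rule can be compared side by side.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (not from any real EHR). Each tuple is one
# electronic access to a patient's record:
#   (timestamp, patient_id, user, organization, purpose)
SAMPLE_AUDIT_LOG = [
    ("2010-09-14T08:02:00", "P-1001", "dr.smith",  "Nephrology Associates", "treatment"),
    ("2010-09-14T08:05:00", "P-1001", "j.nurse",   "Nephrology Associates", "treatment"),
    ("2011-01-20T13:45:00", "P-1001", "billing01", "Acme Billing (BA)",     "payment"),
    ("2011-03-02T10:10:00", "P-1001", "dr.smith",  "Nephrology Associates", "treatment"),
    ("2011-05-11T16:30:00", "P-1001", "auditor.k", "Nephrology Associates", "operations"),
    ("2011-06-01T09:00:00", "P-1001", "researchx", "University Registry",   "research"),
    ("2007-04-03T11:00:00", "P-1001", "old.user",  "Nephrology Associates", "treatment"),  # outside look-back
    ("2011-06-02T09:00:00", "P-2002", "dr.smith",  "Nephrology Associates", "treatment"),  # other patient
]

COVERED_ENTITY = "Nephrology Associates"          # assumed name of "your practice"
TPO_PURPOSES = {"treatment", "payment", "operations"}
AS_OF = datetime(2011, 6, 30)                     # constructed request date


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def _in_window(entries, patient_id, as_of, lookback_years):
    """Yield (time, user, org, purpose) for one patient inside the look-back period."""
    start = as_of - timedelta(days=365 * lookback_years)   # assumption: 365-day years
    for ts, pid, user, org, purpose in entries:
        t = _parse(ts)
        if pid == patient_id and start <= t <= as_of:
            yield t, user, org, purpose


def access_report(entries, patient_id, as_of=AS_OF, lookback_years=3):
    """Access report (item 2): every user, inside or outside the practice, who
    electronically touched the record, with first/last access and a count."""
    rows = {}
    for t, user, org, purpose in _in_window(entries, patient_id, as_of, lookback_years):
        row = rows.setdefault((user, org), {"user": user, "organization": org,
                                            "first_access": t, "last_access": t, "count": 0})
        row["first_access"] = min(row["first_access"], t)
        row["last_access"] = max(row["last_access"], t)
        row["count"] += 1
    return sorted(rows.values(), key=lambda r: (r["organization"], r["user"]))


def accounting_of_disclosures(entries, patient_id, as_of=AS_OF, lookback_years=3,
                              exempt_tpo=True, covered_entity=COVERED_ENTITY):
    """Accounting of disclosures (item 1): chronological list of accesses by
    organizations other than the covered entity. exempt_tpo=True mirrors today's
    rule (TPO disclosures dropped); False mirrors the proposed rule for EHR data."""
    out = []
    for t, user, org, purpose in _in_window(entries, patient_id, as_of, lookback_years):
        if org == covered_entity:
            continue                      # internal use, not a disclosure
        if exempt_tpo and purpose in TPO_PURPOSES:
            continue                      # exempt under the current rule
        out.append({"when": t.isoformat(), "user": user, "organization": org, "purpose": purpose})
    return sorted(out, key=lambda d: d["when"])


if __name__ == "__main__":
    for row in access_report(SAMPLE_AUDIT_LOG, "P-1001"):
        print(f'{row["organization"]:24} {row["user"]:10} accesses={row["count"]}')
    print("disclosures, current rule:", accounting_of_disclosures(SAMPLE_AUDIT_LOG, "P-1001"))
    print("disclosures, proposed rule:", accounting_of_disclosures(SAMPLE_AUDIT_LOG, "P-1001", exempt_tpo=False))
```

The interesting line is the `exempt_tpo` switch: with it on, the billing associate's payment-related access never appears in the accounting; with it off, as the NPRM proposes for EHR disclosures, it does, which is exactly the extra bookkeeping the post is warning about. The access report, by contrast, lists the business associate and the outside registry regardless of purpose, which is why pulling it together across every associate's system is the harder part.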
Maintaining the privacy of a patient’s health information is a very important responsibility. This is especially pertinent within the context of electronic health records. Unfortunately the approach outlined in the NPRM may lead to an increase in your practice’s administrative overhead. If that occurs, I suspect most nephrologists will take the OCR off of their Christmas list. The public comment period for this NPRM remains open through August 1, 2011. Do you have a comment regarding this proposal? We would like to hear from you.