Tuesday, May 31, 2011

The Crystal Ball Was Right! First reg overview - Privacy

My last installment was apparently more timely than I realized! In that edition, I provided an overview of upcoming regulations to pay attention to. Today, two of those regulations appeared in the Federal Register:
Two additional regulations will appear in the next week:
  • Five Year Review of Work Relative Value Units Under the Physician Fee Schedule appearing June 6
  • Proposed Changes to Electronic Prescribing Incentive Program appearing June 1
For early copies of these two publications, go to the Office of the Federal Register.

Over the next several days, I will be breaking down these proposed rules. This first blog will break down the proposed privacy regulation.


This is a notice of proposed rulemaking which outlines implementation aspects of requirements from the Health Information Technology for Economic and Clinical Health Act (HITECH). However, the U.S. Department of Health and Human Services (HHS) "proposes to expand the accounting provision [of protected health information (PHI) disclosure] to provide individuals with the right to receive an access report indicating who has accessed electronic protected health information in a designated record set." 76 FR 31426

If you wish to submit comments on the regulation, they are due Aug. 1, 2011.

The Agency, in an aside, makes it clear why this regulation matters: "an individual is seeking information on why she has recently begun to receive information related to her health condition from a third party." This raises the question: what are you doing in your office to explain your care coordination procedures? You know your patients don't take the time to read the Privacy Notice fully. You can prevent concern up front.
Considerations to think about
This is a proposed rule, so none of these changes are final. However, consider the following:
  • While you hand out your annual Notice of Privacy Practices, does your office explain how you and others on the care team (including the health insurer) may reach out directly, or through a third party, about their condition? For example, I still get tons of calls about my asthma, which is seasonal, and I spend a great deal of time explaining that it's under control and that I am prepared every year for the onslaught of pollen. If I didn't know that the health plan does data mining and outsources these chronic condition programs to a third party, I would be livid that my medical record was disclosed (I could believe that it was sold). Instead, I do my best to tell the nurses that I am a good patient.
  • Have you worked with the patients who have to date received the disclosure accounting information to find out if the format and information are helpful? It's worthwhile to find out if there are things you can do to make it more transparent and simple to use.
  • As part of your EMR stimulus dollar purchase, have you asked your vendor about disclosure tracking?
Overview of Proposed Changes
  • A patient's individual right to access a written accounting of disclosures explained in a standardized "access report"
  • Accounting is for both written and electronic protected health information within a "designated record set"
  • Applies "when any person accesses an electronic designated record set, whether that person is a member of the workforce or a person outside the covered entity"
  • Defines what needs to be included in the accounting, noting too that "impermissible disclosures that did not rise to the level of breach" are covered
  • Disclosure accounting for three instead of six years
  • Revision to the annual HIPAA Privacy Notice requirements
Quick background
The "Kennedy-Kassebaum bill", also known as the Health Insurance Portability and Accountability Act (HIPAA), not only modified how COBRA is administered but in a few pages established standardized electronic transactions, significant privacy regulations and security requirements for "protected health information (PHI)". This legislation established what arguably is the modern medical industry backbone for health care transactions and business operations.

Covered entities are the parties that engage in health care, such as health plans, health care providers and those professionals directly involved in treatment, payment or other health care operations. Business associates are the third parties that come in touch with the PHI that comes out of the patient encounters described above. Business associates include (but are not limited to) claims billing services, chart abstraction services, dictation services, etc.

Designated Record Set defined
The Agency believes that this term limits the scope of PHI subject to accounting for both covered entities and business associates. "Designated record sets include the medical and health care payment records maintained by or for a covered entity, and other records used by or for the covered entity to make decisions about individuals. [...] We believe that this information which forms the basis for covered entities' health care and payment decisions about the individual, generally represent the protected health information that is of most interest to the individual." 76 FR 31430

The term is already defined in 45 CFR 164.501: "Designated record set means:
  1. A group of records maintained by or for a covered entity that is:
    (i) The medical records and billing records about individuals maintained by or for a covered health care provider;
    (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
    (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
  2. For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.
Responsibility for accounting
An interesting proposed change in the regulation would alter the responsibility for accounting. Specifically, "a covered entity would not be required to account for a business associate's disclosure of information outside of a designated record set." This is an important change. While the Business Associate is still responsible for accounting purposes, and thus for reporting unauthorized access and disclosures outside of the designated record set, the covered entity that it works with does not need to mirror records for anything other than the designated record set. This appears to streamline the rule and may decrease the accounting burden on covered entities.

Time period of accounting
This is a significant change and will likely have a positive effect on the health care industry. The proposed regulation reduces the period for PHI disclosure accounting from six years to three years. Of note, however: "We believe that it is appropriate to maintain a consistent accounting time period for all types of disclosures." So this requirement applies to both written and electronic PHI.

Bootstrapping paper records under this law
Although a predictable move by the Agency, I'm not sure if this proposed change is going to fly. The rule notes that "Disclosures to carry out treatment, payment and health care operations as provided in section 164.506 would continue to be exempt for paper records." 76 FR 31432 Yet it also notes, "in accordance with section 13405(c) of the HITECH Act, an individual would be able to obtain information (such as the name of the person accessing the information) for all access to electronic protected health information stored in a designated record set for purposes of treatment, payment and health care operations."

The way I read this, the Agency is using the "designated record set" to parse out the information included in the accounting requirement. Consider the following scenario: as a medical office, you contract with a clearinghouse to take your paper claims and convert them to electronic records. As part of one claim, the health plan requests that you submit medical records. Your office faxes them over, and the fax is converted into an electronic file that is stored on the health plan's system. Because a Business Associate (the clearinghouse) converts the medical claim, which is part of the designated record set, this seems to fit into the new scope of required accounting. Further, because the health plan (also a covered entity) has converted previously paper medical records to an electronic format, it would also seem that this format is included in the scope. I hope that HHS is working on a telepathy module for us all to download into our brains so we know when our business partners convert information that is sent to them to electronic formats.

Easing time period accounting
A very good development in the proposed rule is to permit multiple disclosures to the same individual for the same purpose to be reported as a time period. For example, "three disclosures that began in January 2010 and ended in May 2010 could be described as "between January 2010 and May 2010."" For individual disclosures, new flexibility is permitted with "a month and year (e.g., December 2010), or a date range (e.g., December 1, 2010 and December 15, 2010)" when the exact date of disclosure is not known. Further, the dates may be descriptive if that is part of normal business practice, such as "within 15 days of discharge." 76 FR 31434.

Accounting of disclosures that do not compromise the security or privacy of patient information
In instances where disclosures would put another patient in jeopardy of identity disclosure, the proposed rule would permit generic terms to describe who the information was disclosed to. "For example, if a physician's office mistakenly sends an appointment reminder to the wrong patient (and determines that the impermissible disclosure does not require breach notification because it does not compromise the privacy or security of the information), then the accounting may indicate that the disclosure was to "another patient."
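The two reporting rules above (collapsing repeated disclosures to the same recipient for the same purpose into a date range, month-and-year wording when the exact date is unknown, and "another patient" in place of a misdirected recipient's identity) are easy to get wrong by hand when the accounting is pulled from an access log. The following is an added example, not code from the blog or from HHS, showing one way a practice or EMR vendor might generate the accounting entries from a disclosure log. The `Disclosure` record, its field names, and the sample log entries are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Month names spelled out, so output does not depend on the system locale.
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]


@dataclass(frozen=True)
class Disclosure:
    """One disclosure-log entry (hypothetical schema, not from the rule)."""
    recipient: str            # who received the PHI
    purpose: str              # e.g. "payment", "treatment"
    when: date                # date logged for the disclosure
    exact_date_known: bool = True   # False -> report month and year only
    to_other_patient: bool = False  # misdirected, non-breach disclosure


def month_year(d: date) -> str:
    return f"{MONTHS[d.month - 1]} {d.year}"


def full_date(d: date) -> str:
    return f"{MONTHS[d.month - 1]} {d.day}, {d.year}"


def describe_recipient(entry: Disclosure) -> str:
    # Do not expose another patient's identity in this patient's accounting.
    return "another patient" if entry.to_other_patient else entry.recipient


def build_accounting(disclosures):
    """Turn raw log entries into accounting lines using the proposed rule's
    time-period flexibility: same recipient + same purpose collapse to a
    'between <month year> and <month year>' range."""
    groups = defaultdict(list)
    for d in disclosures:
        # Group on the real recipient so two different misdirected patients
        # are not merged; the identity is masked only when rendered.
        groups[(d.recipient, d.purpose)].append(d)

    report = []
    for (_, purpose), items in groups.items():
        items.sort(key=lambda d: d.when)
        if len(items) > 1:
            when = f"between {month_year(items[0].when)} and {month_year(items[-1].when)}"
        elif items[0].exact_date_known:
            when = full_date(items[0].when)
        else:
            when = month_year(items[0].when)
        report.append({
            "recipient": describe_recipient(items[0]),
            "purpose": purpose,
            "when": when,
            "count": len(items),
        })
    return report


# Constructed sample log for one patient (not real data).
SAMPLE_DISCLOSURES = [
    Disclosure("Example Health Plan", "payment", date(2010, 1, 12)),
    Disclosure("Example Health Plan", "payment", date(2010, 3, 5)),
    Disclosure("Example Health Plan", "payment", date(2010, 5, 20)),
    Disclosure("Referring Physician", "treatment", date(2010, 12, 1),
               exact_date_known=False),
    Disclosure("Patient B", "appointment reminder", date(2010, 12, 3),
               to_other_patient=True),
]


def sample_report():
    return build_accounting(SAMPLE_DISCLOSURES)


if __name__ == "__main__":
    for line in sample_report():
        print(f"{line['recipient']:<22} {line['purpose']:<22} {line['when']}")
```

Running the block prints three accounting lines: the three payment disclosures appear once as "between January 2010 and May 2010", the treatment disclosure with an unknown exact day appears as "December 2010", and the misdirected reminder appears with the recipient "another patient" rather than the other patient's name.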

[Part II will be posted soon.]