EHR Disclosure Rule Moving Forward
OMB Is Reviewing HITECH-Mandated Proposal
The rule, mandated under the HITECH Act, will spell out how hospitals, clinics and others must comply with patient requests for an accounting of who outside of the organization that created an EHR has accessed the information.
The Department of Health and Human Services forwarded the proposal to the Office of Management and Budget on February 9. OMB reviews all rules before they are published in the Federal Register. How long that review will take remains to be seen.
Once the notice of proposed rulemaking is published in the Federal Register, HHS will accept comments on the rule before it's finalized.
Disclosure Rule Delayed
The accounting for disclosures provision, prepared by HHS' Office for Civil Rights, was not included in an earlier proposal to modify HIPAA privacy, security and enforcement rules because authorities needed extra time to obtain comments on the complex issues involved and create a plan for addressing all concerns.
The current version of the HIPAA privacy rule allows covered entities to disclose health information for treatment, payment and healthcare operations without a patient's written consent. Under the new accounting for disclosures mandate in HITECH, organizations must document these disclosures and make the accounting available to consumers.
When the Office for Civil Rights asked for comments on the issues involved in accounting for disclosures, many of them reflected "a misunderstanding of or perhaps ambiguities around the definition of what a disclosure is," said Dixie Baker, a federal adviser who's a senior vice president at SAIC. She explained in a recent interview with HealthcareInfoSecurity.com: "A disclosure is defined as the release, transfer, provision of access or divulging of information outside the entity holding the information. But many of the comments related to the difficulty and/or the usefulness of recording the reason for each access that any user within an organization makes."
Baker acknowledged that it's not always easy to distinguish between disclosures of records inside vs. outside an organization. "For example, physicians working in a hospital may be business associates of that hospital and not employees. So it is a complex issue. In my opinion, the HITECH regulations that have been published so far have been quite reasonable and consistent with the overall objective of raising the bar without crippling the system. So I expect this regulation to hold to that principle as well."
In a speech last August, Adam Greene, senior health information technology and privacy specialist at the Office for Civil Rights, acknowledged that accounting for disclosures of patient information in electronic health records will prove to be "a very daunting challenge." (See: EHR Disclosures: Tackling the Challenge.)
Greene said the office hoped "to put the onus on electronic health records vendors," by including in the new rule specific requirements for how EHR software must accommodate these disclosures. In that way, some of the difficulties involved in reporting disclosures will be eased for healthcare organizations, he contended.
HIPAA Modifications Proposal
A final version of the HIPAA modification rule, without the accounting for disclosures provision, is expected in March.
That rule would, among other things, require organizations that maintain EHRs to offer electronic copies to patients upon request. It also would enable patients to request that an electronic record be transmitted to another provider organization.
In addition, the rule would enable individuals to obtain restrictions on certain disclosures of information to health plans if they pay out of their own pockets for services.