Monday, May 03, 2010

OCR Request for Information: HIPAA Privacy Rule Accounting of Disclosures under HITECH

Today the Office for Civil Rights (OCR), Department of Health and Human Services issued a Request for Information titled HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act (75 Fed Reg 23214 May 3, 2010). More information at the OCR website.

The Request for Information by OCR seeks comments from health consumers and health care providers/organizations. OCR seeks information on the following areas:
  • Understanding the interests of individuals (health consumers) with respect to learning of such disclosures; and
  • The administrative burden on covered entities (health care providers/organizations) and business associates of accounting for such disclosures.
The Request for Information states that Section 13405(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act expands an individual’s right under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to receive an accounting of disclosures of protected health information made by HIPAA covered entities and their business associates. In particular, section 13405(c) of the HITECH Act requires that the HIPAA Privacy Rule be amended to require covered entities to account for disclosures of protected health information to carry out treatment, payment, and health care operations if such disclosures are through an electronic health record.

The Request for Information requests specific comments on the following nine questions:

1. What are the benefits to the individual of an accounting of disclosures, particularly of disclosures made for treatment, payment, and health care operations purposes?

2. Are individuals aware of their current right to receive an accounting of disclosures? On what do you base this assessment?

3. If you are a covered entity, how do you make clear to individuals their right to receive an accounting of disclosures? How many requests for an accounting have you received from individuals?

4. For individuals that have received an accounting of disclosures, did the accounting provide the individual with the information he or she was seeking? Are you aware of how individuals use this information once obtained?

5. With respect to treatment, payment, and health care operations disclosures, 45 CFR 170.210(e) currently provides the standard that an electronic health record system record the date, time, patient identification, user identification, and a description of the disclosure. In response to its interim final rule, the Office of the National Coordinator for Health Information Technology received comments on this standard and the corresponding certification criterion suggesting that the standard also include to whom a disclosure was made (i.e., recipient) and the reason or purpose for the disclosure. Should an accounting for treatment, payment, and health care operations disclosures include these or other elements and, if so, why? How important is it to individuals to know the specific purpose of a disclosure— i.e., would it be sufficient to describe the purpose generally (e.g., for ‘‘for treatment,’’ ‘‘for payment,’’ or ‘‘for health care operations purposes’’), or is more detail necessary for the accounting to be of value? To what extent are individuals familiar with the different activities that may constitute ‘‘health care operations?’’ On what do you base this assessment?

6. For existing electronic health record systems:
(a) Is the system able to distinguish between ‘‘uses’’ and ‘‘disclosures’’ as those terms are defined under the HIPAA Privacy Rule? Note that the term ‘‘disclosure’’ includes the sharing of information between a hospital and physicians who are on the hospital’s medical staff but who are not members of its workforce.
(b) If the system is limited to only recording access to information without regard to whether it is a use or disclosure, such as certain audit logs, what information is recorded? How long is such information retained? What would be the burden to retain the information for three years?
(c) If the system is able to distinguish between uses and disclosures of information, what data elements are automatically collected by the system for disclosures (i.e., collected without requiring any additional manual input by the person making the disclosure)? What information, if any, is manually entered by the person making the disclosure?
(d) If the system is able to distinguish between uses and disclosures of information, does it record a description of disclosures in a standardized manner (for example, does the system offer or require a user to select from a limited list of types of disclosures)? If yes, is such a feature being utilized and what are its benefits and drawbacks?
(e) Is there a single, centralized electronic health record system? Or is it a decentralized system (e.g., different
departments maintain different electronic health record systems and an accounting of disclosures for treatment,
payment, and health care operations would need to be tracked for each system)?
(f) Does the system automatically generate an accounting for disclosures under the current HIPAA Privacy Rule (i.e., does the system account for disclosures other than to carry out treatment, payment, and health care
operations)?
i. If yes, what would be the additional burden to also account for disclosures to carry out treatment, payment, and health care operations? Would there be additional hardware requirements (e.g., to store such accounting information)? Would such an accounting feature impact system performance?
ii. If not, is there a different automated system for accounting for disclosures, and does it interface with the electronic health record system?

7. The HITECH Act provides that a covered entity that has acquired an electronic health record after January 1, 2009 must comply with the new accounting requirement beginning January 1, 2011 (or anytime after that date when it acquires an electronic health record), unless we extend this compliance deadline to no later than 2013. Will covered entities be able to begin accounting for disclosures through an electronic health record to carry out treatment, payment, and health care operations by January 1, 2011? If not, how much time would it take vendors of electronic health record systems to design and implement such a feature? Once such a feature is available, how much time would it take for a covered entity to install an updated electronic health record system with this feature?

8. What is the feasibility of an electronic health record module that is exclusively dedicated to accounting for disclosures (both disclosures that must be tracked for the purpose of accounting under the current HIPAA Privacy Rule and disclosures to carry out treatment, payment, and health care operations)? Would such a module work with covered entities that maintain decentralized electronic health record systems?

9. Is there any other information that would be helpful to the Department regarding accounting for disclosures
through an electronic health record to carry out treatment, payment, and health care operations?

Written comments to OCR must be submitted on or before May 18, 2010.