The U.S. Department of Health & Human Services Office for Civil Rights (OCR) published a request for information (RFI) on the Health Information Technology for Economic and Clinical Health (HITECH) Act’s expansion of an individual’s right to receive an accounting of disclosures under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Pursuant to the HITECH Act, covered entities will soon be required to account for disclosures of protected health information (PHI) made for treatment, payment, and healthcare operations if the entity utilizes an electronic health record (EHR) system. This is a significant change from current guidance, by which covered entities are not required to provide an accounting of any disclosures made for purposes of treatment, payment, or healthcare operations. As the OCR prepares to develop specific regulations, it has issued the RFI to pose specific questions to and request comments from covered entities, EHR system vendors, and individual and consumer advocates regarding the new requirement.
Specific questions posed to covered entities include: (1) How do covered entities inform individuals of their rights to an accounting of disclosures? (2) How many accounting of disclosures requests a covered entity has received? (3) Whether a covered entity uses a single EHR system and whether that system creates an automatic accounting of disclosures, or whether there is a separate system to generate this information? and (4) Whether the HITECH Act’s requirement that covered entities that acquire EHR systems after January 1, 2009 account for disclosures for treatment, payment, and healthcare operations by January 1, 2011 is a feasible deadline, and, if not, how long it would take a covered entity to install a feature to track these disclosures?
Other requests for comments are directed at individuals, consumer advocates, and EHR system vendors. The questions directed at individuals and consumer advocates inquire into the benefits of an accounting of disclosures, whether individuals are aware of their right to receive an accounting of disclosures, and whether an individual was provided requested information. The RFI also requested information from EHR system vendors as to whether the EHR system is able to distinguish between PHI “uses” and “disclosures” and as to the additional burdens that would be imposed on the EHR system to account for disclosures for treatment, payment, and healthcare operations and the feasibility of an EHR module to account for these disclosures.
For more information on HIPAA privacy and security rules, please visit www.wachler.com or contact a Wachler & Associates attorney at 248-544-0888.