
Tuesday, February 17, 2009

Accounting of disclosures to become more comprehensive

One of the requirements under the HIPAA Privacy Rule is that covered entities maintain an "accounting of disclosures" of protected health information, in part so that an individual may request a record of who accessed their health information, at what time, and for what purpose. As codified into law (45 CFR §164.528), the accounting of disclosures rule specifies a time period of six years, so covered entities are obligated to maintain records of disclosures for at least that long. The original accounting of disclosures requirement contains a significant set of exceptions: disclosures made for the purposes of treatment, payment, or health care operations do not have to be recorded and made available in the accounting of disclosures. This greatly reduces the administrative burden on covered entities, as most "routine" uses of individually identifiable health information are not subject to the accounting rule. The language in the HITECH Act on accounting of protected health information disclosures removes these exceptions, essentially requiring that an accounting provided to an individual cover all disclosures (there is still an exception for the requests an individual makes to see his or her own information). So the revised accounting of disclosures rule now gives individuals the right to receive a three-year history of all disclosures of their information through an electronic health record.

For EHR vendors, this simplification of the accounting of disclosures rule may actually make it easier to produce the disclosure history, because a comprehensive transaction log showing authorized (and unauthorized) access to records will produce the accounting required. There is a related provision in the HITECH Act that directs the HHS Secretary within six months to promulgate regulations on what specific information should be collected about each disclosure. There is also a pretty protracted period until the rule takes effect, especially for entities that already had electronic health records as of January 1 of this year. The accounting of disclosures rule applies to these covered entities as of January 1, 2014, while for entities acquiring electronic health records after January 1, 2009, the rule goes into effect as of January 1, 2011, or whenever the entity acquires an EHR, whichever is later.
