
Friday, May 7, 2010

Thoughts about EHRs and accounting of disclosures

One of the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act portion of the Recovery Act changed the requirements for HIPAA-covered entities to maintain an accounting of disclosures of health information. Under the HIPAA Privacy Rule (specifically, 45 CFR §164.528), such entities were already required to keep (and make available to individuals if requested) a record of disclosures going back six years, but they did not have to include disclosures for treatment, payment, or health care operations. HITECH changed the rule to remove these exempted purposes for disclosure where electronic health records are in use, and also changed the required timeframe to a three-year history, rather than six (§13405(c)(1)). This change will go into effect for existing EHR users on January 1, 2014, and three years earlier for entities that acquire an EHR after January 1, 2009. (The fact that the new rules aren't yet in effect is why the current Code of Federal Regulations still reflects the six-year period and the exceptions for treatment, payment, and health care operations.) The law also directs HHS to produce regulations describing exactly what information needs to be collected about each disclosure, taking into account "the interests of the individuals in learning the circumstances under which their protected health information is being disclosed and takes into account the administrative burden of accounting for such disclosures." (§13405(c)(2)) As part of the process of developing these regulations, HHS this week published a notice in the Federal Register requesting information on the new accounting for disclosure requirements.

While the need to produce accountings of disclosures should be familiar ground to health care organizations, the exceptions to the rules for treatment, payment, and health care operations purposes have likely meant that many covered entities never had to attend to these requirements in practice, so there is understandable concern about imposing new administrative burdens on health care providers. To some extent, the effort to comply with the accounting of disclosure rules could be shifted to EHR vendors, if the ability to store and report comprehensive accounting of disclosure statements is made a requirement for EHR certification under meaningful use rules. Many of these systems already have this capability, so the level of effort to comply hinges on the details of the information that needs to be collected and whether these systems can capture that information with little or no modification. It is logical to assume that some additional work effort will be placed on health care personnel to record disclosures, since the recipient information and purpose of disclosure that will likely need to be included are attributes that might not be easily captured in an automated fashion from transactional logs. If HHS is going to consider the individual interest in knowing when and why their data has been disclosed, it should also consider defining the disclosure rules to include "use" or "access" rather than just exchange. Some of the most publicized breaches of personal health data privacy are really abuse of privilege by authorized EHR users like hospital staff; nothing in the current HIPAA rules or in the proposed language would include this sort of access.

In applying to all HIPAA-covered entities, the scope of the accounting of disclosures requirements obviously extends well beyond the government, but HHS might do well to examine some of the approaches and technical mechanisms already used by government agencies. Under the Privacy Act, all federal agencies are required to maintain and make available to individuals accountings of disclosures of personal information held in any agency system of records. The Privacy Act makes an exception for access to records by government employees as part of performing their job duties, but in general requires that agencies keep a record of when, what, and why a disclosure of personal information is made, and the name and address of the person or organization to whom the disclosure is made (5 USC §552a(c)). The fact that just about every agency has processes and/or systems in place to maintain these disclosure records should give HHS (and even EHR vendors) a lot of information about ways to implement such an accounting of disclosures from EHR systems.
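To make the comparison above concrete, here is an added example (not from the original post, and not any EHR vendor's or agency's code) of a minimal accounting-of-disclosures log built around the record elements the Privacy Act requires: when, what, why, and the name and address of the recipient. It produces the report an individual could request under the pre-HITECH Privacy Rule (six years, treatment/payment/operations exempt) and under HITECH for EHR users (three years, no exemptions), and it has a switch for the post's suggestion that internal "access" events be accounted for as well. It also flags log entries missing the recipient or purpose fields that transactional logs often cannot supply on their own. The field names, purpose strings, patient identifiers and sample records are all constructed for illustration.

```python
"""Added example: accounting-of-disclosures log and report (constructed data)."""
from dataclasses import dataclass
from datetime import date

# Purposes exempt from accounting under the pre-HITECH Privacy Rule.
TPO_PURPOSES = {"treatment", "payment", "health care operations"}


@dataclass(frozen=True)
class Event:
    patient_id: str
    occurred_on: date
    what: str              # description of the information involved
    purpose: str
    recipient_name: str    # person or organization receiving the data
    recipient_address: str
    kind: str              # "disclosure" (left the entity) or "access" (internal use)


def years_before(as_of: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return as_of.replace(year=as_of.year - years)
    except ValueError:
        return as_of.replace(year=as_of.year - years, day=28)


def accounting(events, patient_id, as_of, lookback_years, exempt_tpo, include_access):
    """Events a requesting individual would see for the rule set given, oldest first."""
    cutoff = years_before(as_of, lookback_years)
    out = []
    for e in events:
        if e.patient_id != patient_id or e.occurred_on < cutoff:
            continue
        if e.kind == "access" and not include_access:
            continue
        if exempt_tpo and e.purpose in TPO_PURPOSES:
            continue
        out.append(e)
    return sorted(out, key=lambda e: e.occurred_on)


def privacy_rule_accounting(events, patient_id, as_of):
    """45 CFR 164.528 as it stood in 2010: six years, TPO disclosures exempt."""
    return accounting(events, patient_id, as_of, 6, exempt_tpo=True, include_access=False)


def hitech_accounting(events, patient_id, as_of, include_access=False):
    """HITECH 13405(c)(1) for EHR users: three years, TPO disclosures included.
    include_access=True models the post's suggestion to also account for internal use."""
    return accounting(events, patient_id, as_of, 3, exempt_tpo=False, include_access=include_access)


def incomplete(events):
    """Entries lacking the purpose or recipient fields that staff would have to fill in."""
    return [e for e in events if not (e.purpose and e.recipient_name and e.recipient_address)]


# Constructed sample log for one hypothetical covered entity.
SAMPLE = [
    Event("P-1", date(2003, 6, 1), "full chart", "legal", "Example Law LLP", "1 Court St", "disclosure"),
    Event("P-1", date(2009, 11, 15), "lab results", "public health", "State Health Dept", "2 Capitol Ave", "disclosure"),
    Event("P-1", date(2010, 3, 1), "referral summary", "treatment", "Dr. Example", "3 Clinic Rd", "disclosure"),
    Event("P-1", date(2010, 4, 10), "claim detail", "payment", "Example Insurer", "4 Plan Way", "disclosure"),
    Event("P-1", date(2010, 5, 1), "full chart", "treatment", "staff user u123", "", "access"),
    Event("P-2", date(2010, 2, 2), "medication list", "treatment", "Example Pharmacy", "5 Main St", "disclosure"),
]
AS_OF = date(2010, 5, 7)  # date of the request, constructed

if __name__ == "__main__":
    reports = (
        ("Privacy Rule", privacy_rule_accounting(SAMPLE, "P-1", AS_OF)),
        ("HITECH", hitech_accounting(SAMPLE, "P-1", AS_OF)),
        ("HITECH + access", hitech_accounting(SAMPLE, "P-1", AS_OF, include_access=True)),
    )
    for label, rows in reports:
        print(label, [(e.occurred_on.isoformat(), e.purpose, e.recipient_name) for e in rows])
    print("incomplete:", [(e.occurred_on.isoformat(), e.recipient_name) for e in incomplete(SAMPLE)])
```

Run against the sample log, the Privacy Rule report for P-1 contains only the 2009 public health disclosure (the 2003 entry is outside the window and the treatment and payment disclosures are exempt), the HITECH report contains three disclosures, and adding internal access brings it to four; the only incomplete entry is the staff access event, which carries no recipient address because nothing left the entity. The point of the `incomplete` check is the one made above: the when/what fields come from system logs for free, while purpose and recipient are the fields a workflow has to ask a person for.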

If, as private sector health care entities are likely to argue, there is significant new effort required to comply with stricter accounting of disclosure rules, HHS might also want to consider what incentives might be provided to help mitigate the compliance burden. Meaningful use is one way to approach this, insofar as the ability to maintain and produce the accounting of disclosures the law requires could be made a required functional capability of certified EHR modules or systems. There is another potential source of incentive, at least if some progress is made to develop the business case for health information exchange using EHRs and health IT. While the best reason to look at business models for data sharing is to encourage participation, a potential side benefit of a business model in which data holders were paid for sharing their data is that the transaction history that would provide the basis of billing records could also be used to satisfy accounting of disclosure requirements. Absent such a business model, there are policy oversight and legal enforcement interests in auditing data sharing transactions as well (basically to see if entities are living up to their legal or contractual obligations), and the information needed to satisfy such monitoring activities could also likely be leveraged for accounting of disclosures.
