Patient rights in the healthcare industry have been a critical issue for years. One such right that the public has insisted on is their right to access their own health information and amend health information when it is deemed to be incorrect.
On May 31, 2011, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a Notice of Proposed Rule Making (NPRM) entitled "HIPAA Privacy Rule Accounting of Disclosures Under HITECH." OCR will receive comments on this proposed rule until August 1, 2011, and is expected to publish a final rule by the end of 2011. Compliance with the accounting of disclosures requirements would then begin sometime in mid-2012.
The purpose of this rule is to implement the HITECH requirement that covered entities and business associates account for disclosures of protected health information made to carry out treatment, payment and healthcare operations where such disclosures are made through an electronic health record. The rule will expand the accounting provision so that individuals have the right to receive an access report indicating who has accessed ePHI in a designated record set. A Designated Record Set means a group of records maintained by or for a health plan or health care provider that are 1) the medical records and billing records about individuals maintained by or for a covered health care provider; 2) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or 3) used, in whole or in part, by or for the health plan or health care provider to make decisions about individuals.
There are a few noteworthy points about this NPRM. First, the covered entity's accounting information must cover all disclosures by the covered entity or its business associates (if that business associate creates, receives, maintains, or transmits record set information). This would include all non-routine and routine (those for treatment, payment and operations) disclosures of PHI from an electronic database (ePHI). Beginning Jan. 1, 2013, individuals would have the right to receive a report of who accessed their ePHI (access report) for a three-year period from the date of the request. Second, covered entities will have to revise their Notice of Privacy Practices (NPP) to reflect these changes and provide individuals with a Notice of Privacy Practices that discloses how the covered entity may use and disclose PHI and the individuals’ rights regarding their health information. Third, this NPRM will reduce the time for a covered entity to respond to a request for an accounting of disclosures from 60 days to 30 days.
The time to start preparing for these new accounting of disclosures requirements is now – not December 2012. Why now? A big challenge will be whether your system vendors can handle this new ePHI accounting of disclosures requirement and how they will do it. Covered Entities and Business Associates will have to revise their NPP to explain to individuals that they now have a right to an accounting of all disclosures of their ePHI. Administrative changes will have to be made to how a Covered Entity and Business Associate manage non-routine disclosures of hardcopy PHI for 6 years and routine disclosures of ePHI for 3 years. With another new rule (accounting of disclosures) coming down the pike shortly, be prepared and start planning now.
Dave Sina – Author of A Healthcare Compliance Plan for Less than Two Dollars ($2.00) Per Day.