John Parmigiani - HR Compliance Expert


New Patient Rights: Will Your
HIPAA Program Be Ready?
John Parmigiani
President
John C. Parmigiani & Associates
© John Parmigiani, 2011
• Introductions
• Session Objectives
• What’s it all about?
• Issues and Perceived Barriers
• Getting Ready
• Conclusions
• Appendices
– Appendix A: RFI Questions from OCR
– Appendix B: References
• Questions & Answers
John Parmigiani
• President, John C. Parmigiani & Associates, LLC
• QuickCompliance, Inc. Senior Vice President for Consulting Services
• CTGHS National Practice Director for Regulatory and Compliance Services
• HCS Director of Compliance Programs
• HIPAA Security Standards Government Chair/ HIPAA Infrastructure Group
• Directed development and implementation of security initiatives for HCFA (now CMS) - Director of Enterprise Standards:
– Security architecture
– Security awareness and training program
– Systems security policies and procedures
– E-commerce/Internet
• Directed development and implementation of agency-wide information systems, policy, and standards and information resources management for HCFA
• AHIMA Privacy and Security Council; Advisory Board Guide to Medical Privacy and HIPAA; AMC Workgroup on HIPAA Security and Privacy; Content Committee of CPRI-HOST/HIMSS Security and Privacy Toolkit; Editorial Advisory Boards of HIPAA Compliance Alert’s HIPAA Answer Book and HIPAA Training Line, HIPAA Training Alert, and Health Information Compliance Alert; Chair, HIPAA-Watch Advisory Board; Train for HIPAA Advisory Board; Train for Compliance Board of Directors; HIMSS Privacy and Security Steering Committee; JCAHO/NCQA Privacy Certification Committee for BAs; Gerson Lehrman Health Experts Council; Frequent speaker at national conferences; HIPAA Summit Distinguished Service Award in 2009
Session Objectives
This session is focused on providing participants with:
• A greater understanding of the newly proposed Accounting of Disclosures
(AoD) Rule and what that means for new patient rights and to your
organization’s regulatory HIPAA/HITECH compliance efforts
• Insights into how what is being proposed in the new rule compares with
present regulatory requirements
• A look at what the “designated record set” is and why it matters, since it is what will be used to report disclosures from both electronic and paper records
• An awareness of the proposed implementation schedule for compliance
• The role of OCR in writing and enforcing the rule
• Identification of critical impacts to your existing and emerging systems
• Steps you should take now and in the near future to prepare for seamless compliance
HIPAA Privacy Rule Accounting of Disclosures under the Health
Information Technology for Economic and Clinical Health (HITECH) Act…
Quick Synopsis:
• Published in the Federal Register* on May 31, 2011 as a proposed rule (Notice of Proposed Rule Making); comments were due by August 1, 2011. *See Appendix B, References, for the URL
• Purpose: The HITECH Act requires CEs and BAs to provide an accounting of disclosures of PHI through an electronic health record (EHR), for treatment, payment, and healthcare operations (TPO), dating back three years from such a request. This NPRM grants patients two separate “rights”: an “Access Report” and an “Accounting of Disclosures”
• Compliance dates: 240 days after the final rule is published in the Federal Register. Regulatory compliance dates for the Access Report and for the Accounting of Disclosures Report:
– January 1, 2013, for electronic Designated Record Sets in EHR systems acquired after January 1, 2009
– January 1, 2014, for electronic DRS in EHR systems acquired prior to January 1, 2009.
HIPAA Privacy Rule Accounting of Disclosures under the Health
Information Technology for Economic and Clinical Health (HITECH) Act
• Applies to all CEs and to BAs that perform a function or
activity involving the use or disclosure of PHI on the covered
entity’s behalf
• Important to note: TPO uses and disclosures would apply only
to “Access Report” not to the “Accounting of Disclosures”
Report
• The two rights would be “distinct but complementary,"
according to the preamble… “proposal attempts to shift the
accounting provision from a manual process that generates
limited information to a more automated process that
produces more comprehensive information."
Some Key Definitions…
• Disclosure: PHI shared outside of the organization
• Use: PHI accessed within the organization
• Designated Record Set (DRS):
– Per the HIPAA Privacy Rule: A group of records maintained by or for a
CE that:
• Consists of medical records and billing records about individuals
maintained by or for a CE
• Contains enrollment, payment, claims adjudication, and case or
medical management record systems maintained by or for a health
plan; or
• Is used, in whole or in part, by or for the CE to make decisions
about individuals
Some Key Definitions
• Designated Record Set (DRS) – cont’d.:
• A record is defined as any item, collection, or grouping of information that contains PHI and is maintained, collected, used or disseminated by or for a covered entity.
• Why OCR used the DRS rather than the EHR: the DRS was defined in regulation, while the EHR is not universally defined, is continually undergoing changes, and could consist of a number of systems rather than one monolithic system; and
– OCR believed that CEs had long ago determined what systems were associated with their DRSs
Current HIPAA Requirements…
• Privacy Rule: (45 CFR 164.528) Accounting of
disclosures* of protected health information
– Individual right to request
– Disclosures for treatment, payment, healthcare
operations are excepted
– Covers all PHI (paper and electronic)
– Must maintain log of disclosure for 6 years
– Have 60 days to respond; one 30-day extension
permitted
*outside of the healthcare organization
Current HIPAA Requirements…
• Response must include:
– Exact date of the disclosure
– Name of the recipient
– Address of the recipient (if known)
– Brief description of the information disclosed
– Brief statement of the purpose of the disclosure
• Do not have to account for TPO disclosures, disclosures made under an authorization, disclosures that occurred before the 4/14/2003 compliance date, etc.
• Little to no requests over the last 8+ years
• Current rule: tells CEs what does have to be included in an “accounting” but is not specific as to the actual contents
Current HIPAA Requirements
• HIPAA Security Rule (requires audit tracking)
– Audit controls (45 CFR 164.312(b))
– Information system activity reviews (45 CFR 164.308(a)(1))
• Requires CEs (and now BAs, per HITECH) to “implement
hardware, software, and/or procedural mechanisms that
record and examine activity in information systems that
contain or use ePHI.” - audit logs should be generated and
regularly reviewed
• And, of course, by now (6+ years after the 4/20/05 HIPAA
Security Rule compliance date), all CEs are in full compliance
with this requirement !!
Changes in the Healthcare Environment
• More organizations touching and sharing PHI
– Traditional covered entities
– Business associates
– Gateways
– HIEs
• Push toward an all-inclusive EHR as part of MU incentives
• Patient interest in who is handling their data and how it is
being protected from unauthorized use and disclosure
• Breaches on the rise – notification requirements
• Increased enforcement
Changes Under HITECH {sec. 13405 (c)}
Specifically…
• The HITECH Act requires CEs and BAs to provide an accounting
of disclosures of PHI through an electronic health record
(EHR), for treatment, payment, and healthcare operations
(TPO), dating back three years from such a request
• But only for “disclosures”, and disclosures that came through
an EHR
OCR’s Search for Objectives for Accounting of Disclosures
(AoD)…
• On May 3, 2010, HHS published a request for information
(RFI) seeking further information on individuals’ interests in
learning of disclosures, the burdens on covered entities in
accounting for disclosures, and the capabilities of current
technology.
– See Appendix A for the nine questions in the RFI
– Received approximately 170 comments from numerous organizations
representing health plans, health care providers, privacy advocates,
and other non-covered entities.
– Comments were considered when drafting this proposed rule.
– Emphasis was on balancing individual patient interest and proponents
of increased patient record privacy with burdens on the covered
entities and other custodians of patient data
OCR’s Search for Objectives for Accounting of Disclosures
(AoD)
In response to the RFI:
• Little perceived benefit to individuals
• A minimal number of requests over the last 8 years
• Current EHR systems are not up to distinguishing between “uses” and “disclosures”
• Much work has to be done by vendors of HITECH systems to accomplish the needed upgrades or modifications
• Disparity of decentralized systems would require a lot of manual intervention to produce a report
• Deadlines for meeting this aspect of HITECH, along with other announced deadlines, are not possible
• Accounting barriers may be a disincentive to small providers, etc. – an unintended consequence of trying to move toward E-Health
• The report requirement could have the unintended consequence of discouraging physician practices from investing in new technology and undermining efforts to enhance patient care and improve efficiency through EHRs
Proposed Rule (NPRM) for Accounting of Disclosures…
To implement the HITECH requirement, OCR is proposing to revise 164.528 of the Privacy Rule into two separate rights for individuals, and is explicit as to what is covered and what is not:
1. The patient’s right to an “Access Report”
– Focus is on “who” looked at my (electronic) data
– For electronic access in a Designated Record Set by the covered entity’s workforce members and persons outside of the covered entity (includes both “uses” and “disclosures”), regardless of the reason
2. The patient’s right to an “Accounting of Disclosures”
– Focus is on “to whom” and “why”: what was the purpose of the disclosure? Why was my information shared outside of the organization?
– Both electronic and paper
Proposed Rule (NPRM) for Accounting of Disclosures
Rationale for these two patient rights per the proposed rule:
• Why an accounting of disclosures: “The intent of the accounting of
disclosures is to provide more detailed information (a ‘full accounting’) for
certain disclosures (public health, law enforcement, etc.) that are most
likely to impact the individual.”
• Why access reports: “The intent of the access report is to allow
individuals to learn if specific persons have accessed their electronic DRS
information (it will not provide information about the purposes of the
person’s access).”
In short, OCR believed that what individuals really wanted was “who”
had seen their PHI and “why”; moreover, privacy advocates have been
claiming for years that the exclusions as provided in the Privacy Rule
deprived patients of a full and accurate picture of what PHI was actually
being disclosed.
Access Report…
• Do not need to distinguish between uses and disclosures for the report
(but your system will need to know)
• Do not need to identify the purpose of the access
• Only applies to PHI about the individual that is maintained in an electronic DRS (OCR realizing that only electronic systems can track accesses to information in electronic records)
• Content of an Access Report
– Date when the ePHI was accessed
– Time when the ePHI was accessed
– Name of person who accessed (or, if not available, the name of the
organization)
– Description of what information was accessed (diagnoses, treatment,
medications, etc.) and the user’s action (view, create, modify, delete),
if available
Access Report
• Must provide in machine-readable form and format if readily
producible
• Report due in 30 days
• Also, the requesting individual must be allowed to limit the
report to a specific date, time or time period, and user (could
include accesses by a BA).
• Would cover accesses for uses and disclosures for TPO but
would not have to delineate for which
• Requires 100% logging of all DRS accesses
Accounting of Disclosures Report
• All disclosures of PHI (electronic and paper) that are contained in a DRS would be reportable
– Very similar to the requirements in place since 4/14/03
– Really a more detailed “full accounting”
• Would not cover uses or disclosures for TPO
• Covers a three-year period from the time of the request
• Content:
– Date can be approximate (month/date or within a range) or for multiple disclosures can
be a date range
– Name of recipient of the information (person or organizational entity)
– Brief description of type of information disclosed
– Brief description of the purpose of the disclosure or a copy of the request for the
disclosure
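The two reports described above differ only in which filters are applied to the same underlying access log: the Access Report keeps every access (use or disclosure, any purpose) and lets the requester narrow by date/time range and user, while the Accounting of Disclosures keeps disclosures only, drops TPO, and looks back three years from the request. The script below is an added example, not part of the presentation or of any EHR vendor's product; the JSON-lines log format, its field names and the sample events are constructed assumptions.

```python
# Added example: derive both patient reports from one constructed access log.
import csv
import io
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# TPO purposes are excluded from the Accounting of Disclosures only;
# the Access Report lists every access regardless of purpose.
TPO_PURPOSES = {"treatment", "payment", "operations"}
LOOKBACK = timedelta(days=3 * 365)  # three years back from the request date


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    patient_id: str
    actor: str          # person's name, or the organization if no person is known
    organization: str
    action: str         # view / create / modify / delete
    info_type: str      # diagnoses, medications, lab results, ...
    disclosure: bool    # True when the actor is outside the covered entity
    purpose: str


# Constructed sample log, one JSON object per line (hypothetical collector output).
SAMPLE_LOG = """\
{"ts":"2011-06-01T09:15:00","patient":"P001","actor":"Dr. Alice Chen","org":"Example Hospital","action":"view","info":"diagnoses","disclosure":false,"purpose":"treatment"}
{"ts":"2011-06-01T09:40:00","patient":"P001","actor":"B. Ortiz","org":"Example Hospital","action":"modify","info":"billing","disclosure":false,"purpose":"payment"}
{"ts":"2011-06-03T14:02:00","patient":"P001","actor":"","org":"County Health Department","action":"view","info":"lab results","disclosure":true,"purpose":"public health"}
{"ts":"2011-06-05T11:20:00","patient":"P001","actor":"Dr. Dan Patel","org":"Riverside Clinic","action":"view","info":"medications","disclosure":true,"purpose":"treatment"}
{"ts":"2011-06-10T16:45:00","patient":"P001","actor":"C. Reyes","org":"Acme Workers Comp","action":"view","info":"treatment notes","disclosure":true,"purpose":"workers compensation"}
{"ts":"2008-05-20T10:00:00","patient":"P001","actor":"Det. E. Moore","org":"City Police","action":"view","info":"admission record","disclosure":true,"purpose":"law enforcement"}
{"ts":"2011-06-02T08:05:00","patient":"P002","actor":"Dr. Alice Chen","org":"Example Hospital","action":"view","info":"diagnoses","disclosure":false,"purpose":"treatment"}
"""


def _dt(value):
    """Accept a datetime or an ISO-8601 string (as typed on a request form)."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def parse_log(text):
    """Parse JSON-lines events into AccessEvents, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        events.append(AccessEvent(
            ts=datetime.fromisoformat(r["ts"]), patient_id=r["patient"],
            actor=r["actor"] or r["org"],  # fall back to the organization name
            organization=r["org"], action=r["action"], info_type=r["info"],
            disclosure=r["disclosure"], purpose=r["purpose"]))
    return sorted(events, key=lambda e: e.ts)


def access_report(events, patient_id, start=None, end=None, user=None):
    """Who touched the electronic DRS: uses and disclosures alike, no purpose.
    start/end/user are the optional limits the requesting individual may set."""
    lo = _dt(start) if start else None
    hi = _dt(end) if end else None
    rows = []
    for e in events:
        if e.patient_id != patient_id:
            continue
        if (lo and e.ts < lo) or (hi and e.ts > hi) or (user and e.actor != user):
            continue
        rows.append({"date": e.ts.date().isoformat(), "time": e.ts.strftime("%H:%M"),
                     "name": e.actor, "organization": e.organization,
                     "information": e.info_type, "action": e.action})
    return rows


def accounting_of_disclosures(events, patient_id, request_date):
    """To whom and why: disclosures only, TPO excluded, three years back."""
    since = _dt(request_date) - LOOKBACK
    rows = []
    for e in events:
        if e.patient_id != patient_id or not e.disclosure:
            continue
        if e.purpose in TPO_PURPOSES or e.ts < since:
            continue
        rows.append({"date": e.ts.date().isoformat(), "recipient": e.organization,
                     "information": e.info_type, "purpose": e.purpose})
    return rows


def to_csv(rows):
    """Machine-readable form, required for the access report if readily producible."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(to_csv(access_report(evs, "P001", start="2011-06-01", end="2011-07-01")))
    print(to_csv(accounting_of_disclosures(evs, "P001", "2011-07-01")))
```

Note that the referral to Riverside Clinic shows up in the access report but not in the accounting, because it is a TPO disclosure, and the 2008 law-enforcement disclosure drops out of the accounting on the three-year lookback.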
Disclosures: To Account for or Not to Account for?
Account for:
• Not permitted under the Privacy Rule unless a notice of breach has been provided
• Public Health activities (except for child abuse or neglect)
• Judicial and administrative proceedings
• Law enforcement activities to avert a serious threat to health or safety
• Military and veterans activities
• Government programs providing public benefits
• Workers compensation
Not to Account for:
• Those disclosures that are defined in CFR 164.502, 508, 510, 512, 514
• Any information that meets the definition of patient safety work product – 42 CFR 3.20
• Disclosures for health oversight purposes (looks at CE not the patient) and research purposes
Access Report (AcR) vs. Accounting of Disclosures Report (AoD)

Item                               AcR    AoD
Name                               yes    yes
Paper                              no     yes
Exact date(s)                      yes    no
Purpose                            no     yes
TPO                                yes    no
Outside DRS                        no     yes
Electronic (machine readable)      yes    optional
30-day (+ one 30-day extension)    yes    yes
The Industry Weighs In
Despite OCR’s stated objectives to make implementation of
the AoD proposed rules as seamless as possible for CEs, BAs,
etc., not everyone agrees with or embraces the need.
• A sampling of the responding organizations:
– American Health Information Management Association (AHIMA)
– Medical Group Management Association (MGMA)
– College of Healthcare Information Management Executives (CHIME)
– American Hospital Association (AHA)
– American Medical Association (AMA)
– Association of American Medical Colleges (AAMC)
– Healthcare Information Management Systems Society (HIMSS)
– North Carolina Health Information and Communications Alliance (NCHICA)
The Industry Weighs In…
• A sampling of the responding organizations (cont’d.):
– Center for Democracy and Technology (CDT)
– Federation of American Hospitals (FAH)
– Health Billing and Management Association (HBMA)
– Assorted organizations: hospitals, state health departments, university medical centers, healthcare law firms, etc.
• Their issues and perceived barriers:
– OCR has failed to demonstrate that the access report will meet a need of
patients or their representatives. Therefore, OCR should withdraw all
provisions related to the access report. If OCR determines that this
necessitates major revisions related to the accounting for disclosures
requirements, then it should consider withdrawing the entire rule and
developing a new notice of proposed rulemaking.
The Industry Weighs In…
• Their issues and perceived barriers (cont’d.):
– The accounting of disclosures is sufficient; the access report is totally
unnecessary.
– As the government tries to reduce administrative costs in healthcare—through
health reform and new financial incentives to become a “meaningful user” of
electronic health records —the right to an access report is a step back.
– OCR should limit the accounting to information maintained in an electronic
health record.
– Even if CEs and BAs are in compliance with the Security Rule requirements,
systems may not keep or have the capability for keeping three years of access
logs
– Not all electronic systems are currently capable of producing an electronic
access report
– Will the cost of compliance meet or exceed the benefit intended?
The Industry Weighs In…
• Their issues and perceived barriers (cont’d.):
– Retain the current 60 day time period for covered entities to respond to a
request for an accounting - generating an accounting for disclosures is still a
very manual process
– To provide adequate time for the development of EHR systems that can more
easily produce the information necessary for an accounting of disclosures, the
compliance enforcement deadline should be extended to 2016; this will avoid
imposing a distraction on hospitals and physicians at a time when they are
working hard to adopt EHRs and to meet the Medicare program’s Meaningful
Use requirements.
– Underestimates the burden of creating access reports when OCR states that
“if few individuals request access reports, then covered entities will rarely
need to undertake the burden of generating an access report.” (76 Fed.Reg. at
31439) This fails to take into account that regardless of the number of
requests, covered entities must have in place all the systems, policies, and
staff that will be necessary if even one request is received.
The Industry Weighs In…
• Their issues and perceived barriers (cont’d.):
– Information should be limited to what is included in the EHR, not the Designated Record Set
– Current electronic health record systems are not designed to provide access
information in a format that is understandable to individuals - Generally, a log
also includes information about records activity occurring due to automated
functions in between different clinical systems. In addition the presence of
“codes” and acronyms in logs make the presentation of the data challenging
and lengthy, and provides no information about whether access by a particular
individual is appropriate.
– Names of employees accessing PHI should not be provided – possible
retaliation; reticence on the part of healthcare staff to access that patient’s
medical record, even when doing so is appropriate, with an impact on patient
care; access reports should carry only identifiers for the work force members
rather than actual names
The Industry Weighs In…
• Their issues and perceived barriers (cont’d.):
– Withdraw the proposal and reissue a request for information aimed at better
reflecting the statutory requirements, the technological realities, and better
alignment of the regulation's effectiveness with the compliance burdens
– Access reports can be voluminous and contain hundreds of pages; individuals
will not be able to understand the reports - education to individuals is
necessary prior to implementation of the rule to ensure that individuals fully
understand the various types of accesses that can be listed in an access report.
– It would make more sense to require covered entities and business associates to respond to requests for access activity on an ad hoc basis rather than require significant systems and process changes that will raise the cost of healthcare for what appears to be a very limited number of requests.
– DRSs are too broadly defined and too variable in today’s health IT
environment; the ability to aggregate hundreds or thousands of access events
in any automated fashion is not realistic for most covered entities.
The Industry Weighs In…
• Their issues and perceived barriers (cont’d.):
– Only data gathered from certified EHRs, not the full array of designated record
sets, should be expected to populate access reports; access logs, report filters
and other technical specifications needed to generate an access report would
be inconsistent or nonexistent across many clinical data sources that might be
considered part of a DRS
– HITECH required CEs and BAs to account for disclosures from EHRs only; the proposed access report requirement goes well beyond HIPAA's intent and does not materially add to HIPAA's already strong protections for protected health information; OCR does not have the authority to establish the right to an access report and has gone beyond its statutory authority in specifying DRSs and their retention.
– Most health care facilities do not have the technology infrastructure necessary
to comply with the access report requirement
The Industry Weighs In…
• Their issues and perceived barriers (cont’d.):
– Providing a list of names without any context may result in numerous
questions to understand why all of the individuals listed accessed the record –
more work for healthcare staff already resource-challenged
– Without a technical solution to compile the log data from multiple systems, it
is a daunting task to see who accessed the patient’s record during their stay –
a multitude of records is generally involved
– Practice management systems, for the most part, do not have capabilities sophisticated enough to identify when PHI has been accessed and by whom, nor have "minimum necessary" requirements been incorporated into existing software; there are numerous distinct times during the course of a simple office visit that a patient's PHI would be accessed, and each of these accesses would add another interruption to the workflow and require a separate interaction with the practice's system, even if there is no other reason to access the system at that juncture.
The Industry Weighs In…
• Their issues and perceived barriers (cont’d.):
– Proposed new right to an access report detailing all uses by covered entities is
an undesirable, costly and administratively burdensome expansion of policy in
an area where there has been virtually no patient interest or activity
– OCR should revise the proposed rule to focus on short-term goals, while
starting to develop a long-term proposal on access report requirements that
would not overburden health care providers
In short, get rid of the access report and rethink the whole process
to make a proposal that takes into account industry technical
capabilities and a “reasonable” and economically feasible
approach to keeping patients informed and safeguarding their PHI
from unauthorized access.
In an Era of Increased Enforcement…
• Role of OCR
– Both a crafter of the regulations and an enforcer for
compliance
• Step up in enforcement
– “Wall of Shame” (approx. 300 breaches affecting 500 or
more; approx. 32,000 lesser breaches)
– BAH contract - audit candidate identification
– KPMG ($9.2 M contract for 150 audits by 12/31/12)
– UCLA ($865,500 resolution agreement)
– Mass General ($1 M resolution agreement)
– Cignet Health ($4.3M civil monetary penalty – fine)
In an Era of Increased Enforcement
• Plethora of agencies engaged in enforcement and guidance
for healthcare data protection
– OCR, ONC, CMS, FTC, Commerce, NIST, PCAST
• State data protection laws
• Heightened consumer (patient) awareness of existing and
increasing threats to electronic information
– Identity theft
– Medical identity theft
Steps to Take
Remember this is a proposed rule that has generated a number of comments ranging from total recall and rewrite to some major tweaks. Before it becomes final (implementation at the earliest is the second half of 2012), it could undergo significant changes. But… there are some prudent actions that can be taken.
To begin:
– The NPRM should serve as a wake-up call for CEs and BAs
– Health plans: it encompasses all of their systems, not just electronic health records
– Today’s processes to track accesses are more manual than automated; most EHRs don’t have the necessary degree of granularity for tracking accesses
Steps to Take…
Now
• Requires that covered entities identify all systems that contribute to their
designated record sets
– Important to remember that it is not only the information in your
EHR/EMR but what is in your DRS
– Need to inventory
– Need to know when purchased to determine when to be included in
the reports – take advantage of the compliance dates
• Some are older (before 1/01/09); some are newer (after 1/1/09)
• Go with the later date, if possible
– Need to look at the purpose of the system
• Is it about the health of the individual?
• Is it for the benefit of managing the organization?
– DRS need to be defined in each of the systems that contain patient
information
Steps to Take…
Now (cont’d.)
– Identify where all of your PHI that makes up a DRS is housed
• Dig up your data flow analysis (getting ready for HIPAA Privacy Rule compliance, 2001-2003)
• Can be in multiple systems
– Radiology, lab, pharmacy, billing, etc. systems – are they separate or do they feed into one repository?
– Who has access to them
– Determine the extent to which you have implemented audit logs, even though they are required by the HIPAA Security Rule
– Make sure that all accesses to patient information systems are being logged
– What are your retention policies/procedures for access logs (three-year lookback requirement - could be as of 1/1/2010)
– Need to be able to distinguish between an access for “use” and an access for “disclosure”
Steps to Take…
Short-Term
– Strong argument for a centralized, all-inclusive EHR (or at least a “hub”) and
the interrelated clinical and administrative systems that feed it all being
connected
– Determine your vendor(s) capabilities
• Enhancements/modifications being planned
• Stage 2 MU readiness
• When and how they will interface with existing and planned systems
• Current and future security requirements in various stages of MU
• EHR certification / MU
• AoD module?
– Once breach notification rule goes final: resolve any confusion over breach
notification and what to report in access and accounting reports
Steps to Take…
Longer-Term
Once AoD goes final:
− Revise and reissue Notice of Privacy Practices (NPP)
• A new patient right (“right to access report”) has been added to the list of patient rights
• NPPs need to be revised and made available to both patients and health plan participants
• For health plans, this can be held off until the 2013 annual mailing
− Business Associates – need to identify responsibilities in BAA
Still to Come…
• Newer systems to meet emerging stages of Meaningful Use will have more
disclosures electronically for TPO
• How to handle disclosures through an HIE (disclosures that originate from
an EHR that are received by another EHR electronic system) – may require
extensive changes to existing EHR systems to track the purpose of a
disclosure for TPO through electronic HIE
• OCR to work with ONC for HIT; may result in EHR certification changes, which may impact the proposed NPRM
• More changes to the Privacy Rule:
– Expansions of patient rights to access
– Restrictions related to health information, marketing, fund raising, and
sale of PHI
Still to Come
• Breach bills, etc.
– At the federal level: work toward national, robust, preemptive (rather
than a floor-level) regulatory requirements
• Data Security and Breach Notification Act (Pryor-Ark./Rockefeller-W.Va.)
• Personal Data Privacy and Security Act (Leahy-Vermont)
• National Data Security Breach Notification Law (Mack-CA)
– At the state level
• MA Data Privacy Law, considered most stringent
• 47 states (Data Protection Acts) + DC, Puerto Rico
• Strengthened as new threats emerge
In Summary…
• Regardless of how the final pronouncements on how the
Accounting of Disclosures play out, a number of the implied
“requirements” in the NPRM make good business sense in
managing PHI and in safeguarding patient information (or any
sensitive organizational proprietary information) from
unauthorized access
• Should always strive to exhibit a “culture of compliance”
• Make sure that your risk assessments of not only your EHR
but also your entire enterprise are kept current to meet MU,
HIPAA/HITECH, and state regulatory requirements – a
foundation building block with multiple applications and
benefits
John Parmigiani
410-750-2497
[email protected]
www.johnparmigiani.com
Appendix A
RFI Questions from OCR
RFI Questions from OCR…
1. What are the benefits to the individual of an accounting of disclosures, particularly of disclosures made for treatment, payment, and health care operations purposes?
2. Are individuals aware of their current right to receive an accounting of disclosures? On what do you base this assessment?
3. If you are a covered entity, how do you make clear to individuals their right to receive an accounting of disclosures? How many requests for an accounting have you received from individuals?
4. For individuals that have received an accounting of disclosures, did the accounting provide the individual with the information he or she was seeking? Are you aware of how individuals use this information once obtained?
RFI Questions from OCR…
5. With respect to treatment, payment, and health care operations disclosures, 45 CFR 170.210(e) currently provides the standard that an electronic health record system record the date, time, patient identification, user identification, and a description of the disclosure. In response to its interim final rule, the Office of the National Coordinator for Health Information Technology received comments on this standard and the corresponding certification criterion suggesting that the standard also include to whom a disclosure was made (i.e., recipient) and the reason or purpose for the disclosure.
a) Should an accounting for treatment, payment, and health care operations disclosures include these or other elements and, if so, why?
b) How important is it to individuals to know the specific purpose of a disclosure— i.e., would it be sufficient to describe the purpose generally (e.g., ‘‘for treatment,’’ ‘‘for payment,’’ or ‘‘for health care operations purposes’’), or is more detail necessary for the accounting to be of value?
c) To what extent are individuals familiar with the different activities that may constitute ‘‘health care operations?’’
d) On what do you base this assessment?
RFI Questions from OCR…
6. For existing electronic health record systems:
a) Is the system able to distinguish between ‘‘uses’’ and ‘‘disclosures’’ as those terms are
defined under the HIPAA Privacy Rule? Note that the term ‘‘disclosure’’ includes the
sharing of information between a hospital and physicians who are on the hospital’s
medical staff but who are not members of its workforce.
b) If the system is limited to only recording access to information without regard to
whether it is a use or disclosure, such as certain audit logs, what information is
recorded? How long is such information retained? What would be the burden to retain
the information for three years?
c) If the system is able to distinguish between uses and disclosures of information, what
data elements are automatically collected by the system for disclosures (i.e., collected
without requiring any additional manual input by the person making the disclosure)?
d) What information, if any, is manually entered by the person making the disclosure? If
the system is able to distinguish between uses and disclosures of information, does it
record a description of disclosures in a standardized manner (for example, does the
system offer or require a user to select from a limited list of types of disclosures)? If yes,
is such a feature being utilized and what are its benefits and drawbacks?
e) Is there a single, centralized electronic health record system? Or is it a decentralized
system (e.g., different departments maintain different electronic health record systems
and an accounting of disclosures for treatment, payment, and health care operations
would need to be tracked for each system)?
f) Does the system automatically generate an accounting for disclosures under the current
HIPAA Privacy Rule (i.e., does the system account for disclosures other than to carry out
treatment, payment, and health care operations)?
i. If yes, what would be the additional burden to also account for disclosures to
carry out treatment, payment, and health care operations? Would there be
additional hardware requirements (e.g., to store such accounting information)?
Would such an accounting feature impact system performance?
ii. If not, is there a different automated system for accounting for disclosures, and
does it interface with the electronic health record system?
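As an added example (not part of the presentation or of OCR's RFI), the Python below models an accounting record with the elements the certification standard names plus the suggested recipient and purpose, classifies each record as a use or a disclosure by workforce membership (question 6.a), restricts the purpose to a constructed pick-list of the kind 6.d asks about, and produces one patient's accounting of TPO disclosures over a three-year retention window (6.b). The workforce roster, record values and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed limited list of disclosure purposes (the kind of pick-list
# RFI question 6.d asks about); not taken from the rule text.
STANDARD_PURPOSES = ("treatment", "payment", "health care operations")

@dataclass(frozen=True)
class DisclosureRecord:
    # Elements the certification standard names (date/time, patient,
    # user, description) plus the two suggested additions: recipient, purpose.
    timestamp: datetime
    patient_id: str
    user_id: str
    description: str
    recipient: str
    purpose: str

def is_standard_purpose(purpose: str) -> bool:
    return purpose in STANDARD_PURPOSES

def classify(record: DisclosureRecord, workforce: set) -> str:
    # A recipient inside the covered entity's workforce makes it a "use";
    # anyone else (including non-workforce medical staff) is a "disclosure".
    return "use" if record.recipient in workforce else "disclosure"

def accounting(records, patient_id, workforce, as_of, retention_years=3):
    """Accounting of TPO disclosures for one patient within the retention window."""
    cutoff = as_of - timedelta(days=365 * retention_years)
    return [r for r in records
            if r.patient_id == patient_id
            and r.timestamp >= cutoff
            and is_standard_purpose(r.purpose)
            and classify(r, workforce) == "disclosure"]

# Constructed sample data: a hypothetical workforce roster and four records.
WORKFORCE = {"nurse01", "dr_smith"}
AS_OF = datetime(2011, 8, 23)
SAMPLE_RECORDS = [
    DisclosureRecord(datetime(2011, 6, 1, 9, 5), "P-001", "dr_smith",
                     "chart viewed on ward", "nurse01", "treatment"),
    DisclosureRecord(datetime(2011, 7, 15, 14, 30), "P-001", "dr_smith",
                     "consult note sent", "dr_jones", "treatment"),
    DisclosureRecord(datetime(2008, 2, 10, 11, 0), "P-001", "clerk02",
                     "claim submitted", "billing_co", "payment"),
    DisclosureRecord(datetime(2011, 7, 20, 8, 0), "P-002", "clerk02",
                     "claim submitted", "ins_co", "payment"),
]
```

Running `accounting(SAMPLE_RECORDS, "P-001", WORKFORCE, AS_OF)` returns only the consult sent to the non-workforce physician: the ward view is a use, the 2008 claim falls outside the three-year window, and the last record belongs to another patient.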
7. The HITECH Act provides that a covered entity that has acquired an electronic health record
after January 1, 2009 must comply with the new accounting requirement beginning January
1, 2011 (or anytime after that date when it acquires an electronic health record), unless we
extend this compliance deadline to no later than 2013.
a) Will covered entities be able to begin accounting for disclosures through an electronic
health record to carry out treatment, payment, and health care operations by January
1, 2011?
b) If not, how much time would it take vendors of electronic health record systems to
design and implement such a feature? Once such a feature is available, how much time
would it take for a covered entity to install an updated electronic health record system
with this feature?
8. What is the feasibility of an electronic health record module that is exclusively dedicated to
accounting for disclosures (both disclosures that must be tracked for the purpose of
accounting under the current HIPAA Privacy Rule and disclosures to carry out treatment,
payment, and health care operations)? Would such a module work with covered entities that
maintain decentralized electronic health record systems?
9. Is there any other information that would be helpful to the Department regarding accounting
for disclosures through an electronic health record to carry out treatment, payment, and
health care operations?
Appendix B
References
• Proposed HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act, http://www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf
• HIPAA Security Rule, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf
• HIPAA Privacy Rule (Summary), http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/
Copyright Consent Information
This presentation is a copyrighted document. As the registered attendee, you are hereby granted
permission to copy and distribute this presentation to your colleagues who attend this audio
conference. Please list these conference attendees using the form below and fax this page to
(800)-759-7179
8/23/11- New Patient Rights: Will Your HIPAA Program Be Ready?
This presentation is intended solely to provide
general information and does not constitute legal
advice. Attendance at the presentation or later
review of these printed materials does not create an
attorney-client relationship with the presenter(s).
You should not take any action based upon any
information in this presentation without first
consulting legal counsel familiar with your particular
circumstances.
Thanks