Phia Group Russo & Minchoff

Accounting for Disclosures in Electronic Health Records Could Be a Time Bomb Waiting for HIPAA Covered Entities

Reprinted from REPORT ON PATIENT PRIVACY, the industry’s most practical source of news on HIPAA patient privacy provisions.

by Eve Collins, Editor of AIS Health, www.aishealth.com

Covered entities (CEs) are stemming their panic for now regarding the new accounting for disclosures requirements for electronic health records (EHRs) that were part of the HITECH Act, at least until they see guidance from HHS, which is due in August, consultants and privacy officials tell RPP.

The new accounting of disclosures requirements for EHRs under the HITECH Act dictate that providers log all disclosures made through EHRs – including those made for treatment, payment and health care operations – and report them to patients when requested. Formerly, HIPAA required that providers log only when protected health information (PHI) was disclosed for purposes other than treatment, payment or health care operations.

The new requirements are a ticking time bomb for covered entities mainly because so much has yet to be defined, says Frank Ruelas, privacy and compliance trainer for CEs. “So many people are reading the [provisions], which are saying ‘You must do X, Y and Z – and by the way, we’ll let you know what X, Y and Z are later,’” he contends.

“Accounting of disclosures for EHRs is really up in the air because before anyone can comply, we have to know what they want….The upside is that they’re built on the HIPAA foundation, so one nice thing is that this is not the first-time exposure to these terms. There might be twists and turns on some things, but at least we have a solid foundation,” he says.

“How rapidly HHS defines what the requirements are going to be is likely the biggest issue,” agrees Chris Apgar, president of Apgar and Associates. But a lot is going to depend on how rapidly vendors respond, he adds. “I’m telling clients not to do anything right now. You don’t want to purchase an EHR a vendor claims to be compliant or do any custom programming until HHS has defined the criteria. Until we know that, vendors can’t program for it. If HHS takes its time and doesn’t issue [guidance] for a significant period of time, that puts the vendors and CEs in an untenable position because they will have a difficult time programming EHRs to meet the new requirements.”

“We have to have all the pieces, and HHS hasn’t provided that yet,” Apgar continues. “Providers are in a position where they really don’t know what they are required to do, when they need to get it, how quickly they can get vendors to respond and what it’s going to cost them,” he says. “If they don’t comply, they would be in violation and could be fined. If they don’t have the right technology that meets HHS’s standards, they will have a difficult time taking advantage of the stimulus dollars to move from paper to electronic. The bottom line is the sooner HHS publishes the standards, the sooner the industry can react to it. The longer they wait, the more expensive it is going to be.”

Waiting too long has its consequences for CEs, Ruelas warns. “I think that if someone takes a wait-and-see attitude and keeps monitoring this, they’re going to be in for a rude awakening,” especially where breach notification is concerned, he says. “You need to understand what’s going on because [a breach] can be a marketing relations director’s nightmare with those notifications. How reasonable would it be that Dr. Smith or a hospital system is going to maintain a database with PHI of 500 people or more? Even a small provider has at least 500 patients. If this X factor does occur, the chances that it’s going to affect 500 or more patients is probably a given,” he says.

Abner Weintraub, president of The HIPAA Group, a consulting firm, says that the new provisions are a powder keg for CEs. “It is my understanding that this essentially will be a piece of software [that] will be able to do this as part of a built-in feature. In my head, the biggest issue isn’t whether or not covered entities that use EHRs will be able to comply easily – those with good systems will. The bigger issue here is that despite all of the stimulus money and grandstanding to promote EHRs, adoption is still on a very slow curve,” he says. “The health care industry has proven that it’s difficult to lock down data, even if you comply with all the HIPAA security requirements. And the number of data breaches continues to rise.” Cost, general unfamiliarity and slowness to adopt are the issues, he says.

Weintraub, whose clients are mostly small and mid-level CEs, says the smaller facilities will have a tougher time. “When you go out to the countryside to speak to small and medium-sized covered entities, EHR adoption is pretty far down on their list of priorities. The bombshell is for a covered entity [that] decides to get its toes in the water to test EHRs and winds up with a hybrid system with part of its records in an electronic system and part in a traditional medium….What do you do when you have a hybrid system and are expected to supply” information to patients?

Some CEs Are Shopping for Vendors

Despite Apgar’s advice to wait, he says some of his clients are looking for vendors now anyway to comparison shop and because of needed upgrades. “Others are looking at what they can do now, and I caution them that they don’t want to do that because, yes, they need to account for disclosures from their EHRs and [electronic medical records], but we don’t know what they have to do and what they have to include.”

Apgar says that once the requirements take effect, it shouldn’t be too difficult on CEs that are already doing what they’re supposed to be doing. “They should already have audit logs turned on and already be reviewing those audit logs. The security rule requires the use of audit logs to identify and track the use and disclosure of PHI,” he says. “I tell clients that, at a minimum, they want to know who did what, when they did it and what did they do.”

Apgar sees two problems: (1) audit logs record all access to PHI, not just disclosures, and (2) it is not yet clear what the accounting should look like. “None of that is insurmountable. You can create a report out of audit logs that is readable to a patient. It’s just a matter of sorting through what is a disclosure and what is not.” If a patient wants the accounting e-mailed to him or her, that could be an issue because the CE would have to have secure messaging and encrypt the accounting, but CEs should be encrypting PHI sent over the Internet anyway, he adds.
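As an added illustration of the sorting Apgar describes (this is example code written for this reprint, not from the article, RPP, or any EHR vendor), the script below takes a constructed audit log in which every PHI access is recorded, keeps only the events in which information left the covered entity, and optionally drops treatment, payment and operations disclosures so the pre-HITECH accounting can be compared with the HITECH one. The column layout, the purpose codes and the `external` flag are assumptions of this example; real EHR audit logs vary by product.

```python
"""Turn an all-access EHR audit log into a patient-readable accounting of disclosures.

Added example, not the article's or any vendor's code. The log format below
(comma-separated, one row per PHI access, with an 'external' flag marking
whether the recipient is outside the covered entity) is a constructed assumption.
"""
import csv
from dataclasses import dataclass
from datetime import datetime
from io import StringIO
from typing import Iterable, List

# Purposes that the pre-HITECH rule exempted from accounting (assumed codes).
TPO_PURPOSES = {"treatment", "payment", "operations"}


@dataclass(frozen=True)
class AuditEvent:
    patient_id: str
    timestamp: datetime   # when they did it
    actor: str            # who did it
    action: str           # what they did (view, print, transmit, ...)
    recipient: str        # who received the information
    external: bool        # True when the recipient is outside the covered entity
    purpose: str


# Constructed sample log: internal views mixed with outbound transmissions.
SAMPLE_LOG = """\
patient_id,timestamp,actor,action,recipient,external,purpose
P001,2010-03-02T09:15,nurse.j,view,nurse.j,no,treatment
P001,2010-03-02T11:40,dr.smith,transmit,Regional Lab,yes,treatment
P001,2010-03-05T14:02,billing.k,transmit,Acme Health Plan,yes,payment
P001,2010-03-09T16:30,records.m,print,Patient attorney,yes,legal
P001,2010-03-10T08:05,qa.l,view,qa.l,no,operations
P002,2010-03-11T10:00,dr.smith,transmit,Acme Health Plan,yes,payment
"""


def parse_log(text: str) -> List[AuditEvent]:
    """Parse the constructed CSV layout into AuditEvent records."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append(AuditEvent(
            patient_id=row["patient_id"].strip(),
            timestamp=datetime.strptime(row["timestamp"].strip(), "%Y-%m-%dT%H:%M"),
            actor=row["actor"].strip(),
            action=row["action"].strip(),
            recipient=row["recipient"].strip(),
            external=row["external"].strip().lower() == "yes",
            purpose=row["purpose"].strip().lower(),
        ))
    return events


def is_disclosure(event: AuditEvent) -> bool:
    """Audit logs record every access; only events where PHI left the CE are disclosures."""
    return event.external


def accountable_disclosures(events: Iterable[AuditEvent], patient_id: str,
                            include_tpo: bool) -> List[AuditEvent]:
    """Select the disclosures that belong in one patient's accounting, oldest first.

    include_tpo=False mirrors the pre-HITECH rule (TPO disclosures exempt);
    include_tpo=True mirrors the HITECH rule for EHRs described in the article.
    """
    selected = []
    for e in sorted(events, key=lambda ev: ev.timestamp):
        if e.patient_id != patient_id or not is_disclosure(e):
            continue
        if not include_tpo and e.purpose in TPO_PURPOSES:
            continue
        selected.append(e)
    return selected


def render_accounting(events: Iterable[AuditEvent], patient_id: str,
                      include_tpo: bool = True) -> str:
    """Produce the plain-language report a patient would receive."""
    rows = accountable_disclosures(events, patient_id, include_tpo)
    lines = [f"Accounting of disclosures for patient {patient_id}",
             f"{len(rows)} disclosure(s)"]
    for e in rows:
        lines.append(f"{e.timestamp:%Y-%m-%d %H:%M}  {e.actor} {e.action} "
                     f"to {e.recipient} (purpose: {e.purpose})")
    return "\n".join(lines)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(render_accounting(log, "P001", include_tpo=False))  # old rule
    print()
    print(render_accounting(log, "P001", include_tpo=True))   # HITECH rule
```

Running it shows the practical effect of the change: for patient P001 the old rule yields a single entry (the print for the attorney), while the HITECH rule also surfaces the lab and health-plan transmissions. The two internal views never appear, which is the access-versus-disclosure distinction Apgar is drawing.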

Weintraub points out that patients probably won’t be up to speed on what their rights are. “I don’t think patients will be clamoring to have providers supply their data. Most people don’t know today that they can add an amendment to medical records or that they can restrict information” as allowed by HIPAA since 2003. “I think the same thing applies here. And CEs are relieved at the fact that they don’t know these things. That’s going to save some of the burden to comply because requests will be few and far between.”

Weintraub is counseling his clients to focus on getting educated about EHRs for now, to “read and learn what [they] can about EHRs and their security or lack of it, and look ahead to the regs, but don’t jump immediately. Education is the most important element right now as opposed to a super-fast rush to purchase,” he says. Issues such as interoperability still haven’t been worked out, for example. “I see it as early to rush in except for the bigger institutions that have tons of money and can afford to experiment, and if the system they adopt now is not what they need, they can migrate their data and deal with the changes. The small and mid-sized covered entities can’t afford that.”

Some other hairy issues that might come up later for CEs include a patient’s right to restrict where information is sent and to request that PHI be given to him or her in an electronic format or transmitted to another provider, says Ruelas.

Ruelas’ clients view the new provisions as a headache, but he says there isn’t a lot of anxiety over them yet. For one thing, the law says CEs can charge patients for the cost of labor only when they ask for their records in an electronic format. “So how much does it cost to copy a record over to flash drive?” Ruelas asks. But in the grand scheme of things, it’s just another way that patients can ask for their PHI: Do they want a copy of their medical records sent through the mail, ready to be picked up at the front desk, or will they bring in a flash drive? “If they request it electronically, we have to give it to them that way. That’s the only difference,” he says.

HITECH Was a ‘Necessary Evil’

Apgar says the accounting of disclosures provision was likely an example of privacy advocates getting their way, but that the HITECH Act overall was a necessary evil. “Business associates and personal health records vendors are dealing with PHI, and there was no regulation that held them accountable. This does that,” he says. Add to that the fact that HHS and CMS have done “lousy jobs” enforcing HIPAA because of lack of funding, Apgar says. “I think what was included was appropriate and necessary, especially given business associates were already supposed to meet the requirements of the HIPAA privacy and security rules by contract. The accounting for disclosures thing is more than what is necessary, but I think that was an isolated incident.”

Ruelas says privacy advocates may have had the Obama administration’s ear with this provision, but “maybe that’s a good thing. Because of the fact that so many things are moving more and more electronic, and people are understanding that as more go electronic, more risks are associated with that,” he says.

With just one electronic copy of a document, entities have the ability to post the information on their Web sites or e-mail it out. “People feel more exposed. And who are the major violators?” The Veterans Administration has had major breaches of patient information, he points out. “The government that sets the rules can’t get it right and drops the ball. How can we expect a private enterprise to be held to a higher standard?”


About The Author

Adam V. Russo
