
Saturday, May 28, 2011

New HIPAA Rights for Patients, New Requirements for You

It's official. The Office of Civil Rights (OCR) is proposing to add another regulatory burden to your plate.  On May 27, 2011, the OCR issued its Notice of Proposed Rulemaking on "Accounting of Disclosures."  The problem is, the rule is not only about disclosures. If only it were. Requests for accountings of disclosure have been few and far between, according to most providers.

Instead, the NPRM, if finalized as proposed, would narrow your accounting obligations while adding a new patient right to your administrative requirements. Generally within 30 days from request, you would have to provide the patient or his/her personal representative with an "access report." It essentially amounts to your (or your business associate's) production of an electronic audit trail of access for both uses and disclosures of protected health information (PHI) for treatment, payment or healthcare operations. This requirement would apply to your covered entity and your business associate. My experience as a medical malpractice attorney makes me wonder why a patient, healthcare client or long-term care resident, or that individual's family member, would want or need this detailed information other than to support a legal claim, but in the name of responding to the interests of the public, OCR has created an absolute right for the individual to receive this PHI residing within the designated record set. As proposed, the audit trail would not necessarily have names of individuals accessing the PHI if the EHR audit trail does not capture that information (for example, the audit trail might only reflect a user ID number), nor would the access report necessarily reflect whether the access was for the purpose of use or disclosure. So why would this be helpful?

Ironically, OCR actually acknowledges that the majority of the comments received in response to its Request for Information (RFI) regarding possible revision to the accounting/access report concept stated that these proposed changes would provide little or no benefit to the individual while creating administrative, staffing and monetary burdens on the covered entity. Yet OCR imposed the requirements anyway. And it would require you to update your Notice of Privacy Practices to reflect this new right, to boot.

Operationally, providers with an EHR would need to figure out how to accomplish this new task.  Since the Office of the National Coordinator has not yet mandated that certified EHR technology be capable of accounting for disclosures (and uses) for treatment, payment or healthcare operations to qualify for Stage 1 Meaningful Use incentives, many EHRs may not have this capability.

OCR would allow you to work with the patient to provide the requested data, even if that means providing the information in hard copy.  Entities and practices that acquired an (older) EHR (prior to 2009) would have an additional year to effectuate this change, but those with newer EHRs, acquired from 2009 forward, would need to be ready to provide these reports by January 1, 2013, even in the face of many acknowledged comments that these time frames are completely unworkable.

However, if it is any comfort, the OCR does shorten the timeframe for the accounting in paper format (6 years) to that of the more current electronic format request (3 years) since no one was asking for that 6-year-old information anyway.

The OCR discussion preceding the Proposed Rule seems to blend breach notification requirements, accounting for disclosures and the new access reporting requirements into one long spectrum of notice to the patient in the name of "transparency." Providers know that adding the "access report" burden will not necessarily capture all things impermissible, but depending on the practice setting, if finalized as written, it may impose an administrative burden with which compliance feels nearly impossible.

Score one for your EHR vendor. Since the HIPAA Security Rule has expected you to audit your ePHI for years now, it makes sense for you and your EHR vendor to see how you can operationalize this latest proposal from the OCR.

Sunday, May 15, 2011

Thoughts on the OCR/NIST HIPAA Security Conference

I’m writing this as I fly back from a conference held in Washington, DC entitled "Safeguarding Health Information: Building Assurance Through HIPAA Security." The attendees were an interesting mix of tech folks and administrative/regulatory professionals, all hoping to gain insight into the latest priorities and upcoming changes in the HIPAA/HITECH arena. I had the opportunity to meet and learn from some talented people who are very serious about managing the risks associated with clinical information and EHRs. Of course, my primary reason for attending was that I hoped to hear some helpful information straight from the source.
Sue McAndrew, Deputy Director for Health Information Privacy, spoke to the attendees several times. Among other things, she told us that the final rules on HITECH, breach notification, enforcement, GINA and  would be issued together in one “big mother” of a regulation (I think she meant an “omnibus” regulation), which would also include issues on research and student immunization. The accounting for disclosures NPRM would be issued separately.
She reinforced that patients have an “absolute right” to an electronic copy of their electronic DRS and to designate a recipient of the transmission of that record. I got up and asked her about that point; specifically, about the concern of small providers who email electronic PHI without encrypting the data, especially because the HIPAA Privacy Rule allows providers to honor the patient’s request for email communications (presumably, without difficulty accessing the information), and the HIPAA Security Rule does not mandate encryption where it is reasonable and appropriate. Ms. McAndrew essentially responded (I’m paraphrasing) that the patient’s right to the data was paramount, so where the patient is advised of and knowingly waives the risk of email insecurity, OCR would not find a security violation. At last!
However, encryption is still highly promoted as a safe harbor for breach notification, and the reported breaches so far include loss of unencrypted "data at rest" on missing laptops.
The biggest take-away message, repeated throughout the conference, is the need for covered entities to have "robust" compliance plans. No matter how large or small your organization, you are expected to meet these requirements: conduct your risk assessment, address your gaps, prepare policies, monitor, train your staff, keep privacy and security awareness front and center. Even though the details may change, this underlying theme remains the same. Be aware, be prepared.