
Saturday, May 28, 2011

New HIPAA Rights for Patients, New Requirements for You

It's official. The Office of Civil Rights (OCR) is proposing to add another regulatory burden to your plate.  On May 27, 2011, the OCR issued its Notice of Proposed Rulemaking on "Accounting of Disclosures."  The problem is, the rule is not only about disclosures. If only it were. Requests for accountings of disclosure have been few and far between, according to most providers.

Instead, the NPRM, if finalized as proposed, would narrow your accounting obligations while adding a new patient right to your administrative requirements. Generally within 30 days from request, you would have to provide the patient or his/her personal representative with an "access report." It essentially amounts to your (or your business associate's) production of an electronic audit trail of access for both uses and disclosures of protected health information (PHI) for treatment, payment or healthcare operations. This requirement would apply to your covered entity and your business associate. My experience as a medical malpractice attorney makes me wonder why a patient, healthcare client or long-term care resident, or that individual's family member, would want or need this detailed information other than to support a legal claim, but in the name of responding to the interests of the public, OCR has created an absolute right for the individual to receive this PHI residing within the designated record set. As proposed, the audit trail would not necessarily have names of individuals accessing the PHI if the EHR audit trail does not capture that information (for example, the audit trail might only reflect a user ID number), nor would the access report necessarily reflect whether the access was for the purpose of use or disclosure. So why would this be helpful?

Ironically, OCR actually acknowledges that the majority of the comments received in response to its Request for Information (RFI) regarding possible revision to the accounting/access report concept stated that these proposed changes would provide little or no benefit to the individual while creating administrative, staffing and monetary burdens on the covered entity. Yet OCR imposed the requirements anyway. And it would require you to update your Notice of Privacy Practices to reflect this new right, to boot.

Operationally, providers with an EHR would need to figure out how to accomplish this new task.  Since the Office of the National Coordinator has not yet mandated that certified EHR technology be capable of accounting for disclosures (and uses) for treatment, payment or healthcare operations to qualify for Stage 1 Meaningful Use incentives, many EHRs may not have this capability.

OCR would allow you to work with the patient to provide the requested data, even if that means providing the information in hard copy.  Entities and practices that acquired an (older) EHR (prior to 2009) would have an additional year to effectuate this change, but those with newer EHRs, acquired from 2009 forward, would need to be ready to provide these reports by January 1, 2013, even in the face of many acknowledged comments that these time frames are completely unworkable.

However, if it is any comfort, the OCR does shorten the timeframe for the accounting in paper format (6 years) to that of the more current electronic format request (3 years) since no one was asking for that 6-year-old information anyway.

The OCR discussion preceding the Proposed Rule seems to blend breach notification requirements, accounting for disclosures and the new access reporting requirements into one long spectrum of notice to the patient in the name of "transparency." Providers know that adding the "access report" burden will not necessarily capture all things impermissible, but depending on the practice setting, if finalized as written, it may impose an administrative burden with which compliance feels nearly impossible.

Score one for your EHR vendor. Since the HIPAA security rule expected you to audit your ePHI for years now, it makes sense for you and your EHR vendor to see how you can operationalize this latest proposal from the OCR.  
