Friday, January 25, 2013

One HITECH Highlight

Like many people in my area of healthcare law and compliance, I am up to my ears in the 563-page HITECH Final Omnibus Rule, parsing and analyzing. I will be writing a number of pieces on this hefty bit of your-tax-dollars-at-work, but let me start with one point: a patient's right to transmission of the EHR. As you probably know, patients have an absolute right to an electronic copy of their electronic record, and there is much discussion about what that looks like, what media to use (the regulators won't tell you) and how to get paid for honoring the request. (And if your practice keeps a hybrid of paper and electronic records, a patient's request for the record requires a more extensive response, since you must produce the paper and electronic portions in their respective formats.)

For practices and healthcare organizations alike, this small section of the large rule has enormous operational impact. But here is the part of the rule I like best: the federal regulators actually agreed with me on something.

Last year, at the HIPAA Summit in Washington, D.C., and the year before that, at the NIST/OCR conference, also in Washington, D.C., I asked Susan McAndrew, OCR's Deputy Director for Health Information Privacy, essentially the same question: how were small practices without secure email capability going to comply with the Interim Final Rule's mandate that they transmit an EHR electronically to a specific recipient, while at the same time avoiding a compliance violation and enforcement risk? My feeling was that providers without secure email were caught between a rock and a hard place: at risk for sending unsecured email, and at risk for refusing to honor the patient's right to have his or her EHR transmitted, for fear of regulatory reprisal. The patient should be able to assume the risk inherent in the email transmission, but would the regulators agree to back off the provider's HIPAA compliance responsibilities?

In essence, the answer is yes. The commentary accompanying the HITECH Omnibus Rule states that if a patient or personal representative asks a provider to transmit the electronic record to the patient or to someone else, and the provider is only able to do so through unencrypted email, then the provider must make sure the individual understands the risks inherent in sending the record over unencrypted email. If, knowing those risks, the individual nonetheless wants the provider to honor the request, the provider is not subject to enforcement in the event the transmitted ePHI is subsequently compromised. Further, the provider may rely upon the email address the patient or personal representative has provided. As a practical matter, the provider should obtain the request in writing, together with a written acknowledgment that the risks were explained and accepted. Then, as long as the email address was entered correctly from the written request, the provider is not subject to enforcement if something goes wrong after hitting "send." Note the limits of this relief: it covers transmission that the individual has requested after being warned, and the information once delivered. It does not change the provider's obligations to safeguard the ePHI it still holds, and it does not excuse sending unencrypted email the patient never asked for.

Score one for common sense. Those many providers who refused to use email for fear of enforcement can breathe a little easier now.

Much more to follow.
