EHR Disclosure Rule: Time to Weigh In
Regulators seek help crafting tough-to-write ruleThe update to the HIPAA Privacy Rule, which regulators must create by June 30 to comply with the HITECH Act, "is the single most difficult security requirement to figure out" in the Act, says Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society.
Under HITECH, the federal rule for carrying out this mandate must take into account the interests of individuals who want to learn when and to whom their information is disclosed, the usefulness of the information to the individual, and the cost burden for such accounting. Individuals must be able to obtain a disclosure of who accessed their records "to carry out treatment, payment and health care operations if such disclosures are through an electronic health record."
And those requirements add up to a rule that's going to be extremely tough for regulators to write and difficult for healthcare organizations to follow, Gallagher says.
Nevertheless consumer advocates label accounting of records disclosures as essential to building trust in electronic health records as well as health information exchanges. "This is a new era, and we need new rules," says Pam Dixon, executive director of the World Privacy Forum.
Questions posed
In a request for information announcement published in the Federal Register May 3, the Office for Civil Rights in the Department of Health and Human Services invites comments on nine detailed questions. The comments are due by May 18.
Among the questions are:
- If you are a covered entity (hospital, clinic, insurer, etc.), how many requests for an accounting of disclosures have you received?
- For those individuals who have received accountings of disclosures, how was this information used once it was obtained?
- Should disclosure identify the individual who has read a record as well as the purpose of their gaining access?
- Will covered entities be able to account for disclosures through EHRs by Jan. 1, 2011, as required under HITECH, or should an extension be granted to 2013?