EHR Disclosure Rule: Time to Weigh In

Regulators seek help crafting tough-to-write rule
EHR Disclosure Rule: Time to Weigh In
Federal regulators are seeking advice and insights as they prepare to tackle the challenge of writing a rule enabling patients to receive an accounting of who has viewed their electronic health records.

The update to the HIPAA Privacy Rule, which regulators must create by June 30 to comply with the HITECH Act, "is the single most difficult security requirement to figure out" in the Act, says Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society.

Under HITECH, the federal rule for carrying out this mandate must take into account the interests of individuals who want to learn when and to whom their information is disclosed, the usefulness of the information to the individual, and the cost burden for such accounting. Individuals must be able to obtain a disclosure of who accessed their records "to carry out treatment, payment and health care operations if such disclosures are through an electronic health record."

And those requirements add up to a rule that's going to be extremely tough for regulators to write and difficult for healthcare organizations to follow, Gallagher says.

Nevertheless consumer advocates label accounting of records disclosures as essential to building trust in electronic health records as well as health information exchanges. "This is a new era, and we need new rules," says Pam Dixon, executive director of the World Privacy Forum.

Questions posed

In a request for information announcement published in the Federal Register May 3, the Office for Civil Rights in the Department of Health and Human Services invites comments on nine detailed questions. The comments are due by May 18.

Among the questions are:

  • If you are a covered entity (hospital, clinic, insurer, etc.), how many requests for an accounting of disclosures have you received?

  • For those individuals who have received accountings of disclosures, how was this information used once it was obtained?

  • Should disclosure identify the individual who has read a record as well as the purpose of their gaining access?

  • Will covered entities be able to account for disclosures through EHRs by Jan. 1, 2011, as required under HITECH, or should an extension be granted to 2013?

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.