EHR Disclosures: Tackling the Challenge
Federal Official Discusses Rule-making Efforts
As it prepares a rule spelling out requirements for providing patients with an accounting of disclosures of information from EHRs to those outside the organization that created the records, the U.S. Department of Health and Human Services' Office for Civil Rights "hopes to put the onus on electronic health records vendors," says Adam Greene, senior health information technology and privacy specialist at the office. The rule, he says, likely will include specific requirements for how EHR software must accommodate these disclosures.
In that way, some of the difficulties involved in reporting disclosures will be eased for healthcare organizations, he contends.
Greene's comments came Aug. 16 at the 2010 Legal EHR Summit in Chicago, sponsored by the American Health Information Management Association.
The Office for Civil Rights left the disclosure accounting requirement out of its recently released final rules for the Medicare and Medicaid EHR incentive payment program created under the HITECH Act, saying it needed more time to work on the details. In July, Susan McAndrew, deputy director for privacy at the Office for Civil Rights, said the office would issue a disclosure accounting rule later this year. She acknowledged this rule-making task is proving difficult. "There is a wide range of opinion on all aspects of this new requirement, including the primary factors we should take into account when balancing benefits to individuals against the burden on covered entities."
Accessing Records
In his presentation at the conference, Greene also addressed the challenge of providing patients with copies of their electronic records. One of the final rules for the EHR incentive program, which spells out how hospitals and physicians must "meaningfully use" EHRs to earn incentives for stage one of the program, requires providers to give patients access to copies of their electronic records. Greene says this can be accomplished in several ways, including:
- Via a patient portal;
- By exchanging information from the EHR with a personal health record application;
- By downloading records to a CD or USB drive.
He noted that electronic records provided to patients can be unencrypted, "as long as you inform the patient about the risks."
Other Security Steps
Greene also offered insights on other security steps hospitals and clinics should take as they implement electronic records, including:
- Conduct a risk assessment or update an existing one. "An EHR creates a whole new ballgame for risk analysis," he says.
- Properly train the workforce so they recognize new security challenges. Security policies developed as a result of a comprehensive risk analysis will prove worthless unless staff is aware of them and knows how to comply, Greene stresses.
- Create a contingency plan for steps to take when an EHR system is unavailable.
- Appropriately monitor access to EHRs and maintain physical safeguards to prevent loss or theft and to address environmental hazards. To make his point, Greene quipped about avoiding having "a secure server next to an open window in front of a radiator."
- Be sure to activate and use all the security features included with an EHR. "It doesn't do anyone any good to have encryption features that are not turned on," he stresses. "And make sure that your hardware supports all of the EHR's security features."
In addition to the roughly 130 major breaches reported so far, the Office for Civil Rights had received more than 7,500 reports of breaches affecting fewer than 500 individuals as of mid-July, Greene notes. Many of those smaller cases, he says, have involved paper records and fax machines. He urges hospitals and clinics to take steps to make sure that faxed records wind up at the appropriate destination.