Accounting for All Disclosures
Many in healthcare still haven’t made their peace with HIPAA’s accounting of disclosure requirements—the provision under which covered entities, upon request, must provide patients with a record of the entities to whom they have disclosed the patient’s protected health information (PHI). They consider it an undue administrative burden for requests they rarely receive. Now new requirements in the American Recovery and Reinvestment Act have upped the accounting ante.
The law singles out covered entities that maintain PHI in electronic health records, requiring them to account for disclosures of PHI made even for purposes of treatment, payment, and healthcare operations—actions exempted under HIPAA. Under the new law, covered entities must be able to provide an accounting of disclosures dating back three years from the patient request.
ARRA also requires that covered entities account for the disclosures of their business associates, or require them to make their own accounting. Business associates must respond to individual requests made directly to them.
The secretary of Health and Human Services is charged with determining what information patients may request and covered entities and business associates must provide.
Early Warning for EHR Systems
Covered entities currently using EHR systems have until January 1, 2014, to comply. Existing systems will need to be adapted to meet the new requirement, since few were likely designed to account for disclosures this finely.
Covered entities that purchase EHR systems dating from the first of this year must be compliant as of January 1, 2011. Systems purchased after that date must be capable of compliance right out of the box.
That means covered entities in the market for EHR systems now must get assurance from vendors that the systems will be able to meet the new disclosure criteria.
The secretary’s regulations are required no later than August.