ARRA Privacy Provisions Present IT Challenges
In the August print issue, Journal writer Chris Dimick describes the challenges California healthcare organizations face in determining their responsibilities under tough new state law on health data breach notification and even newer federal law created by ARRA.
The breach notification requirement is not the only ARRA privacy provision shaking up healthcare organizations in California and across the country. It is just the most pressing—final rules appear this month, and organizations must be compliant within 30 days.
Three additional ARRA provisions around privacy and transparency have providers and vendors buzzing, because current electronic record systems cannot meet the requirements.
In many ways, the three provisions describe what EHR systems should be able to do, not what they can do. In the coming months it is up to the federal government to fill in the details. In the coming months and years, it will be up to providers and vendors to adapt and create systems that meet them.
Dimick’s conversations with privacy experts in California continue below, expanding to new provisions on accounting for disclosure, suppressing disclosure of treatment for services paid out-of-pocket, and providing electronic copies of electronic records.
* * *
Accounting for Disclosure
HIM professionals and others are concerned with ARRA’s new accounting for disclosures provision, which requires healthcare facilities using EHRs to provide an accounting or audit trail of all record disclosures. This represents a major change from the current HIPAA laws, which exempt disclosures for treatment purposes and routine healthcare operations. Most state laws do not address accounting for disclosures, and they rely on HIPAA to set the rules.
ARRA did not detail the exact content of the disclosures. The Department of Health and Human Services must deliver those requirements this month, advised by a federally appointed policy committee. Once HHS defines the required content, a second advisory committee will recommend the technical standards to enable the disclosures by the end of this year. By June 2010, HHS must promulgate the final rule on disclosures.
Providers are concerned that it is not technically possible to track every access to every patient record. Some feel such accounting would slow down access to records, time that could be spent treating a patient.
“It is very, very tough [technologically],” says Cassi Birnbaum, director of health information and privacy officer at Rady Children’s Hospital of San Diego. “We can require that everyone does a quick disclosure whenever they are handing information out to somebody outside of the organization. But when you are disclosing information to another clinician, that would be so disruptive to patient care.”
When disclosing information for treatment, HIM professionals will now have to also mind the “minimum necessary” provisions of HIPAA—which state that only the information necessary for an action to be carried out can be disclosed. Organizations have struggled with determining “minimum” since the day the HIPAA rule took effect. HHS is currently compiling guidance on what constitutes the minimum necessary for treatment disclosures in anticipation of the new provisions.
But privacy advocates like Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology in Washington, DC, keep the end goal in sight. McGraw, who serves on the advisory committee developing disclosure policy recommendations, feels that patients have a basic right to know who is accessing their medical records.
Gerry Hinkley, a healthcare lawyer and partner with Davis Wright Tremaine LLP, based in San Francisco, agrees. The provision helps give possession of a patient’s health record back to the patient, he says. “If your caregiver shares the information with somebody else, really for any purpose, it is your information and you should know to whom and when.”
The ARRA legislation may have underestimated the wide variance in today’s EHR systems, but legislators did recognize that most existing systems cannot meet the accounting of disclosures rule today. Organizations using EHR systems purchased before January 1, 2009, have until January 2014 to comply with the provision.
Purchasers of new systems are under a much tighter deadline. Healthcare entities that purchase a system after January 1 of this year must be compliant with the new provision as of January 1, 2011. Therefore, organizations currently in the market for an EHR should discuss the provision thoroughly with vendors.
A separate ARRA provision gives patients the right to prevent the disclosure of health data to their health insurance plans if they paid for the treatment out of their own pockets. Complying with this request will require separating out records generated from treatment that was paid for personally by the patient, a technically difficult task in the EHR. Previous state and federal laws have not set these requirements, buyers never requested the functionality, and vendors have not incorporated it in their systems.
When payers evaluate a claim, typically they request the entire medical record to determine if the treatment was medically necessary, McGraw says. The ARRA provision comes out of some patients’ fears that insurance providers could use certain medical information to modify coverage. The segregated records most likely would be mental health records from psychotherapy sessions, or certain reproductive health services not covered by most insurance.
In addition to the technical challenges, the law raises administrative questions. Organizations will require policies establishing who can and cannot access segregated information. If files are masked from payers, the EHR would have to unmask information when it is needed for treatment.
Ideally, McGraw says, you don’t want to resort to keeping separate systems.
While this segregation of records is both technically and administratively challenging, Hinkley believes actual requests for this type of action will be uncommon. Usually when patients receive treatment they want their health insurance to pay for it, he notes.
Electronic Copies of Electronic Records
The limitations of current technology also complicate an ARRA provision that requires providers to give patients electronic copies of their electronic health records upon request. State law varies on this requirement, with most states, including California, defaulting to HIPAA regulations. Under HIPAA, providers are required to give a copy of a patient’s record in the format requested, but only if documents are “readily producible” in that format.
But ARRA removes the “readily producible” language and outright requires any facility using an EHR to provide an electronic copy of a patient’s health record. Many current EHR systems cannot directly produce an electronic copy of a record by burning it onto a disk or downloading it to a memory stick, Birnbaum says.
“There isn’t an exception for entities that have older legacy systems where you can’t produce an electronic copy,” McGraw notes. “There is no grandfather clause, no easing in.”
HIM professionals have already encountered this wrinkle at the state level. In Illinois, a bill proposing that patient information stored electronically must be produced electronically for release of information requests was amended after state healthcare associations argued that most current EHR systems were incapable of meeting the requirement. The subsequent law requires that a facility unable to produce its electronic documents in an electronic format as requested must send a letter to the requestor explaining why it cannot fulfill the request.
Again, entities shopping for EHR systems must discuss the requirement with vendors to ensure they will be compliant with the law. Birnbaum notes that the provision creates an opportunity for vendors and third-party developers to create add-ons that enable systems to reproduce records electronically.