What Is the State of the HITECH Act Update to the HIPAA Privacy Patient Right to An Accounting of Disclosures?

If you are a HIPAA geek (or dork) like me, you may have wondered from time to time what has become of the changes called for by Section 13405 of the Health Information Technology for Economic and Clinical Health (HITECH) Act to the patient right, under the HIPAA Privacy Rule, to receive from a provider (as a covered entity) an accounting of disclosures of the patient's electronic health information. You may recall that under the original HIPAA Privacy Rule, the patient has a right to receive an accounting of disclosures of their protected health information (PHI) when the disclosure did not require their consent (generally, a disclosure not for a purpose of Treatment, Payment, or Healthcare Operations (TPO)), was permitted or required by law, and was not made under an authorization. Breaches of their privacy in the form of an unauthorized disclosure also technically needed to be included in an accounting of disclosures. This original form of the accounting did not depend on the PHI being in paper or electronic form; health information in any form was subject to the requirement.

Under HITECH, for an individual's electronic PHI held by a provider, this right was specifically amplified to cover disclosures made through an electronic health record for a TPO purpose, and OCR's subsequent proposed rule went further by proposing an "access report" that would also cover uses of the individual's electronic PHI. Like many, when I saw this, I was quite curious about the value of a requirement stated as broadly as this one seemed to be. When I saw the initial proposals from the Office for Civil Rights (OCR) of Health and Human Services and the earlier Request for Information (RFI) on the topic, several issues came to mind immediately:

  1. Proposed attempts at rulemaking broadly considered that a "user" was not just a natural person but could also be any given computer program, machine user (such as a medical instrument), interface, application server, or other similar element of health information technology (HIT).

  2. Audit information could potentially include user IDs that might not hold great meaning to a patient without translation.

  3. There was no standard for how information in the accounting of disclosures should be represented. There were requirements for what information needed to be included but not how that information needed to be specifically represented, codified, or valued for things like purpose, record type, and other information required to be included.

  4. Unlike the security audit trail, for which an ASTM standard has emerged and is used by the HHS Office of the National Coordinator (ONC) to certify health information technology under 170.315(d)(2), no such standard really exists for the accounting of disclosures. Security audit trails for access to EHI differ in content and form from what an accounting of disclosures requires.

Personally, I thought the Privacy and Security Tiger Team of the Health IT Policy Committee (a Federal Advisory Committee to ONC dating from the Obama Administration, charged with advising ONC on matters related to the HITECH Act, which was part of the American Recovery and Reinvestment Act (ARRA) of 2009 and gave us meaningful use) got it about right with their recommendations. In interpreting a practical and pragmatic way of implementing the HITECH requirement, they recommended focusing on what they felt would be most useful to patients: disclosures of EHI that were actual instances of sharing EHI outside the covered entity for a TPO purpose. They also recommended that, instead of an accounting requirement for uses of a patient's electronic PHI internal to the provider for a TPO purpose, greater emphasis be given to a patient's right to file a complaint if they suspected unauthorized use of their electronic PHI by the provider. In making these recommendations, the Tiger Team surmised that telling a patient about every use of EHI within the covered entity would prove overwhelming in volume, confusing in meaning, and of little value, all for what is not the more material source of risk to the patient, which is when their EHI is actually transmitted to an external individual or entity.
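As an added illustration (my own example code, not anything from OCR, ONC, the Tiger Team, or any EHR vendor), here is a Python sketch of what the Tiger Team's narrower reading implies in practice: start from security audit events, keep only actual transfers of EHI outside the covered entity, translate machine and human user IDs into something a patient can read, attach a purpose label, and count but do not list internal TPO uses. The audit field names, the identity directory, the purpose vocabulary and every event are constructed for this example; they are not taken from the ASTM audit standard or from any real system.

```python
from dataclasses import dataclass

# Constructed audit events, loosely modeled on the kinds of fields an EHR
# security audit trail records (time, patient, user, action, data accessed,
# source system). Field names and values are invented for this example.
AUDIT_EVENTS = [
    {"ts": "2024-03-04T09:12:00", "patient": "MRN-1001", "user": "jdoe",
     "action": "query", "data": "labs", "source": "ws-nurse-07", "recipient": None},
    {"ts": "2024-03-04T09:13:30", "patient": "MRN-1001", "user": "svc-lab-iface",
     "action": "export", "data": "labs", "source": "lab-interface",
     "recipient": "Acme Reference Lab"},
    {"ts": "2024-03-04T11:40:05", "patient": "MRN-1001", "user": "svc-hie-gw",
     "action": "transmit", "data": "ccd", "source": "hie-gateway",
     "recipient": "State HIE"},
    {"ts": "2024-03-05T08:00:00", "patient": "MRN-1001", "user": "rsmith",
     "action": "print", "data": "discharge-summary", "source": "ws-unit-3",
     "recipient": None},
    {"ts": "2024-03-05T08:05:00", "patient": "MRN-2002", "user": "svc-hie-gw",
     "action": "transmit", "data": "ccd", "source": "hie-gateway",
     "recipient": "State HIE"},
    {"ts": "2024-03-06T14:22:10", "patient": "MRN-1001", "user": "svc-claims",
     "action": "transmit", "data": "claim-837", "source": "billing-app",
     "recipient": "BlueSky Health Plan"},
    # An outbound transfer with no recipient recorded: the audit trail alone
    # cannot tell the patient who got the data, so it is flagged, not listed.
    {"ts": "2024-03-06T15:00:00", "patient": "MRN-1001", "user": "svc-hie-gw",
     "action": "transmit", "data": "ccd", "source": "hie-gateway",
     "recipient": None},
]

# Hypothetical identity directory: raw login IDs to patient-readable names.
# Machine users are attributed to an automated system rather than shown
# as an opaque service account.
DIRECTORY = {
    "jdoe": "J. Doe, RN",
    "rsmith": "R. Smith, MD",
    "svc-lab-iface": "Laboratory interface (automated)",
    "svc-hie-gw": "Health information exchange gateway (automated)",
    "svc-claims": "Claims submission system (automated)",
}

# There is no standard purpose vocabulary for an accounting; these labels
# and the data-type descriptions are this example's own choices.
PURPOSE_BY_DATA = {"labs": "Treatment", "ccd": "Treatment", "claim-837": "Payment"}
DATA_LABELS = {"labs": "Laboratory results", "ccd": "Continuity of care summary",
               "claim-837": "Insurance claim"}

# Actions that move EHI outside the covered entity; everything else is an
# internal use and stays out of the accounting under the Tiger Team's view.
EXTERNAL_ACTIONS = {"export", "transmit"}


@dataclass
class Disclosure:
    when: str          # calendar date of the disclosure
    recipient: str     # external person or organization that received EHI
    purpose: str       # TPO purpose label
    description: str   # what was disclosed, in plain language
    via: str           # who or what sent it, resolved through the directory


def resolve_actor(user_id, directory=DIRECTORY):
    """Translate a raw user ID into a name a patient can understand."""
    return directory.get(user_id, f"Unknown system user ({user_id})")


def build_accounting(events, patient, directory=DIRECTORY):
    """Return (entries, gaps): patient-readable external disclosures, plus
    raw events that look like external transfers but name no recipient."""
    entries, gaps = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["patient"] != patient or ev["action"] not in EXTERNAL_ACTIONS:
            continue
        if not ev["recipient"]:
            gaps.append(ev)
            continue
        entries.append(Disclosure(
            when=ev["ts"][:10],
            recipient=ev["recipient"],
            purpose=PURPOSE_BY_DATA.get(ev["data"], "Unspecified"),
            description=DATA_LABELS.get(ev["data"], ev["data"]),
            via=resolve_actor(ev["user"], directory),
        ))
    return entries, gaps


def count_internal_uses(events, patient):
    """Internal uses are counted (to support a complaint, if needed), not listed."""
    return sum(1 for ev in events
               if ev["patient"] == patient and ev["action"] not in EXTERNAL_ACTIONS)


def render(entries):
    """Format entries as the lines a patient-facing accounting would show."""
    return [f"{d.when}  {d.recipient}  [{d.purpose}]  {d.description}  (sent by {d.via})"
            for d in entries]


if __name__ == "__main__":
    found, missing = build_accounting(AUDIT_EVENTS, "MRN-1001")
    print("\n".join(render(found)))
    print(f"internal uses not listed: {count_internal_uses(AUDIT_EVENTS, 'MRN-1001')}")
    print(f"transfers needing manual follow-up: {len(missing)}")
```

The flagged event is the practical lesson: a security audit trail records who touched what and from where, but the accounting needs the recipient and the purpose, which the audit record often does not carry. Whatever system produces the accounting has to capture those at the point of disclosure or reconstruct them from interface and billing logs.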

This situation remains unresolved to this day; this HITECH requirement remains unimplemented. If I had a say with HHS OCR, I would say do what the Tiger Team recommended. What is the hold-up? I would love to know the answer. If you want to know what I think should occur, or have other questions about the intersection of HIT and compliance, reach out to me at jftprgllc@yahoo.com.

#ONC #CEHRT #CuresAct #healthit #hit #ehr #hipaa #OCR #HIPAAPrivacy #HIPAASecurity

Laura Travis

Health Care Attorney • Legal Content Specialist for Health Law at Bloomberg Law

1y

I prefer the term HIPAA enthusiast.
