The Office of Civil Rights for the Department of Health and Human Services (HHS) recently requested comments related to its upcoming rulemaking under the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009. HITECH expands the current HIPAA Privacy Rule requirement that a covered entity provide individuals with a right to receive an accounting of certain disclosures of the individual’s protected health information to certain parties. Currently, under HIPAA, a covered entity is not obligated to provide an accounting of disclosures if such disclosures were in furtherance of treatment, payment, or health care operations (TPO). HITECH eliminated these exemptions by requiring covered entities to account for TPO disclosures if such disclosures are made through an electronic health record.
In HHS’s request for information (RFI), HHS seeks comment on several questions from "all stakeholders," including individuals and consumer advocates as well as from vendors of electronic health record systems, particularly regarding the technical capabilities of such systems to account for TPO disclosures.
RFI Questions are Summarized Below:
- What are the benefits to the individual of an accounting of disclosures, particularly TPO disclosures?
- Are individuals aware of their current right to an accounting?
- How do covered entities make clear to individuals their right to receive an accounting of disclosures? How often is an accounting requested?
- Do individuals who request and receive an accounting feel as though it provided the information they were seeking? How did they use this information?
- What types of information (date, time, patient ID, description of disclosure, recipient, etc.) should the accounting of disclosures for TPO provide? How detailed should the TPO disclosure be in order to be useful to the individual?
- For existing electronic health record systems, HHS asks several questions regarding current and future electronic health record systems’ structures and capabilities related to collecting and providing TPO disclosure information.
- Will covered entities by able provide an accounting of TPO disclosures by January 1, 2011? If not, how much time is needed to comply?
- What is the feasibility of an electronic health record module that is exclusively dedicated to accounting for disclosures?
- What additional information should HHS consider in its rulemaking?
A likely basis for the exclusion of TPO disclosures from the original HIPAA Privacy Rule was due to the sheer volume of TPO disclosures that take place on a daily basis in furtherance of providing care to an individual, coupled with the fact that electronic health record systems were in their relative infancy and did not possess the technological "horsepower" to account for such disclosures. The legislature, as indicated by the passage of HITECH, believes that advancements in software systems design, hardware storage, processing speeds, and increased network bandwidth have come to a point where accounting of TPO disclosures is not only technologically possible, it is reasonably attainable. Only time will tell whether the legislature was correct in its assessment. That being said, the RFI process may enable vendors of electronic health record systems to shape the regulations more in their favor through the advocacy of their responses to the HHS RFI.