[ Friday, September 06, 2002 ]
Back on Topic
. Sorry for the outbursts, but it's that time of year. And probably will be for a while.
Anyway, I've been wrestling with the need for accounting of disclosures issue (Section 165.528 of the regs). The recent changes added a few exclusions to what needs accounting, which you'd think would be a good thing. The idea behind the need to account for disclosures of PHI is that a patient has a right to know where their information is going. But that right needs to be counterbalanced by the burden that will fall on providers and others who would need to track every time they send records to anyone. It would be ridiculously burdensome to require a doctor to track each time she sends medical records to the insurance company for payment. And those types of uses (treatment, payment, and health care operations) are the exact type of situations where a patient should EXPECT his physician to disclose the information. So, the balancing act has been to exclude from the required accounting of disclosures any disclosures that meet this "business as usual," "expected" standard. Disclosures that are still legal but are not otherwise "expected" are the ones that ought to be tracked.
The proposal to revise the regulations back in March included a provision to include disclosures pursuant to an authorization from the patient in the "expected" category, and therefore exclude them from the types of disclosures for which a covered entity must be able to account. If a patient has signed an explicit authorization allowing his physician to make specific disclosures, the patient shouldn't be surprised that those disclosures were in fact made. They are "expected." When the final revisions came out in August, they kept the exclusion for authorized disclosures, but also added a few other excluded types of disclosures: disclosures as part of a limited data set (see above) and disclosures incident to an otherwise authorized disclosure. The "incident to" language leaves a lot to be desired.
My concern on first reviewing that language was that they draw in, by way of the "incident to" language, not only disclosures that are legal and "expected" but disclosures that are legal and not "expected." In other words, you could read the new language to drag into the "excepted" column not only those "expected" disclosures and the disclosures incidental to them, but all legal disclosures whether they're expected or not. This seemed to pretty much vitiate the accounting requirement: you only need to account for the disclosures you weren't allowed to make in the first place.
The language used by HHS is "disclosures that are merely incidental to an otherwise permissable use or disclosure will not require an accounting." See 67 Fed Reg 53244, bottom of the right column. They start to get back on track in the top of the next page when they note that it is difficult to account for incidental disclosures because you might not even know they are occurring, and that's a good reason to not have to account for them. But at the end of the same paragraph toward the top of page 53245, they say, "In that case, the underlying disclosure [for treatment purposes] is not subject to an accounting and it would be arbitrary to require an accounting for a disclosure that was merely incidental to such a communication." The implication is that the reason the incidental disclosure gets a free pass is because the underlying disclosure got a free pass, and that's not consistent; the incidental disclosure gets a free pass because it's incidental and not primary, regardless of whether the primary disclosure gets a pass (i.e., treatment, payment, and health care operations disclosures) or doesn't (i.e., disclosures for public health purposes).
I still think regardless of the comments, they've blown it with the actual language. The language says you don't have to account for a disclosure that is incident to any disclosure that is permitted (regardless whether it's an "expected" disclosure or not). What they intend is that if you are making a legal disclosure (say, a disclosure to a cancer registry) and there's an incidental disclosure related to that (a bystander overhears the report), the incidental disclosure doesn't need to be reported. However, isn't the disclosure "incident to" itself? That might be a little bit of a stretch, but couldn't you also say the the disclosure to the registry is "incident to" the original disclosure to the patient, the pathologist, etc. for treatment purposes? The regs don't define "incident to" in such a way to limit it to the casual, unintended and tangental disclosures the commentary seems to envision. And the provision itself (164.528(a)(1)(iii)) could have easily outlined that the disclosure itself is not so excepted unless it fits into another exception, but they didn't do so.
I'm a little more comforted that what they intended was to release from the accounting requirement these casual, unintended and tangental disclosures, but still don't like the way it's written.
Jeff [11:26 AM]
Blogger: HIPAA Blog - Edit your Template