[ Friday, February 11, 2011 ]
Accounting Rule is Coming:
There was a lot of buzz in the HIPAAsphere yesterday about the announcement by OMB that HHS was about to publish a rule relating to the obligation of Covered Entities (CEs) to account for disclosures of PHI, as changed by HITECH. I wasn't going to write on it until the rule is actually published, but it's getting some press so I thought I should say something.
The original HIPAA Privacy Rule contained a provision requiring CEs to account for all disclosures of PHI; however, there are exceptions to the accounting requirement for disclosures for treatment, payment, or healthcare operations, disclosures directly to the individual, and disclosures pursuant to an authorization (this, in fact, effectively excludes from the accounting requirement all disclosures in most patient files). If you don't know, HITECH has a provision that removes the exception to the accounting requirement for disclosures relating to treatment, payment, and healthcare operations if the CE uses an Electronic Health Record (EHR). In other words, HITECH requires CEs that use EHRs to account for all disclosures for treatment, payment, and healthcare operations.
It seems obvious to me that the reason this was inserted into HITECH was based on the understanding by the statute-writers that any EHR will automatically tally the disclosures for treatment, payment, and healthcare operations, so accounting for them won't be a problem. Unfortunately, as we've come to find out, this just isn't true for most EHRs -- most do not have this functionality.
So, it will be very interesting to see how HHS deals with this in the regulations. The good news is that almost nobody ever requests an accounting of disclosures. The bad news is that HIPAA doesn't care if nobody asks, it still requires that you be able to do it if they do.
This is an old problem with HIPAA: an apparent lack of understanding of the industry by the people writing the statutes and regulations (to the great credit of the regulation writers at HHS, the problems really are with the statutes, not the regulations, and the reg writers are just stuck trying to put lipstick on pigs). In the original HIPAA statute, "health plans" were included as "covered entities;" this is interesting, since most corporate health plans and ERISA plans aren't "entities" at all in the common meaning of that term. Most ERISA plans are just that: plans. A flight plan, a floor plan, an evacuation plan; those are plans, not entities. They can't provide notices or adopt policies and procedures. Same with ERISA plans -- they are really a set of documents, not an entity. But HIPAA treats them like they are a thing, not an idea. I believe that the statute drafters in 1996 didn't know what they were talking about; they thought any health plan was an insurance plan, and therefore was an insurance company. The reg writers crafted the regulations to fix this problem, with references to "plan sponsors" and the like, but the underlying disconnect is still there.
Same with the EHR accounting rules. It's based on a faulty understanding of what EHRs can do. And while much of HITECH and healthcare reform is supposed to promote and encourage use of EHRs, things like this add heavy, stupid and useless burdens to those folks who are trying to comply. I dunno, but maybe if somebody had taken the time to READ THE BILL before passing it, this might've come up. Maybe not, but it would've been worth a try.
If it's true that we get the government we deserve, we must've done something really bad.
Jeff [10:23 AM]