[ Wednesday, June 01, 2011 ]
One further note
on the new Accounting for Disclosures rule: Kirk Nahra made an interesting point on the AHLA HIT list: perhaps the intent of HHS in making the accounting rule so burdensome is to protect the "harm" threshold in the breach notification rule. The "harm" rule has been under attack by privacy advocates and congressmen, and may go away. But if HHS can impose a harsh accounting requirement (accounting requests are few and far between, so even if the rule is harsh, it won't happen enough to be truly burdensome), then it can justify keeping the breach notification rule easier, and maintain the "no harm" threshold for breach notification. Hmmmmm. . . . . . .
UPDATE: Katherine Keefe also points out that this rule may really catch health plans flat-footed and off-guard. They don't have EHRs. But they do maintain ePHI, and they maintain it in a way that would fit the definition of a designated record set. The access rule applies to all ePHI, regardless of whether it's in an EHR or not. Yikes.
Jeff [10:57 AM]
Blogger: HIPAA Blog - Edit your Template