HHS Issues RFI on Accounting for Disclosures Through an EHR
HITECH provisions require HIPAA covered entities to account for PHI disclosures.
Guest commentary from Stephen W. Bernstein, Bernadette M. Broccolo, Esther Chang, Daniel F. Gottlieb and Karen S. Sealander, attorneys with the law firm of McDermott, Will & Emery, LLP
On May 3, 2010, the Office for Civil Rights of the U.S. Department of Health & Human Services (HHS) issued a Request for Information (RFI) on the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act that expand the requirements for accounting of disclosures of patients' protected health information (PHI) to include disclosures made through an electronic health record (EHR) for treatment, payment and health care operations purposes.
The HITECH Act requires HHS to issue rules governing this expansion and, in doing so, to balance the interest of individuals in learning the circumstances under which their PHI is being disclosed and the administrative burden of accounting for disclosures for treatment, payment and health care operations through an EHR. Comments received by May 18, 2010, in response to the RFI will assist HHS in developing a proposed rule on this topic.
Current Accounting Standard Under the HIPAA Privacy Rule
The current standards for the privacy of individually identifiable health information (Privacy Rule) adopted by HHS under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) grant patients the right to receive from a covered entity or its business associate an accounting of certain non-routine disclosures of their PHI within 60 days of the patient's request (with one 30-day extension available). This accounting right is limited to PHI disclosures made by a covered entity (and its respective business associates) for a maximum period of six years prior to the patient's request. Under the current Privacy Rule, a covered entity is not required to account for disclosures that are:
- for treatment, payment or health care operations;
- to the patient or the patient's personal representative;
- incident to otherwise permitted or required uses or disclosures;
- pursuant to a patient authorization;
- for the covered entity's facility directory or to persons (e.g., family members) involved in the patient's health care or health care payment;
- for disaster relief;
- for national security or intelligence purposes;
- to correctional institutions or law enforcement officials for certain purposes;
- part of a limited data set; or
- made prior to the HIPAA compliance date for the covered entity or business associate.
The accounting of disclosures report must include the date of the disclosure; the name of the entity or person who received the PHI, and, if known, the address; a brief description of the PHI disclosed; and a brief statement of the purpose of the disclosure or a copy of the request for the disclosure. For disclosures related to research projects involving more than 50 individuals, the covered entity may opt to provide a general summary about the disclosures (which may or may not include details about the patient's own PHI) and the research and research sponsor's contact information. Multiple disclosures to the same entity or person may be aggregated.
Covered entities must provide the first accounting of disclosures report free of charge but may charge patients a reasonable cost-based fee for additional requests by the same individual within the same 12-month period, provided the individual is informed in advance of the fee and is given the opportunity to withdraw or modify the request.
Expanded HITECH Accounting Requirements
The HITECH Act requires HHS to revise the Privacy Rule's current standard for accounting of PHI disclosures to require covered entities and business associates to account for treatment, payment and health care operations disclosures of PHI made through an EHR. This expanded accounting requirement is limited to disclosures made up to three years prior to the patient's request. Covered entities have the option of either including the EHR disclosures made by their business associates in the same accounting of disclosures report or providing patients with a list of their business associates who would then be required to provide an accounting directly to the patient. The list of business associates must include the contact information for each such associate (e.g., mailing address, phone number and e-mail address).
The compliance dates for this new EHR accounting requirement are staggered -- a covered entity's compliance date will depend on when it acquired its EHR. A covered entity with an EHR as of Jan. 1, 2009, must be able to provide an accounting of disclosures of PHI for treatment, payment and health care operations made on or after Jan. 1, 2014, but the Secretary of HHS has the discretion to delay this compliance date until a date no later than Jan. 1, 2016. A covered entity that acquired an EHR after Jan. 1, 2009, must be able to honor requests for an accounting of disclosures of PHI for treatment, payment and health care operations made on or after the later of Jan. 1, 2011, or the date the covered entity acquires the EHR, but the Secretary of HHS has the discretion to delay this compliance date to a date no later than Jan. 1, 2013.
The expansion of the current Privacy Rule to cover treatment, payment and health care operations disclosures requires covered entities and their EHRs to have the capacity to track, store and compile a vast amount of information. Producing an accounting of disclosures report under the new HITECH rules will be technically challenging and operationally burdensome, particularly for early adopters of EHRs with multiple information systems.
In its Jan. 13, 2010, interim final rule establishing the initial set of standards, implementation specifications and certification criteria for EHR technology, the Office of the National Coordinator of Health Information Technology (ONC), which is part of HHS, acknowledged that several significant challenges need to be addressed before it will be possible to record the necessary information about disclosures in an efficient manner. For example, the ONC noted the lack of any particular EHR technology for recognizing the difference between the internal use of PHI by a covered entity's workforce members and a disclosure to third parties. One estimate of compliance costs for a large health system is in the tens of millions of dollars for programming, storage, infrastructure development and maintenance, as well as personnel costs. It will be important for covered entities and business associates who expect to experience a large compliance burden to respond to the RFI and to comment on the forthcoming proposed rule.
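To make the reporting rules described above concrete, the following Python sketch is an added example; it is not part of the authors' commentary and not the code of any EHR product. It models a per-disclosure audit log carrying the fields the accounting report must contain (date, recipient and address if known, description of the PHI, purpose), separates internal workforce use from disclosure to a third party (the distinction the ONC flagged as hard to capture), skips the exempt categories, applies the six-year window to non-routine disclosures and, when the HITECH rule is switched on, the three-year window to treatment, payment and operations disclosures made through an EHR, and aggregates repeated disclosures to the same recipient. The purpose labels, field names and sample log entries are constructed assumptions, and the windows are a simplified calendar-year reading of the text.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed purpose labels mirroring the exemption list and the
# treatment/payment/health care operations (TPO) categories in the article.
EXEMPT_PURPOSES = {
    "to_patient_or_representative", "incident_to_permitted_use",
    "patient_authorization", "facility_directory_or_involved_persons",
    "disaster_relief", "national_security", "correctional_or_law_enforcement",
    "limited_data_set",
}
TPO_PURPOSES = {"treatment", "payment", "health_care_operations"}


@dataclass(frozen=True)
class DisclosureLogEntry:
    when: date
    recipient: str           # entity or person who received the PHI
    address: Optional[str]   # recorded if known
    description: str         # brief description of the PHI disclosed
    purpose: str
    via_ehr: bool            # True when the disclosure was made through the EHR
    internal_use: bool       # True for use by the covered entity's own workforce (a use, not a disclosure)


def years_before(d: date, n: int) -> date:
    """Same calendar day n years earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def accountable(entry: DisclosureLogEntry, request_date: date, hitech_ehr_rule: bool) -> bool:
    """Apply the exclusions and lookback windows described in the article."""
    if entry.internal_use or entry.purpose in EXEMPT_PURPOSES:
        return False
    if entry.when > request_date:
        return False
    if entry.purpose in TPO_PURPOSES:
        # Current Privacy Rule: TPO disclosures are not accounted for at all.
        # HITECH: TPO disclosures made through an EHR, up to three years back.
        return hitech_ehr_rule and entry.via_ehr and entry.when >= years_before(request_date, 3)
    # Other non-routine disclosures: up to six years back.
    return entry.when >= years_before(request_date, 6)


def build_accounting(log: List[DisclosureLogEntry], request_date: date,
                     hitech_ehr_rule: bool = False) -> List[dict]:
    """Produce accounting lines, aggregating repeated disclosures to the same recipient."""
    grouped = defaultdict(list)
    for entry in log:
        if accountable(entry, request_date, hitech_ehr_rule):
            grouped[(entry.recipient, entry.address, entry.purpose)].append(entry)
    report = []
    for (recipient, address, purpose), entries in grouped.items():
        entries.sort(key=lambda e: e.when)
        report.append({
            "recipient": recipient,
            "address": address,
            "purpose": purpose,
            "description": "; ".join(dict.fromkeys(e.description for e in entries)),
            "first_date": entries[0].when,
            "last_date": entries[-1].when,
            "count": len(entries),
        })
    report.sort(key=lambda r: (r["first_date"], r["recipient"]))
    return report


# Constructed sample log for one patient (fictitious recipients and dates).
SAMPLE_LOG = [
    DisclosureLogEntry(date(2013, 3, 1), "Regional Reference Lab", "1 Lab Way", "lab order", "treatment", True, False),
    DisclosureLogEntry(date(2013, 9, 1), "Regional Reference Lab", "1 Lab Way", "lab results", "treatment", True, False),
    DisclosureLogEntry(date(2010, 3, 1), "Statewide Payer", None, "claim", "payment", True, False),        # older than 3 years
    DisclosureLogEntry(date(2009, 8, 1), "State Health Department", None, "reportable condition", "public_health", False, False),
    DisclosureLogEntry(date(2014, 1, 1), "Attending physician (workforce)", None, "chart review", "treatment", True, True),
    DisclosureLogEntry(date(2013, 1, 1), "Patient", None, "record copy", "to_patient_or_representative", True, False),
    DisclosureLogEntry(date(2013, 5, 1), "Community Clinic (fax)", None, "referral", "treatment", False, False),  # not via EHR
]
REQUEST_DATE = date(2014, 6, 1)


def current_rule_report() -> List[dict]:
    return build_accounting(SAMPLE_LOG, REQUEST_DATE, hitech_ehr_rule=False)


def hitech_rule_report() -> List[dict]:
    return build_accounting(SAMPLE_LOG, REQUEST_DATE, hitech_ehr_rule=True)


if __name__ == "__main__":
    for label, rep in (("current rule", current_rule_report()), ("HITECH EHR rule", hitech_rule_report())):
        print(label)
        for line in rep:
            print(f"  {line['first_date']}..{line['last_date']} x{line['count']} "
                  f"{line['recipient']} ({line['purpose']}): {line['description']}")
```

Under the current rule only the public-health disclosure is listed; with the HITECH switch on, the two treatment disclosures to the lab appear as one aggregated line, while the payment disclosure older than three years, the faxed disclosure not made through the EHR, the workforce use and the release to the patient all stay out. The `internal_use` flag is the piece the ONC's comment says existing EHRs do not reliably capture; the report logic is only as good as the log's ability to tell a use from a disclosure.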
HHS Request for Information and Next Steps
The HHS Office of Civil Rights is in the process of meeting with various stakeholders on the administrative burdens and limitations of tracking EHR disclosures, as well as considering comments received from the general public through this RFI. After HHS reviews the responses to the RFI, a Notice of Public Rulemaking on the new accounting for disclosures regulations with a 60-day comment period is expected. Final rules would presumably follow shortly thereafter unless the Secretary of HHS utilizes her discretion to delay the effective dates by up to two years.
Mr. Bernstein is head of McDermott, Will & Emery's Health Industry Advisory Practice Group, specializing in e-health, deployment of EHR systems, health-related matters impacted by the Internet and HIPAA, as well as mergers, acquisitions, affiliations and joint ventures in the hospital and physician areas. He can be reached at sbernstein@mwe.com.
Ms. Broccolo serves as chair of the Life Sciences Division of the firm's Health Industry Advisory practice and advises clients on health industry relationship formation and realignments; health information technology acquisitions; electronic health information networks; conflict-of-interest compliance and overall corporate compliance programs. She can be reached at bbroccolo@mwe.com.
Mr. Gottlieb represents a wide range of health industry clients, advising them on compliance with federal and state health care laws as well as representing them in mergers, acquisitions, joint ventures, and other transactions involving physicians and other health care providers. He can be reached at dgottlieb@mwe.com.
Ms. Sealander has more than a decade of experience representing and counseling health care providers and others on legislative, regulatory and legal matters, and has special knowledge in matters relating to non-physician providers. She can be reached at ksealander@mwe.com.
Ms. Chang is based in the firm's Los Angeles office and is a member of the State Bar of California. She can be reached at echang@mwe.com.