To help guide the Health and Human Services Department in tightening rules for health information privacy, HHS has asked providers, payers and consumers to comment on the benefits and burdens of accounting for the disclosure of protected health information, even if the data is intended for treatment and billing purposes.
The HITECH Act called for HHS to strengthen the privacy rule of the Health Insurance Portability and Accountability Act (HIPAA). With the changes, providers, plans and their business partners will have to account for disclosures of patient information contained in an electronic health record, even if the data is for healthcare provision and payment.
HHS' Office of Civil Rights (OCR), which oversees health information privacy, published a request for comments in the May 3 Federal Register "to inform our regulations under the HITECH Act," according to the announcement.
Under HIPAA, providers and plans currently do not have to report releases of protected data when the disclosures are related to patient treatment, payment and healthcare operations. HHS said in the notice that it will remove the exemption for those disclosures when it involves an electronic health record (EHR).
Accounting for disclosures also could become part of the standards and certification criteria for the meaningful use of electronic health records.
OCR reported that the Office of the National Coordinator received comments to its rulemaking on EHR certification recommending that a standard requiring EHRs to capable of recording the date, time, patient identification and description of disclosed information should also include the recipient and purpose of the disclosure, the notice said.
Some providers already use an EHR system that generates an accounting for disclosures under current HIPAA rules for data other than treatment, billing and operations data.
OCR wanted to hear from those providers to determine what it would take for their systems to also account for disclosures used to carry out treatment, billing and healthcare operations.
OCR also seeks feedback from individuals about the importance of knowing the purpose for which providers or plans shared their data.
