HIPAA rule thrusts EHR users into uncharted territory

The final HIPAA omnibus rule, slated to be published in the Federal Register tomorrow, impacts electronic health records in many significant ways. But the new rule also delves into some uncharted territory that may trip up the unwary provider.   

For instance, the rule expands the definition of business associate to entities that merely maintain patient protected health information. So EHR data repositories and cloud-based EHR vendors that previously have argued they were not subject to HIPAA now must comply with the law, according to Elizabeth Litten, an attorney with Lawrenceville, N.J.-based firm Fox Rothschild who spoke with FierceEMR. Since some of these entities are newcomers to the HIPAA world, she says, they may not yet have processes in place yet to protect patient PHI adequately, such as training staff and conducting risk analyses. That increases the risk that the confidentiality of such data may be violated.  

The new rule also clarifies that a business associate's subcontractors also must comply with HIPAA. That's great in theory, but how will the provider know if a subcontractor is even working for the business associate, let alone whether the business associate is policing the subcontractor regarding HIPAA compliance? You may not know that your EHR or PHR vendor has engaged a third party to move PHI or upgrade some hardware and will have access to your patients' data. There's still continued push back from subcontractors who claim that they're not subject to HIPAA, Litten says.    

And what if a business associate or subcontractor is holding your patients' PHI somewhere offshore? That's a big issue with cloud-based EHRs and other repositories, especially if there's a security breach or other HIPAA violation. How would a provider protect itself and hold the violators accountable in that instance?

"Remember it's the covered entity that still notifies [the U.S. Department of Health & Human Services]," attorney Michael Kline, also of Fox Rothschild, told FierceEMR.

Then there's the provision that requires a provider to comply with a request from a patient to not submit a claim to a health plan if the patient has paid for the treatment out of pocket. The proposed rule had suggested that providers be required to segregate the data into a separate part of the EHR and report the restriction to downstream providers, such as pharmacists. The final rule requires only that the provider "flag" the restriction in the patient's record.

But how can that be accomplished with an EHR? Would the flag go in the free text section? Would a special field need to be created for it? It's clearly a HIPAA violation if the flag doesn't work. "You better have a really good flag," Kline says.

What is clear is that covered entities are going to make mistakes and trip up, especially in the developing world of EHRs and other health IT. "I'm sure things will come up that people haven't thought of," Litten says.  

It's also clear that the costs to comply will be greater than those outlined in the rule itself, Kline warns. But the actual cost--hard and soft--is also yet to be determined. - Marla (@FierceHealthIT)