It's time to revamp the EHR accounting for disclosures rule

The Sept. 23, compliance deadline for the "omnibus" rule implementing most of the amendments to HIPAA stemming from the 2009 HITECH Act is fast approaching. But there's still one major provision of HITECH that needs to be finalized, and it's a doozy for providers who use electronic health records: the new accounting for disclosures provision.

This provision expands a patient's right to an accounting of disclosures of his or her health records when the records are stored in an EHR. Now, a patient can obtain an accounting of all disclosures. Under the old law, disclosures were exempt if they were for payment, treatment or operations.

But the proposed rule implementing this section of the HITECH Act--published in the Federal Register May 31, 2011--went farther than the statute itself, creating a new right for patients to obtain an "access report," expanding what needed to be reported to "uses," as well as "disclosures" and leaving employees who legitimately accessed a record vulnerable to privacy complaints.

Many in the industry slammed the proposed rule, calling it "burdensome" and "unnecessary," and asked that it be withdrawn, particularly since so few patients have bothered to ask for an accounting of disclosures in the 17 years HIPAA has been on the books. There also have been concerns that some EHRs simply don't have the technological capability yet to comply with the proposed rule.

"They chose the least used piece of HIPAA and made it hardest to comply with," attorney Kirk Nahra from Wiley Rein in Washington, D.C., said at the joint HIPAA security conference held by the U.S. Department of Health & Human Services Office for Civil Rights and the National Institute of Standards and Technology in May. "It's an enormous compliance and financial challenge."

Nahra added that he'd throw out the proposed rule, calling it "unworkable."

That's why it's heartening to see that HHS is reevaluating the rule, rather than blithely finalizing it.

OCR has asked ONC's Health IT Policy Committee Privacy and Security Tiger Team to hold a virtual hearing on the rule.  Originally slated for Sept. 6, the team at its Aug. 19 meeting pushed the hearing back to Sept. 30.  The hearing is scheduled to last several hours.

The Tiger Team has not yet publicized what specific topics and questions will be covered at the hearing, although it predicted that the hearing will be "spirited."

But the fact that HHS is willing to gather more information about the proposed rule and basically reopen the comment period more than two years after rule was published is very telling. The proposed rule just may be too ambitious, despite advances in technology.

And it may be that HHS has been accused of exceeding its authority by creating a rule that goes beyond the statute.

In the Aug. 19 meeting, David Holtzman, OCR's senior health IT and privacy policy specialist, acknowledged that it currently could not be forecast when the final rule would be forthcoming, and implied that the final rule was not imminent.  

It's not often that the industry gets a second bite at the apple. If you want this rule changed, weigh in. Contact the Tiger Team. Attend the hearing

HHS is listening. Let's take advantage of it. - Marla (@MarlaHirsch)