OCR: HIPAA changes to impact EHRs

The upcoming changes to HIPAA operations and enforcement will have a significant impact on electronic health records, according to the leaders of the U.S. Department of Health & Human Services' Office for Civil Rights (OCR).

The "omnibus" final HIPAA rule, which combines updates to HIPAA's privacy, security, breach notification and enforcement provisions, was sent to the Office of Management and Budget on March 24, according to Susan McAndrew, Deputy Director for Health Information Privacy at OCR, speaking at the 20th National HIPAA Summit in Washington, D.C. this week. OMB is expected to review the mega rule, which McAndrew also called "one big mother of a final regulation," within the next 90 days, after which it officially will be released, she said.

Some of the changes McAndrew highlighted in her presentation will directly impact how providers use EHRs. They include:

  • Business associate responsibilities being finalized: That means that agreements with EHR vendors, who typically are business associates, may have to be changed.
  • Limits and prohibitions on the marketing and sale of protected health information (PHI): Since some EHR vendors require providers to share their data with the vendors for these purposes, this will need to be reviewed and modified.  
  • Increased ability of patients to obtain access to their records electronically and information requests being directed to a third party: "This is part of the spirit to help promote EHRs and PHRs so individuals have robust access to their essential health information," McAndrew noted.

OCR's increased emphasis on enforcement, which will intensify, will also have a significant impact on EHRs, since only one-fourth of the major breaches on HHS' "wall of shame" involved paper, according to OCR Director Leon Rodriguez, who also spoke at the conference.

While Rodriguez didn't single out EHRs as the least secure repository of patient data, he did say that all of the enforcement cases brought to date involved a "series of failures that made that vulnerability possible."

"If the privacy and security of health information is not protected, it will change the way people use healthcare and affect outcomes," Rodriguez warned.