Over 30 years of reporting on Congress, federal agencies and the White House for corporate America as well as national trade and professional associations.

New Proposed HIPAA Disclosures Vex Healthcare Players


P&T Journal, September 2011

 
Pharmacists are already concerned about various new federal requirements coming down the pike which would complicate pharmacy software systems. We're talking about things such as potential drug package verification and electronic health record (EHR) entries. Now there is another software hurdle appearing on the track: compiling audit records of people inside the pharmacy and outside who take a peek at a customer's personal medical and pharmaceutical information.

That is one of the looming new requirements for both in- and out-patient pharmacies stemming from the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. Some HITECH provisions made changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Players throughout the pharmacy industry will be affected by the new HITECH requirements when they come into play. No word yet on when the final rule with compliance deadlines will be published.

The HIPAA Privacy Rule requires covered entities such as physicians, health plans, hospitals and pharmacies, and their business associates (pharmacy benefit managers, for example), to disclose, when a patient makes a request, which third parties they sent that individual's protected health information to. There has been an exemption since 2000 for disclosed information pertaining to "treatment, payment, and health care operations (TPO)."

The proposed rule the Department of Health and Human Services issued on May 31 suggested one expanded and one new disclosure covered entities and business associates would have to make, both stemming from HITECH requirements: (a) the currently required accounting of disclosures (AOD) would have to include TPO information for the first time, where the AOD was made via either electronic or hard copy; and (b) individuals could, for the first time, request an access report of electronic-only disclosures of that person's designated record set (DRS) information. An access report would include the date and time of the access, the identity of the person accessing the information, and, if available, a description of the information that was accessed and what actions were taken while in the system (e.g., create, modify, view, print).

The expanded AOD and new access report requirements have earned numerous detractors. The HHS views compilation of an access report as a relatively easy, automated process, and thinks it will contain more useful information than an AOD, which would be more detailed and would also have to be compiled manually, and so would be expensive.

The College of Healthcare Information Management Executives (CHIME) disputes the notion that access reports will be quick and easy to assemble. “CHIME is extremely concerned about the entire concept of access reports,” said Pam McNutt, Senior Vice President and Chief Information Officer at Dallas-based Methodist Health System and chair of CHIME’s Policy Steering Committee. “We believe the access logs, report filters, and other technical specifications needed to generate an access report would be inconsistent or nonexistent across many clinical data sources that might be considered part of a DRS. For these and other reasons, CHIME is urging rule-makers not to include access report requirements in the final rule. If rule-makers include access reports in the new rules, CHIME believes that only data gathered through certified EHRs, not the full array of designated record sets, should be expected to populate such reports.”

There are numerous critics, too, of the HHS's conception of an expanded AOD. Daniel C. Walden, Senior Vice President, Corporate Compliance and Privacy Officer, Medco Health Solutions, Inc., says, "Accounting of Disclosure provisions and ensuing proposed regulations if applicable to PBMs would impact Medco’s ability to utilize patient-specific information and as such could delay access to care and create an unnecessary increase in our paperwork burden."

Rebecca Carlson, General Counsel Assistant and Privacy Officer, Dean Health System, says her hospital assembled a trial AOD for a patient, and it was 46 pages long. It took somewhere between 40 and 50 hours to assemble the data currently required in an AOD. And Dean did not compile the additional information which would be required under the proposed rule, including pharmacy information.

Another problem with the potential AOD requirement is that the EHRs currently on the market do not account for TPO within a personal medical record, nor does the HHS stage 1 meaningful use requirement (tied to the eligibility of physician practices and hospitals for federal HIT incentive payments) require EHRs to do so. Moreover, only a handful of people have ever asked for the existing AODs established by the 2000 HIPAA Privacy Rule requirement. Since 2003, Medco has captured over 13.6 million records in its accounting of disclosures database. How many requests has Medco received for AODs in the past eight years? Thirteen!

One wonders why Congress even expanded the requirement as part of the HITECH Act. But these days, many of the things Congress does raise questions about its ability to formulate sound public policy.