HIPAA Privacy Rule Accounting of Disclosures under HITECH

Tuesday 31 May 2011
Today's Federal Register includes the Office of Civil Rights (OCR) Notice of Proposed Rulemaking (NPRM) modifying the HIPAA Privacy Rule's Accounting of Disclosure requirements for protected health information. OCR was required to make these modifications to the HIPAA Privacy Rule to implement the requirements under the Health Information Technology for Economic and Clinical Health Act (HITECH) section of the ARRA.
HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act, Office for Civil Rights, Notice of Proposed Rulemaking (76 FR 31426, May 31, 2011)
The regulations greatly expand the responsibility for health care covered entities and business associates to document and track the use and disclosure of health information held in an electronic health record (EHR). Health care providers and business associates should plan to thoroughly review these new regulations to understand the impact on their existing policies and procedures.

The regulations outline new procedures for accounting of disclosures of health information held in an electronic health record and disclosed for treatment, payment, and health care operations (as defined under HIPAA). The accounting period under the proposed regulations is three years. The proposed regulations focus on two rights for individuals -- a right to an accounting of disclosure and a "new" right to an access report. The new access report does not distinguish between a use (think internal use by a health care provider) and disclosure (providing the information to a third party). Instead the new right to an access report focuses on whether someone "accessed" the information in the EHR.

Previously under HIPAA, uses and disclosures for treatment, payment, and health care operations (commonly referred to as "TPO") were exempt from the accounting of disclosures requirements. The requirement for accounting for some limited uses and disclosures has always been a part of the HIPAA Privacy Rule.

The rule proposes separate compliance dates for the changes to the accounting of disclosures requirements (180 days after the effective date of the final rule - 240 days after publication of the final rule) and for the right to receive an access report (beginning January 1, 2013, for any EHR system acquired after January 1, 2009 and January 1, 2014, for any EHR system acquired on or before January 1, 2009).

My initial comments above are based upon a quick review of the proposed regulations. Official comments on the NPRM must be submitted on or before August 1, 2011.

Practical Guidance on Medicare Physician Signature Requirements

Tuesday 24 May 2011
I was recently researching the physician signature requirements under the Medicare program and found this resource outlining some of key questions and answers around the requirements.

The Centers for Medicare & Medicaid Services Medicare Learning Network has issued a fact sheet on Comprehensive Error Rate Testing (CERT) Signature Requirements with the Q and A. Also mentioned in the guidance as a resourceis the Medicare Learning Network's MLN Matters Article MM6698, "Signature Guidelines for Medical Review Purposes."

FSB Welcomes Tom Clark

Sunday 22 May 2011
A warm welcome to J. Thomas "Tom" Clark who recently joined Flaherty Sensabaugh Bonasso PLLC as Senior Counsel. Tom is a welcomed addition to our corporate practice group and will help to expand the level of representation that we provide our health care, oil and gas, coal and banking industry clients.

Tom comes to FSB with over 10 years of experience in handling business organization and commercial transactions. Tom received his undergraduate degree from Virginia Tech in 1993 and his J.D. from the University of Pittsburgh in 1997.

HITECH Final Regulations Update: Coming Soon!

Thursday 12 May 2011
Susan McAndrew, deputy director for health information privacy at the Office for Civil Rights (OCR) indicated this week that various final regulations modifying the HIPAA privacy and security rules required by the Health Information Technology for Economic and Clinical Health Act (HITECH) will be issued soon. Health lawyers have been waiting on these regulations to better understand the full impact of the HITECH changes to HIPAA, including whether the "harm standard" will remain a part of the Interim Final Rule on breach notification.

According to a Health Information Security News article, McAndrew made this announcement this week while speaking at the 2011 NIST HIPAA Conference, Safeguarding Health Information: Building Assurance through HIPAA Security, held in Washington.

The article also indicated that a separate NPRM will be issued announcing the approach OCR plans to take regarding the accounting for disclosure modifications under the HITECH Act. The HITECH Act modified the traditional rule regarding those types of uses and disclosures that must be accounted for by health care providers and covered entities. Under the traditional rule -- health care providers did not have to provide an accounting of disclosure for uses and disclosures for treatment, payment, and health care operations. However, the modification by the HITECH Act now requires health care providers who utilize an electronic health record system (EHR)to provide, upon request, an accounting of disclosure of all uses and disclosures including those for treatment, payment, and health care operations which occurred within the last three year period. Of further interest will be how the NPRM suggests how business associates who obtain PHI from health care providers must also track and maintain a list of uses and disclosures for accounting of disclosure requests.

WVCLE: Health Care Law 2011 Seminar

Tuesday 10 May 2011
The West Virginia Continuing Legal Education Section of WVU College of Law will be sponsoring Health Care Law 2011 Seminar on May 20, 2011, in Charleston, West Virginia at WVU Medical Center - CAMC.

The Health Care Law 2011 Seminar will cover a variety of topics of interest to West Virginia health care attorneys. Topics include: Medical Mapractice Update, Protecting Medicare's Interest Under Section 111 and Mandatory Reporting Requirments, Risk Management Topics for Hospitals, Development and Update on ACOs, HIPAA/HITECH Update and Anatomy of a Health Care Data Breach, Stark and Fraud Abuse Update, and Lawyers and Law Firms as Business Associates.

I will be speaking on the changes to HIPAA under HITECH. The title for my presentation is "Anatomy of a Breach: Practical Tools to Handle a Breach and HIPAA/HITECH Updates."

Learn more about the seminar and how to register here.