Prescription: Washington

New Proposed HIPAA Disclosures Vex Health Care Players

Who Is Asking for the Information Anyway?
Stephen Barlas

Pharmacists are already concerned about various new federal requirements coming down the pike that would complicate pharmacy software systems. We’re talking about rules for things such as potential drug package verification and electronic health record (EHR) entries. Now there is another software hurdle appearing on the track: compiling audit records of people inside and outside the pharmacy who take a peek at a customer’s personal medical and pharmaceutical information.

That is one of the looming new requirements for both inpatient and out-patient pharmacies stemming from the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. Some HITECH provisions made changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Stakeholders throughout the pharmacy industry will be affected by the new HITECH requirements when they come into play, although there is no word yet on when the final rule with compliance deadlines will be published.

The HIPAA Privacy Rule affects covered entities such as physicians, health plans, hospitals and pharmacies, and their business associates—pharmacy benefit managers (PBMs), for example. When a patient makes a request, the entity must disclose to which third parties it sent that individual’s protected health information. Since 2000, there has been an exemption for disclosed information pertaining to treatment, payment, and health care operations (TPO).

The proposed rule that the Department of Health and Human Services (HHS) issued on May 31 suggested one expansion and one new disclosure that covered entities and business associates would have to make, both stemming from HITECH requirements:

  • The currently required accounting of disclosures (AOD) would have to include TPO information for the first time and indicate whether the AOD was made via either electronic or paper copy.
  • Individuals could, for the first time, request an access report of electronic-only disclosures of that person’s designated record set (DRS) information.
  • An access report would include the date and time of the access; the identity of the person accessing the information; and, if available, a description of the information that was accessed and what actions were taken (e.g., create, modify, view, or print) while the information was in the system.

The expanded AOD and new access report requirements have earned numerous detractors. The HHS views the compilation of an access report as a relatively easy, automated process and thinks that it will contain more useful information than an AOD, which would be more detailed and would have to be done manually—and thus would be expensive.

The College of Healthcare Information Management Executives (CHIME) disputes the notion that access reports will be quick and easy to assemble.

“CHIME is extremely concerned about the entire concept of access reports,” said Pam McNutt, Senior Vice President and Chief Information Officer at Dallas-based Methodist Health System and Chair of CHIME’s Policy Steering Committee. “We believe the access logs, report filters, and other technical specifications needed to generate an access report would be inconsistent or nonexistent across many clinical data sources that might be considered part of a designated record set.”

For these and other reasons, CHIME is urging rule-makers not to include access report requirements in the final rule. If rule-makers do include access reports in the new rules, CHIME believes that only data gathered through certified EHRs—not the full array of designated record sets—should be expected to populate such reports.

There are also numerous critics of the HHS’s conception of an expanded AOD. Daniel C. Walden, Senior Vice President, Compliance and Chief Privacy Officer, at Medco Health Solutions, Inc., says that AOD provisions and ensuing proposed regulations, if applicable to PBMs, would affect Medco’s ability to use patient-specific information. As such, this could delay access to care and, he says, “create an unnecessary increase in our paperwork burden.”

Rebecca Carlson, General Counsel Assistant and Privacy Officer at the Dean Health System, says that her hospital assembled a trial AOD for a patient. The AOD was 46 pages long, and it took from 40 to 50 hours to collect the data that are currently required in an AOD. Dean Health System did not compile the additional data that would be needed under the proposed rule, including pharmacy information.

Another problem with the potential AOD requirement is that the EHRs currently on the market do not account for TPO within a personal medical record, and the HHS stage 1 meaningful-use requirement—tied to the eligibility of physician practices and hospitals for federal health care information technology (HIT) incentive payments—does not require EHRs to do so. Moreover, only a handful of people have ever asked for the existing AODs established by the HIPAA Privacy Rule requirement from 2000. Since 2003, Medco has captured more than 13.6 million records in its AOD database. How many requests has Medco received for AODs in the past eight years? 13!

One wonders why Congress even expanded the requirement as part of the HITECH Act.