HITECH Privacy Compliance Gets Trickier – Meaningful Use Monday

Posted on July 9, 2012 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

It’s been a very interesting few weeks for privacy protection under HIPAA. Just in case you haven’t had a chance to catch up on them, here’s what’s going on. The OCR has announced the protocols under which it’s going to perform the audits required by HITECH.

Here’s how OCR is going to check both you and your business associates for compliance with the HIPAA Privacy Rule, Security Rule and Breach Notification Rule. Here’s a summary from the Beyond Healthcare Reform blog from law firm Faegre Baker Daniels of the areas the audit protocol covers:

Privacy Rule
- Notices of privacy practices
- Right to request privacy protection for PHI
- Access to PHI
- Administrative requirements
- Uses and disclosures of PHI
- Amendment of PHI
- Accountings of disclosures

Security Rule
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards

Meanwhile, there’s the matter of the temperature being turned up on your relationship with your business partners. As things stand, maintaining HIPAA-level control over information once it leaves your facility or office is hard enough. Since 2009, HITECH has required covered entities and business associates to disclose whether they’d used information on patients — including for treatment, payment or operations — if the access was through an EMR.

While that’s sticky to enforce, it mostly affects providers rather than business associates. But things could get a little trickier going forward. A new proposed rule would require a basic access report covering not just EMRs, but also uses and disclosures of e-PHI in a designated record set.

As the Beyond Healthcare Reform blog notes, this could mean that health plans and business associates (if they maintain a designated record set) would have to provide access reports for everything, including treatment, payment and operations.

I doubt any of us are surprised to see OCR getting tougher on data sharing; in fact, I’d argue that it’s overdue. The question is whether, in the meantime, the near-daily data breaches we see (stolen laptops with unencrypted data, lost data disks) will still haunt us. Scary times.