ARRA Accounting for Disclosures

Posted on October 2, 2009 I Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’ve been reading some things about ARRA’s changes to HIPAA. I’ve heard a number of times the phrase that “ARRA has now given teeth to HIPAA.” I’ve also heard grumblings about a change in the HIPAA requirement that an EMR account for disclosures. I’ve been trying to get a number of experts on HIPAA to do a guest post on these various changes with no success, but I’ll keep trying.

However, I recently heard that the accounting for disclosures is even more stringent than I had thought about before. From what I’ve heard, the law will now require that you are storing and able to report on the disclosure of a patients health information to both internal and external sources. The external sources is something that we’ve done forever and is really not a problem. The challenge is accounting for the internal disclosure of the HIPAA information. Not to mention displaying that information in a nice report.

Let’s say for example, a nurse pulls up a list of patients during a search for a patient by last name. Does the EMR need to know all of the people that were in that list that could have been seen by the nurse? Do you need to audit how long the nurse had that list open? I’m sure there are more situations like this that seem to be required by the new HIPAA laws.

I actually saw a demo of a hospital EMR that recorded this type of granular auditing. I have a feeling many EMR software aren’t even close to this type of tracking.

I’m also reminded of my post talking about the number of users who legitimately access a patient’s chart. In that post I talk about the number of people who can mess up the chart. Now let’s think about the audit logs that will be required for all of those people who are accessing each granular part of a patient’s record.

I’d love to hear people’s thoughts on this subject and any clarifications on things I’m misunderstanding. No doubt we’re going to hear more about this in the future.