I’ve been reading some things about ARRA’s changes to HIPAA. I’ve heard a number of times the phrase that “ARRA has now given teeth to HIPAA.” I’ve also heard grumblings about a change in the HIPAA requirement that an EMR account for disclosures. I’ve been trying to get a number of experts on HIPAA to do a guest post on these various changes with no success, but I’ll keep trying.
However, I recently heard that the accounting for disclosures is even more stringent than I had thought about before. From what I’ve heard, the law will now require that you are storing and able to report on the disclosure of a patients health information to both internal and external sources. The external sources is something that we’ve done forever and is really not a problem. The challenge is accounting for the internal disclosure of the HIPAA information. Not to mention displaying that information in a nice report.
Let’s say for example, a nurse pulls up a list of patients during a search for a patient by last name. Does the EMR need to know all of the people that were in that list that could have been seen by the nurse? Do you need to audit how long the nurse had that list open? I’m sure there are more situations like this that seem to be required by the new HIPAA laws.
I actually saw a demo of a hospital EMR that recorded this type of granular auditing. I have a feeling many EMR software aren’t even close to this type of tracking.
I’m also reminded of my post talking about the number of users who legitimately access a patient’s chart. In that post I talk about the number of people who can mess up the chart. Now let’s think about the audit logs that will be required for all of those people who are accessing each granular part of a patient’s record.
I’d love to hear people’s thoughts on this subject and any clarifications on things I’m misunderstanding. No doubt we’re going to hear more about this in the future.
You are right many EMRs do not have ANY internal tracking. Medscribbler records every action of open, read, print, alter etc of every part: progress note, Rx-ing etc according to every logged on user with time and date. Not perfect but MOST EMRs for primary care have very little or nothing.
While I agree that there is a strong need for HIPAA laws to protect patient information, it sounds as if ARRA may be going a bit overboard. How will health care professionals ever be able to effectively and efficiently do their jobs if they have to think about every time they access patient records? Wow…
Jill,
I don’t think that health care professionals will have to think every time they open it. The EMR will take care of all the tracking and it should be able to say that you opened it and within a few seconds closed it. So, no one will ask questions there. However, the price to monitor and report on all of this stuff is expensive to build into an EMR and so that price will be passed on to the healthcare professionals.
My question is will the government have the right to access or request audit logs from doctors using EMR?
Ryan,
I’m not a lawyer, so don’t take what I say as legal advice. However, it seems quite clear that there will be times when doctors will have to provide audit logs from their EMR system. That seems pretty much inevitable for me. I expect there will be a whole industry of expert witness testimony on EMR software. That last part is just my guess.