Accounting of Disclosures

A compliance and privacy officer posted (on a LinkedIn discussion forum) a multi-part question on EHR Accounting of Disclosures, the definition of a disclosure, effective dates and tracking EHR disclosures. 

My response: I’m very interested in responses to your questions, because during a second interview with a security officer at a hospital (for a privacy officer position), he became confrontational when he gave me a hypothetical scenario of a nurse and PHI disclosure and then asked me if that was a breach–and said, by the way, “there is no right or wrong answer.” I don’t know if this will help you, but the information I have applies to both CEs and BAs and states as to “compliance dates” “Promulgate rule defining elements to include in accounting of disclosures with six months of a definition defined by the HIT Policy Committee” and “If EHR implemented by 1/1/2009, effective 1/1/2014” and “if EHR implemented after 1/1/2009, effective 1/1/2011 or when implement EHR.” Under HHS Responsibility: “Define elements included in EHR accounting of disclosures” and “Promulgate rule regarding effective date (may be later than dates included in ARRA but no later than 2016 and 2013 respectively).” Also, under “General Requirements, Accounting of Disclosures from an EHR,” “Accounting of disclosures from an EHR that includes disclosures for treatment, payment and healthcare operations only includes disclosures for the three year period prior to the date the accounting is requested (Section 13405(c)(1)).”
The question seems to be: have the HIT Policy Committee and HHS adopted standards for accounting for disclosures? Only then (and this would be 6 months later) is the HHS required to promulgate the rule in terms of required information in an accounting of disclosures. Evidently, these rules MAY only require disclosure of information collected through an EHR in a way that takes into account the interests of the individuals in learning the reason their PHI was disclosed. And Section 13405(c)(2) states the rule must account for the administrative burdens associated with accounting for EHR disclosures.
I see your problem here. I don’t see any content on tracking these disclosures, so assume that would be a process determined by the CE and BA. Hopefully our very much appreciated compliance gurus will jump in here and set us all straight!

I would appreciate input from compliance professionals who may be able to shed light on what seems to be a very gray area. 


About Julie

My credentials include a Master's Certificate in Health Informatics, a CHPSE certification (Certified HIPAA Privacy and Security Expert), and certification in HL7 (Health Level 7). The multidisciplinary approach to equipping myself to enter the healthcare IT sector is consistent with my professional background in sales, management, healthcare, and recruiting. I also have a BA in Organizational Psychology from the University of Michigan, which has been invaluable in my professional life for excelling in sales, change management, and laying down an excellent foundation from which I was able to build effective communication skills with professionals of all levels.

Posted on April 2, 2011, in HIPAA, HITECH, Policies, Questions.
