A compliance and privacy officer posted (on a LinkedIn discussion forum) a multi-part question on EHR Accounting of Disclosures, the definition of a disclosure, effective dates and tracking EHR disclosures.
My response: I’m very interested in responses to your questions, because during a second interview with a security officer at a hospital (for a privacy officer position), he became confrontational when he gave me a hypothetical scenario of a nurse and PHI disclosure and then asked me if that was a breach–and said, by the way, “there is no right or wrong answer.” I don’t know if this will help you, but the information I have applies to both CEs and BAs and states as to “compliance dates” “Promulgate rule defining elements to include in accounting of disclosures with six months of a definition defined by the HIT Policy Committee” and “If EHR implemented by 1/1/2009, effective 1/1/2014” and “if EHR implemented after 1/1/2009, effective 1/1/2011 or when implement EHR.” Under HHS Responsibility: “Define elements included in EHR accounting of disclosures” and “Promulgate rule regarding effective date (may be later than dates included in ARRA but no later than 2016 and 2013 respectively).” Also, under “General Requirements, Accounting of Disclosures from an EHR,” “Accounting of disclosures from an EHR that includes disclosures for treatment, payment and healthcare operations only includes disclosures for the three year period prior to the date the accounting is requested (Section 13405(c)(1)).”
The question seems to be: have the HIT Policy Committee and HHS adopted standards for accounting for disclosures? Only then (and this would be 6 months later) is the HHS required to promulgate the rule in terms of required information in an accounting of disclosures. Evidently, these rules MAY only require disclosure of information collected through an EHR in a way that takes into account the interests of the individuals in learning the reason their PHI was disclosed. And Section 13405(c)(2) states the rule must account for the administrative burdens associated with accounting for EHR disclosures.
I see your problem here. I don’t see any content on tracking these disclosures, so assume that would be a process determined by the CE and BA. Hopefully our very much appreciated compliance gurus will jump in here and set us all straight!
I would appreciate input from compliance professionals who may be able to shed light on what seems to be a very gray area.