In the world of mountain climbing, it is well-known that those who race to the top as quickly as possible without taking the necessary steps are doomed to fail. Thinning oxygen levels coupled with harsh conditions at high altitude compel successful climbers to take the right gear and acclimate at base camp. Similarly, it can be overwhelming to try to throw yourself headfirst into the world of EMRs without taking stock and adjusting to the new system. Preparation minimizes the risks involved in the ascent toward the ultimate goal, as it has for generations of mountain climbers.
In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health Act (HITECH) as part of the American Recovery and Reinvestment Act (ARRA) to expand upon HIPAA regulations pertaining to electronic transmission of health information. Given the significant increase in EMR/EHR adoption, it is important to proactively manage the transition from manual to electronic logging when distributing protected health information (medical records with patient identification). In fact, both HIPAA and the HITECH Act mandate that all providers implement consistent and compliant logging of all health information releases.
Currently, HIPAA requires the accounting to include the items below for each disclosure (164.528(b)(2)):
- The date of the disclosure;
- The name of the entity or person who received the protected health information and, if known, the address of such entity or person;
- A brief description of the protected health information disclosed; and
- A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure.
- A copy of the request for health information or a brief statement of the purpose of the disclosure
A few summary areas of how the HITECH Act changed the HIPAA regulations:
- They closed HIPAA's exemption of privacy rules for electronically transmitted medical records
- There are new breach of information notification requirements in the transmission of EMRs
- Breaches affecting a number of individuals must be made public and reported to the Department of Health and Human Services
- Of special note: Healthcare providers must now manage all aspects of tracking electronic disclosure, including information pertaining to carrying out treatment, payment and health care operations, and provide them to individuals requesting an accounting of disclosures for a period of three years prior to the date on which the accounting is requested
I will be covering these issues in more detail in discussions to come. For a complete list of modifications to HIPAA under the HITECH Act, click here.
A few suggested steps for your journey up the EMR compliance mountain:
- Implement an automated release of information system, logging both electronic and paper records disclosed
- Incorporate all faxing of health information into a centralized release of information process
- Maintain electronic images of the request for health information as part of your automated logging system