[BreachExchange] Hospital Impact: Don't forget EHR 'loose ends'

Audrey McNeil audrey at riskbasedsecurity.com
Mon Dec 12 18:41:21 EST 2016


http://www.fiercehealthcare.com/it/let-s-not-forget-ehrs-loose-ends

Front-burner issues—such as interoperability, EHR-related risks to patient
safety, cybersecurity and other threats to privacy and security of patient
data—receive the lion’s share of attention, as well they should.

But there are many moving parts to health information technology and
electronic health records, and some of those that should be getting more
attention as the industry evolves still need to be addressed so
stakeholders can move forward.

For instance, does anyone remember the much-maligned proposed accounting
for disclosures rule for EHRs?

Patient records disclosures, accounting: A regulatory mystery

The HITECH Act, enacted in 2009, expanded the patient right to an
accounting for disclosures of their records when it came to electronic
patient information. Normally, an accounting did not include disclosures
for payment, treatment and operations.

But HITECH said that when it came to digital information, patients would be
entitled to an accounting of all disclosures for the previous three years,
including those pertaining to payment, treatment or operations. The theory
was that it would be easier to provide this information in electronic form.

But the industry is still waiting for the government to guide them on this
provision. The proposed rule, published in May 2011, was roundly criticized
for being unduly burdensome considering how few patients had been asking
for an accounting of disclosures. It was also criticized for overreaching
beyond the requirements of the statute and for not being technologically
feasible.

Some examples: The proposed rule would have created a new right to an
“access report,” expanded what had to be reported to patients and required
the identification of individual staff members who accessed EHRs, leaving
them potentially at risk of privacy violation claims from patients.

The controversial rule was reevaluated by ONC’s Health IT Policy
Committee’s Tiger Team in 2013. Since then? It's fallen by the wayside.

But nothing has replaced it. That may not be a big deal if very few
patients actually request an accounting for disclosures, which was the case
just a few years ago. But since the Office for Civil Rights has been trying
to get the word out to patients about their rights under HIPAA, and the
industry is trying to increase patient engagement in their health, more
patients will likely begin to ask for these accountings, and healthcare
organizations need guidance about how to satisfy the requirement.

Unique patient identifier: A forgotten patient safety threat

Another issue that should no longer be ignored is the unique patient
identifier. HIPAA, enacted in 1996, had required unique identification
numbers for patients, employers, plans and providers to improve quality of
care.

The industry has already instituted or is working on the other identifiers.
But Congress put a “temporary moratorium” on funding the patient identifier
back in 2000, and since then has refused to let the Department of Health
and Human Services (HHS) explore the possibility of using them, even though
HHS officials have admitted that it’s on a lot of people’s “wish list.”

Joy Pritts back in 2013 expressed her frustration and suggested that the
private sector might step in to help.

But that was three years ago—and it hasn’t happened.

Now data exchange is of the highest priority, but matching patient records
is exceedingly difficult.  Providers are routinely spending time mitigating
the effects of patient matching problems, some of them weekly.

Not only is that a waste of resources, it’s also a huge risk to patient
safety. At the least, HHS should be able to explore whether the patient
identifier is a feasible concept.

The future of health IT and some of the rules affecting them are in an
uncertain state. We don’t know what will happen to some of the laws that
regulate them, the programs that require them and the priorities that
impact them.

But these and other loose ends can’t be forgotten: They are part of the
cogs in the wheel and must be addressed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161212/f517135b/attachment.html>


More information about the BreachExchange mailing list