Confidentiality, Privacy and Security

Accounting of Disclosure Tracking...

  • 1.  Accounting of Disclosure Tracking...

    Posted 06-06-2019 13:11
    ​Some of this info is new to a few at our system.  Below is a snippet from a recent article in May regarding tracking of electronic releases.

    Follow the accounting for disclosures require­ment. The HITECH Act of 2009 amended HIPAA to require providers to account for disclo­sures for treatment, payment or operations made in the past three years at a patient's request if the dis­closure was through an electronic health record. Previously providers did not have to account for disclosures for treatment, payment or operations.

    OCR had published a proposed rule in 2011 to imple­ment this new requirement; after incurring considerable backlash the agency shelved it and has yet to issue a new one. However, despite the lack of specific guidance regarding how to comply with this obligation, it has been effective law since 2010, so providers need a mechanism to track these electronic disclosures to other providers and deliver them when a patient requests the information.  


    While there is electronic tracking of releases from our EMR, some are asking even if for TPO this must be tracked if released electronically?  I am now verifying that there are also tracking mechanisms in place for HIE releases that other providers may gather, ROI does track when something is faxed to a provider.  Guess I was not totally aware that this was enforced since 2010.  Any input would be greatly appreciated.  Thanks.

    ------------------------------
    Barb Beckett, RHIT, CHPS
    System Privacy Officer
    Saint Luke's Health System
    bbeckett@saintlukeskc.org
    ------------------------------


  • 2.  RE: Accounting of Disclosure Tracking...

    Posted 06-07-2019 08:39
    Based on my practical experience, I RARELY have had experiences with patients requesting an accounting of disclosure.  I have been in this position 2 1/2 years and not one request.  Prior to that I served as a Privacy Compliance person for a large system and we rarely saw them.   Yes, patients want to know who accessed their health records and are thinking it means they can get an audit of that.  We will audit for cause and complaint but we do not share audits with patients - just results.

    I always feel there is a level of caution about how much to put into this particular requirement of  HIPAA.   I believe if you can reasonably provide the information to the patient through a chart audit, that would meet the intent.   Implementing a system to track activity for literally thousands of records when the chance of a request is slight....

    ------------------------------
    Nancy Davis, MS, RHIA, CHPS
    Director of Compliance & Safety
    Door County Medical Center
    ------------------------------



  • 3.  RE: Accounting of Disclosure Tracking...

    Posted 06-07-2019 10:27
    Thanks Nancy.  We see maybe 3-5 requests a year but not sure we included releases to providers that were done electronically as typically excluded anything releases for TPO.  Am checking to see if others are doing this and was aware of this 9 year requirement.  Not sure we are able to retrieve data prior to our EMR go live in 2014.  Could be a challenge.

    ------------------------------
    Barb Beckett, RHIT, CHPS
    System Privacy Officer
    Saint Luke's Health System
    bbeckett@saintlukeskc.org
    ------------------------------



  • 4.  RE: Accounting of Disclosure Tracking...

    Posted 06-09-2019 04:54
    Basically you two are spot on. As you know Barb, we have a module in PrivacyPro dealing with AOD requests. few ever used it. But we've seen an uptick in interest. And now since the Epic app for quick tracking of disclosures across the house (non-HIM ROI disclosures) seems in some ways lacking, we have been contracted to build a quick tracking mechanism and we've agreed to do so. One of the fields we'll track is whether its "T', 'P' or 'O' disclosure. This could become very important should anything come of the RFI AHIMA just answered from OCR that asked about breaking Operational disclosures out from Treatment and Payment. Seems to me OCR is thinking AOD is under used and/or the items are changing and there may be more use for AOD in the future. Of course, that kind of administrative burden of separating O from TP could sink any new rules, like access reporting did in 2011, but who knows. At least we'll have a quick, easily reported on mechanism to allow anyone house side to track a few fields about any disclosures they make.

    ------------------------------
    Kelly McLendon, RHIA, CHPS
    Managing Director
    CompliancePro Solutions
    kmclendon@complianceprosolutions.com
    321-268-0320
    ------------------------------