HITPC Releases Tiger Team EHR Amendment/Correction Recommendations

The ONC Health Information Technology Policy Committee (HITPC) released the Privacy & Security Tiger Team (Tiger Team) recommendations concerning amendments and corrections to electronic medical records (EMRs) in a letter to HHS on July 25, 2011 (HITPC Letter).  The Tiger Team's two recommendations are:

  • Certified electronic health record (EHR) technology for Meaningful Use Stage 2 should have the capability to support amendments to health information as well as support compliance with HIPAA obligations to respond to patient requests for amendments, specifically (i) to make it technologically possible for providers to make amendments consistent with their obligations with respect to the legal medical record (e.g., access/view the original data and identify changes made); and (ii) attach any information from the patient and any rebuttal from the entity regarding disputed data.
  • Certified EHR technology for Meaningful Use Stage 2 should have the ability to transmit amendments, updates or appended information to other providers to whom data in question had previously been transmitted. 

The recommendations address the concerns of stakeholders regarding technological capabilities of EHR systems to assist covered entities in complying with HIPAA amendment and correction procedures for their EMRs.  They also address issues concerning data integrity and quality when correcting errors in patient information not at the request of the patient or communicating updates in patient information. 

HIPAA requires covered entities to comply with specific procedures for correcting or amending protected health information (PHI) within their records where a patient requests such correction or amendment.  In addition, the principle of "correction" was adopted by the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, which requires that individuals be provided with a timely means to dispute the accuracy or integrity of their health information.

The Tiger Team recommends that the HIT Standards Committee develop standards, specifications and criteria for the certified EHR technology, and that any technological capabilities be kept as simple as possible to start.  Capabilities could evolve over time and become more complex, including "potentially greater standardization and automation."  Most notably, the Tiger Team rejected placing affirmative obligations on providers to inform other providers and entities about errors which were not identified in response to a patient's request, citing the "range of different errors that could occur" and the potential difficulty in distinguishing between what was a difference in medical opinion and an actual error, deciding,

...Providers' existing ethical and legal obligations were sufficient to motivate them to use appropriate professional judgment regarding when to inform any known or potential recipients of amendments to health data.

Finally, the HITPC letter notes that the Tiger Team considered whether health information exchange organizations (HIOs) should be obligated to correct errors and transmit amendments or updates to affected providers where they may be responsible for such errors.  The Tiger Team has specifically sought input from the HITPC and will continue to research existing HIO policies prior to developing future recommendations on this issue. 

The full HITPC letter may be found here: HITPC Privacy & Security Tiger Team Amendment Recommendations

Maine Reverts Back to Opt-Out Approach for HIE

In my previous post (April 26, 2011), I discussed legislation proposed by privacy advocates in Maine which would require, among other things, that patients "opt-in" before any information could be collected, accessed or disclosed through Maine's HIE HealthInfoNet.  Although HealthInfoNet currently operates under the "opt-out" approach, privacy advocates had pushed for the legislation in order to more adequately safeguard patient privacy.  Stakeholders had decided early on in the HIE's development that opt-in was not practical and as such, patients would be automatically enrolled in the HIE.  Patients could then exercise their choice to opt-out and have their information deleted from the HIE's central data repository. 

After considerable push-back from HealthInfoNet, as well as physicians, hospitals and their respective professional associations, the Maine legislature has reconsidered and revised the proposal.

As rewritten, the proposed legislation would permit HealthInfoNet to continue operating on an opt-out basis, but would dictate specific rules for informing patients of their right to do so. Individuals would need to be provided with, at a minimum:

  • A separate form at the point of initial contact with a description of the risks and benefits of participating in the HIE;
  • A description of how and where to obtain more information or how to contact the HIE;
  • An opportunity for the patient to refuse to participate in the HIE; and
  • A declaration that health care treatment would not be withheld from the patient solely based upon the patient's refusal to participate in the HIE.

Although information regarding the HIE is currently included on provider and hospital Notice of Privacy Practices, many patients were not aware that their information was being exchanged through the HIE.  As Amy Landry, communications director at HealthInfoNet, acknowledged, "nobody reads the Notice of Privacy Practices." The proposed legislation reflects a compromise between concerns for patient privacy and awareness and the need of the HIE to have a large enough patient population to be of value to physicians and hospitals.

Furthermore, the proposed legislation would require confidentiality policies and procedures for protecting the confidentiality, security and integrity of health care information.  It would also require the HIE to maintain records of all disclosures made by and through the HIE in addition to requiring compliance with all applicable federal laws and regulations dealing with privacy, security and breach notification as defined by 45 CFR Part 160 and 164. 

The amended Bill (LD 1337) may be accessed here.  

Accounting of Disclosures Proposed Rule up for Review: The Beginning of a Collective Sigh of Relief or Covered Entities' Newest Nightmare?

Prepared by Krystyna H. Nowik, Esq.

The Office of Management and Budget (OMB) has finally received the long-awaited proposed rule addressing HITECH’s accounting of disclosure amendments.  As originally required by the HIPAA Privacy Rule, individuals had the right to request an accounting of disclosures made by a Covered Entity of their protected health information (PHI).  However, Covered Entities did not have to comply with requests for an accounting of certain disclosures, such as for those made for treatment, payment and health care operations (TPO) purposes.  With HITECH, however, came the removal of this exemption for TPO disclosures if the disclosure was made through an electronic health record (EHR) – what many Covered Entities felt was the beginning of one giant administrative and technological nightmare.

Public comment requested by the Office for Civil Rights (OCR), Department of Health and Human Services (HHS), back in May of 2010 sought to identify the burden this requirement would have on Covered Entities and their business associates, as well as the interests individuals had in obtaining an accounting of such disclosures.  In particular, the Request for Information asked for comment on current system capabilities and changes that would be needed, the feasibility of an exclusive EHR model, what elements would be required for inclusion in the accounting, and the ability of Covered Entities subject to the January 1, 2011 deadline, come and gone, to comply by then.

In response, the Medical Group Management Association (MGMA) called the new requirement for TPO disclosures through EHRs “onerous” and “extremely difficult to achieve without an enormous outlay of resources.” Reflecting concerns across the nation, the 21-page letter to the Director of OCR argued that:

  • Accounting for TPO disclosures imposed severe administrative burden on physician practices;
  • Low patient volume of accounting requests made expenditure of resources unreasonable;
  • Accounting for TPO disclosures was burdensome and unnecessary, resulting in needless burden and cost;
  • Accounting for TPO disclosures discouraged adoption of EHRs by physician practices.

Covered Entities still have a long wait ahead before seeing HHS’s much anticipated (and perhaps dreaded) proposed rule.  The OMB generally has up to 90 days to review proposed rules, which, if approved, are then published as Notices of Proposed Rulemaking in the Federal Register.