It’s been a very interesting few weeks for privacy protection under HIPAA. Just in case you haven’t had a chance to catch up on them, here’s what’s going on. The OCR has announced the protocols under which it’s going to perform audits required by HITECH.
Here’s how OCR is going to check both you and business associates for compliance with the HIPAA Privacy Rule, Security Rule and Breach Notification Rule. Here’s a summary from the Beyond Healthcare Reform blog from lawfirm Faegre Baker Daniels:
|Privacy Rule||Security Rule|
|Notices of privacy practices||Administrative Safeguards|
|Right to request privacy protection for PHI||Physical Safeguards|
|Access to PHI||Technical Safeguards|
|Uses and disclosures of PHI|
|Amendment of PHI|
|Accountings of disclosures|
Meanwhile, there’s the matter of the temperature being turned up on your relationship with your business partners. As things stand, maintaining HIPAA-level control over information once it leaves your facility or office is hard enough. Since 2009, HITECH has required covered entities and business associates to disclose if they’d used information on patients — including for treatment, payment or operations — if the access was through an EMR.
While that’s sticky to enforce, it mostly affects providers, not the business associates in most cases. But things could get a little trickier going forward. A new proposed rule would now require a basic access report applying not just to EMRs, but also to uses and disclosures of e-PHI in a designated record set.
As the Beyond Healthcare Reform blog notes, this could mean that health plans and business associates (if they have a designated records set) would have to provide the access reports for everything, including treatment, payment and operations.
I doubt any of us are surprised to see OCR getting tougher on data sharing; in fact, I’d argue that it’s overdue. The question is whether in the mean time, the near-daily data breaches we see (stolen laptops with unencrypted data, lost data disks) still haunt us. Scary times.