



Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
Community
Ask the community for help and clear up your study doubts
Discover the best universities in your country according to Docsity users
Free resources
Download our free guides on studying techniques, anxiety management strategies, and thesis advice from Docsity tutors
The negative consequences of HIPAA's accounting requirement for disclosures of protected health information on patient care and hospital operations. The document argues that the current method imposed on hospitals to ensure compliance with this requirement is unnecessarily burdensome and diverts resources from patient care. The American Hospital Association (AHA) proposes solutions to address the paperwork burden, including modifying the regulatory language to exclude certain disclosures from the accounting requirement.
Typology: Summaries
1 / 6
This page cannot be seen from the preview
Don't miss anything!
Hospitals certainly support efforts to enable patients to learn more about the information that hospitals must report to America’s trusted public health officials. The regulatory requirements for “accounting of disclosures of protected health information,” found in §164.528 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) medical privacy regulations, create a number of serious negative unintended consequences on patient care and essential hospital operations. HHS must develop an approach to the accounting requirement that meets the information needs of patients yet remains workable for the hospitals that provide them with care.
The Problem with the Accounting Requirement
While the accounting for disclosures requirement in the HIPAA medical privacy rule is intended to provide patients with meaningful information about what hospitals share with public health agencies, the method imposed upon hospitals by the current HIPAA regulations to ensure that such a laudable objective is achieved is unnecessarily burdensome. Hospitals are currently required to report information for dozens of critically important and widely accepted health- related purposes, such as tracking births and deaths, cancer patterns, child abuse, and defects in medical devices. As currently drafted and interpreted, the HIPAA requirements for accounting for disclosures will require hospitals to create a burdensome paperwork system to account for these numerous and frequent disclosures of information reported to public health authorities.
The HIPAA accounting for disclosures requirements only add to hospitals’ enormous existing regulatory paperwork burdens that already consume 30 minutes to one hour for every hour of patient care and would divert unnecessarily millions of dollars from patient care. Moreover, according to state public health officials, the requirements could discourage hospital participation in important public health initiatives, including new reporting initiatives to detect potential bioterrorism related outbreaks and measure and improve patient safety.
Solutions to Address the Significant Paperwork Burden Imposed by the Accounting Requirement
To respond directly to the specific challenge from Department of Health and Human Services (HHS) Secretary Tommy Thompson that hospitals should propose solutions to address any negative unintended consequences on patient care and essential operations created by the HIPAA medical privacy standards, the AHA offers the following approaches as concrete solutions to address the significant burdens imposed by the regulatory requirements for accounting of disclosures.
Regulatory Change. It would be preferable for HHS to modify the regulatory language of the HIPAA medical privacy rule to explicitly exclude the disclosures that hospitals must report to
America’s trusted public health officials from the accounting for disclosures requirement and thereby eliminate the unjustifiable paperwork burden on hospitals that the requirement imposes. Since HHS is limited to making only annual modifications to the HIPAA medical privacy regulations, the AHA urges HHS to issue without delay such a rule change proposal in order to ensure that the necessary modifications to the rule are completed and applicable to hospitals’ compliance efforts as soon as allowable.
Interpretative Guidance on the Regulatory Requirement. Following are brief descriptions of the distinct categories of disclosures that arguably should be excluded entirely from the accounting requirements or for which an alternative simplified form of accounting should be allowed as well as those limited few that would remain subject to the full accounting of disclosures requirements:
Disclosures that are not required to be included in an accounting of disclosures to a specific individual
y Disclosures for covered functions that support a covered entity’s ability lawfully to provide treatment to individuals or to be eligible to pay or be paid for health care are health care operations. (Q&A #1)
y Public health disclosures that do not include direct identifiers do not pertain to a specific individual or action to be taken with respect to an individual and do not provide a reasonable basis to believe that the recipient could use the information to identify the individual. (Q&A #2)
y In disclosures for reviews preparatory to research, the disclosure is incidental to the research preparation and the reviewer is prohibited from removing any information from the premises of the covered entity and is prohibited from taking any action with respect to the individual. (Q&A #4)
y Disclosures for research pursuant to an Institutional Review Board or Privacy Board waiver of authorization under which direct identifiers must be removed or destroyed by the researcher before use of the data for research do not provide any reasonable basis to believe that the information can be used to identify the individual and the researcher is prohibited from taking any action with respect to the individual. (Q&A #5)
Disclosures for which an alternative, generalized method of accounting to a specific individual is most appropriate
y An alternative, generalized accounting provides the most appropriate method for informing an individual of public health reporting that involves direct identifiers where the reporting is triggered by a disease or condition that is itself noted in the protected health information maintained by the covered entity. (Q&A #3)
AHA Attachment
Frequently Asked Questions
Q1: Are disclosures of protected health information to auditors, licensing authorities, inspectors and investigators that are necessary for a covered entity to continue operating and to be eligible to receive payment for health care services considered health care operations?
A1: Yes. Disclosures of protected health information that a covered entity makes to a government entity, an entity acting under a grant of authority from a government entity, or third party payors are considered health care operations, as they are necessary for the covered entity to retain its license, continue its operation or receive payments for health care from a payor, including Medicare or Medicaid. Health care operations are defined as those that relate to covered functions. The disclosures described above relate to covered functions because they enable the covered entity to continue to be a health care provider, health plan or health care clearinghouse and support a covered entity’s ability lawfully to provide treatment to individuals or to be eligible to pay or be paid for health care. These health care operations disclosures do not relate to a specific individual or affect public or private actions taken with respect to an individual, and based on the Notice of privacy practices, may be expected to occur as appropriate. As such, they are not required to be included in an accounting of disclosures to a specific individual.
Q2: Are public health reports that do not include direct identifiers relating to an individual (as defined in 45 C.F.R. 164.514(e)(2)) subject to the individual accounting requirements?
A2: No. Public health disclosures that do not include direct identifiers do not pertain to a specific individual or action to be taken with respect to such individual. Where such disclosures are made to an entity in accordance with 45 C.F.R. 164.512(b), there is no “reasonable basis to believe that the information can be used to identify the individual” as is required for the reported information to be considered “individually identifiable health information” as defined in 45 C.F.R. 160.103. As such, public health disclosures that do not include the direct identifiers are not considered disclosures of protected health information; they do not relate to a specific individual or affect public or private actions taken with respect to an individual, and based on the Notice of privacy practices, may be expected by all to occur as appropriate. As such, they are not required to be included in an accounting of disclosures to a specific individual.
Q3: What is the form required for an accounting of disclosures of protected health information made for public health purposes?
A3: Public health reporting pursuant to § 164.512(b) that involves direct identifiers (e.g., births, deaths, communicable diseases) relates to a specific individual or may affect public or private actions taken with respect to an individual and thus is subject to the
AHA Attachment
individual accounting of disclosures requirements. Where the public health reporting requirement is triggered by a disease or condition that is itself noted in protected health information maintained by the covered entity, the requirement of an accounting can be satisfied by the covered entity by one of two methods: (1) an individualized report of all disclosures of a specific individual’s protected health information, or (2) a generalized report. To use the generalized reporting method, the covered entity must make available a Public Health Accounting Report that includes the following information for every type of public health disclosure the covered entity makes: (1) the name of the entity or person who receives the protected health information and, if known, the address of such entity or person (e.g., State Health Department); (2) a brief description of the protected health information disclosed (e.g., birth; PKU result; specific disease diagnosis); (3) a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure (e.g., to report births for State tracking); and (4) the general time frame within which such disclosures typically occur (e.g., births are reported within 24 hours of the birth). When using the generalized method for public health disclosures, each individual accounting should state that to the extent the individual had a condition or event included in the Public Health Accounting Report of reportable public health conditions or events, the law and institutional policy require the individual’s protected health information to be disclosed as provided in the generalized report of public health disclosures. Covered entities are not required to review the individual’s record to determine whether the individual had a birth, communicable disease, cancer or some other reportable condition or event. Providing the generalized report and explanation regarding reportable conditions or events meets the requirements for an accounting and strikes the right balance between an individual’s right to be informed and the administrative burden on covered entities.
Q4: Are uses and disclosures of information for reviews preparatory to research ( C.F.R. 164.512(i)(1)(ii) subject to the individual accounting requirements?
A4: No. In order to provide access to protected health information for reviews preparatory to research, the covered entity must prohibit the reviewer from removing any information from the premises of the covered entity, and require the reviewer to represent that access to the information is being sought solely to prepare for research. The reviewer’s exposure to identifying information is incidental to the research preparation, the reviewer is bound to protect the confidentiality of the reviewed information, and the reviewer is prohibited from taking any action with respect to the individual. As such, reviews preparatory to research are not required to be included in an accounting of disclosures to a specific individual.
Q5: Are disclosures for research pursuant to a waiver of authorization by an Institutional Review Board or Privacy Board in accord with 45 C.F.R. 164.512(i)(1)(i) subject to the individual accounting requirements?
A5: Yes, if the IRB or Privacy Board has allowed the researcher to obtain and maintain direct identifiers for research purposes. This is a disclosure of information pertaining to a specific identifiable individual. However, in granting a waiver of authorization, an IRB or Privacy Board is required to obtain “adequate written assurances that the protected