New accounting-of-disclosures requirements expand concern beyond health information management.
There are so many films that make use of the metaphor of the ship at sea: “Jaws,” “The Perfect Storm” and, of course, “Titanic.” In each of these films, the ship or boat represents the strength and integrity of the characters as they battle against the odds to keep their vessels seaworthy. While the Orca, the Andrea Gail and the Titanic all met their match in the formidable forces of nature, seafarers must also consider smaller, less dramatic threats.
Benjamin Franklin is quoted as once saying, “Beware the little expenses. A small leak will sink a great ship.” When it comes to stipulations from the HITECH Act of 2009, the same might be said for the accounting of disclosures: “Beware even the smallest disclosures. …” These words to the wise point to the fact that it's often the disclosures that seem insignificant that can create big problems for health systems.
Today, even good intentions can quickly turn into a serious breach of a patient's protected health information (PHI) if not properly handled. A major regulatory change that affects how health systems handle disclosures is the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, Improved Privacy and Security Provisions; Section 13405; “Restrictions on Certain Disclosures and Accounting of Certain Protected Health Information Disclosures.” The privacy rule specifies the ways in which health systems and covered entities use and disclose protected health information, including for research purposes.
Effectively, these new regulatory changes stipulate that health systems and their business associates are required to provide full accounting of disclosure of a patient's PHI, no matter how small the disclosure, except of course disclosures related to treatment, payment and operations (TPO). The further explanation of these regulations indicates that disclosures are “required to be limited to the limited data set or the minimum necessary.” In other words, health systems should only disclose information that is pertinent to the reason for a request for disclosure of the protected health information.
Similarly, there are guidelines for disclosures that must be provided in the written accounting, which itself must be kept for six years from the date of disclosure. Disclosures that must be documented in HIPAA accounting include those that are for public health activities and reporting, about victims of abuse, neglect or domestic violence, for health oversight activities, in response to a court order, for law enforcement purposes, and to a medical examiner, funeral director or for cadaveric organ donation, to name a few.
With the complexity of sections and subsections in the changed regulation, it's easy to see how improper disclosure can quickly become a concern. The problem for the organization isn't simply the impropriety of the disclosure, but also the devastating effects of such disclosures. When a disclosure is made without the proper documentation or tracking, it becomes a leak, not only in the integrity of that patient's PHI, but also in the entire hospital or health system. In effect, when a covered entity fails to put in place the appropriate systems for documenting and tracking disclosures, that entity becomes susceptible to regulatory fines, civil lawsuits and reputation damage.
What was an already difficult process has become exponentially more complex, and hospitals and health systems must ensure that their procedures and systems for the tracking and recording of disclosures are leakproof. This includes ensuring the structural integrity of the system and making sure that areas that may be susceptible to leaks are sealed with appropriate protection. A main component of this complexity relates to the channels through which health information is transacted in today's healthcare environment. Previously, the majority of a hospital's disclosures required to have proper accounting were made within the health information management (HIM) department through requests for medical records or PHI. This department is equipped with years of competence, tools, training and professional support to manage this effectively.
Today, with the expanded accounting-of-disclosures requirements, almost every department within the hospital or health system is responsible for disclosures that are in need of proper tracking. Within a single hospital, disclosures of a patient's medical record may be handled by a radiology department, laboratory or a business office as well as an HIM department. As dictated by HITECH, many of these requests must be recorded and accounted for, so that a patient can see an audit of which individuals and entities have accessed his or her medical record and for what reasons. Yet it's highly likely that departments that are focused more directly on patient care would be less thoroughly trained in HIPAA regulations, and therefore inadequately equipped to handle disclosures according to the most recent stipulations.
When a hospital takes all the necessary steps to implement a comprehensive process to ensure that even the smallest disclosures are tracked and documented in accordance with HIPAA guidelines, the likelihood of leaks and breaches to patient PHI can be significantly reduced, if not eliminated.
About the author
Don Hardwick is director of compliance and field operations, MRO Corp. For more information on MRO solutions: http://www.mrocorp.com.