HIPAA Accounting of Disclosures and EHRs: How the Rules are Changing and What Your Systems Need to Provide

Instructor: Jim Sheldon Dean
Webinar Id: 800038

Duration: 90 Minutes

  • Recorded
  • Only for one participant ?
  • Price $245.

Overview:

The session will walk the listener down the path from the current HIPAA Accounting of Disclosures rule, through the HITECH Act's required changes, and the into the proposed rule to implement HITECH which goes beyond what was required in the law and establishes a new right to an Access Report of all electonic PHI. First the current rule will be explained and issues pertaining to that will be discussed, followed by an explanation of the changes the HITECH Act calls for. Expected impacts from the law will be discussed, and then the proposed rule will be presented, with an explanation of the impacts from the proposed requirements.

  • The session will explain what information is subject to the accounting of disclosures requirement, and how individuals should be able to request and receive such accountings. The kinds of disclosures that are exempt from the accounting will be described, particularly highlighting changes from the current requirements. The necessity for tracking disclosures that must be and must not be accounted for will be explained 
  • Accounting of Disclosures calls on much of what should be in place to meet HIPAA Security safeguards requirements and to meet Meaningful Use requirements for receiving federal funding for EHR usage. Accounting of Disclosures, HIPAA Security compliance, and Meaningful Use are all linked together to support good security practices. However, many systems that are not formal EHRs are indeed covered by the proposed definiton for providing an accounting and many of these may not have the kinds of electronic tracking systems necessary to produce an accounting. It may be feasible to meet HIPAA Security audit requirements without having to use an electronic audit trail that could be the basis for an access report, so not all electronic systems can readily provide an access report. We'll talk about the impacts and issues involved with the limited audit ability of many systems.
  • The features that must be available in new systems and the questions to ask system vendors will be described, and some insights into how you can retrofit existing systems will be discussed.  
  • The process for responding to requests for accountings of disclosures will be related to the regulations that require it, and the supporting policies necessary will be outlined, including identifying changes that will be necessary in the Notice of Privacy Practices.  
  • The role of business associates who maintain or support your EHR will be discussed, and the extension of the accounting out to them by way of their use of Designated Record Set data will be explored, including potential necessary changes to business associate agreements. 
  • The session will leave you with a list of tasks to help you get started with your organization's compliance even in advance of the final rule on the changes."
Why you should attend:
  • The HIPAA Privacy Rule, which went into effect in 2003, required that entities keep track of all the disclosures they make of Protected Health Information (PHI) outside of those necessary for Treatment, Payment, and Healthcare Operations (TPO). In the days when health information was primarily hard copy-based, the limitation on tracking disclosures to those outside of TPO was quite reasonable, as it could be difficult or impossible to track every individual who looked at a paper record. But the HITECH Act included a change in the exception, by requiring Electronic Health Record (EHR) systems to keep track of disclosures made for all reasons, including those for TPO, beginning January 1 of 2011 for systems installed in 2009 or 2010. Older installations have more time under the law to include this capability, but now individuals can request a full accounting of disclosures, including TPO, from EHRs, and every entity that maintains electronic records must be prepared to comply with such requests. 
  • Now a new proposed rule to implement the the law alters some important aspects of HIPAA as expected but also goes in new directions by calling for patient-designed access reports for their electronic data, including not only information in a formal electronic medical record, but also any electronic data in the Designated Record Set. Some of the issues may include:
    • The definition of a Designated Record Set in this context
    • The use of an Access Report covering all uses and disclosures vs. an Accounting of Disclosures
    • The presumption that electronic Access Reports can be generally available for all systems
    • Current methods of complying with HIPAA Security audit requirements vs. what would be needed to provide reports to individuals
    • New additions to the list of disclosures excluded from an accounting
    • Timetable of changes in the rules vs. implementation times and expense of implementation
    • Cost of implementation vs. benefit -- can the expected utilization of this right be balanced with the expense?
    • Business Associate impacts -- response time to generate an Access Report so the entity can respond within 30 days
Areas Covered in the Session:
  • How the rules of Accounting of Disclosures used to work
  • What used to be necessary to be able to respond to requests for accountings
  • How electronic health records change the landscape of accounting for disclosures
  • What the new electronic systems can keep track of, and what they can't
  • How having systems that meet HIPAA Security Requirements for auditing and activity review can help you meet the new requirements to account for all disclosures, even those for treatment, payment, and healthcare operations
  • What the new rules require you to do to respond to requests for accountings of disclosures
  • How the new accounting of disclosures relates to the systems you use to track health information
  • What your systems vendors should be doing to help you meet the new requirements for accounting of disclosures
  • The format and content of the information that is provided to the individuals who ask for an accounting
  • The policies you need to support the new requirements
    • Learn about the Accounting of Disclosures requirements in HIPAA and under the new proposed rule
    • How Accounting of Disclosures works now
    • What's in the HITECH Act for Accounting of Disclosures
    • What’s in the new proposed rule on Accounting of Disclosures
    • How Accounting of Disclosures, the HIPAA Security Rule, and Meaningful Use of EHRs for incentive funding are all connected
    • What needs to be done now to prepare for changes
Who Will Benefit:
  • Compliance director
  • CEO
  • CFO
  • Privacy Officer
  • Security Officer
  • Information Systems Manager
  • HIPAA Officer
  • Chief Information Officer
  • Health Information Manager
  • Healthcare Counsel/lawyer
  • Office Manager

Speaker Profile
Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities.

Sheldon-Dean serves on the HIMSS Information Systems Security Workgroup, has co-chaired the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and is a recipient of the WEDI 2011 Award of Merit. He is a frequent speaker regarding HIPAA and information privacy and security compliance issues at seminars and conferences, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference in Washington, D.C.

Sheldon-Dean has more than 30 years of experience in policy analysis and implementation, business process analysis, information systems and software development. His experience includes leading the development of health care related Web sites; award-winning, best-selling commercial utility software; and mission-critical, fault-tolerant communications satellite control systems. In addition, he has eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.


You Recently Viewed