November 4, 2002

Full Disclosure
By Fred Schade

Healthcare organizations need to be savvy when it comes to meeting HIPAA’s stringent accounting of disclosures provision.

Although healthcare organizations have spent considerable time analyzing the effects of the accounting of disclosures (AOD) provision under the Health Insurance Portability and Accountability Act (HIPAA), confusion exists regarding the scope of this provision. Compliance teams at covered entities initially thought the AOD provision could be fulfilled through the release of information (ROI) process within the HIM department. However, a significant number of non-HIM disclosures (ie, disclosures that do not involve the release of tangible records) are made from other departments within the entity. These disclosures must also be tracked under HIPAA and must be aggregated with all other disclosures made from all other departments—including HIM. These requirements are not trivial and must be carefully reexamined by compliance teams to meet privacy standards.

Section §164.528 of the HIPAA Privacy Rule grants “individuals a right to receive an accounting of all disclosures of protected health information [PHI] about them by a covered entity for purposes other than treatment, payment, and healthcare operations.” The accounting is required to include “disclosures of protected health information that occurred during the six years prior to the date of the request for an accounting.” Plainly stated, this regulation grants all patients the right to know when, why, and to whom a covered entity has disclosed their PHI for a minimum of six years.

This seems like a simple requirement at first glance. In fact, compliance teams at many covered entities believed that the AOD requirement could be fulfilled as a small addition to the ROI process in the HIM department. This approach, unfortunately, will be impractical for most healthcare organizations because HIPAA requires that disclosures from many departments—in addition to HIM—be tracked.

A few types of non-HIM disclosures that must be tracked include those made for research purposes, government agencies, law enforcement agencies, health oversight agencies, and public health authorities. These disclosures must be tracked whether they are made verbally, electronically, or in paper form (Section §164.501 to 164.514, §164.528 Discussion of Comments). For example, when a doctor calls a state child welfare agency to report the suspected abuse of a minor, such disclosure must be tracked even though the disclosure is verbal.

Several types of disclosures are excluded from the AOD reporting requirements (see “Items Specifically Excluded From AOD”). Ironically, the recent modifications to the final rule also excluded authorization-based disclosures commonly processed by the HIM department. Per these modifications, Intermountain Health Care (IHC), a well-respected integrated delivery network (IDN) based in Salt Lake City, Utah, compiled an internal inventory of all disclosures made throughout its enterprise. IHC estimated that non-HIM disclosures will account for more than 80% of the disclosures required under the rule. Referring to the modification, Mary Staub, director of health information services, IHC, says, “HIM disclosures were the one part of AOD that we felt we had covered pretty well.” Clearly, responsibility for compliance with the AOD regulations should not be placed solely on the HIM department.

In addition to accounting for disclosures in each department, an enterprise with multiple facilities in different geographic locations must also be able to coordinate all disclosures from each facility into a single AOD report. The following example illustrates this requirement: An IDN has facilities in four states. At various times, a patient has received care at the IDN’s hospitals and clinics in all four states. To provide the patient with a complete AOD report, the covered entity must be able to aggregate all disclosures of the patient’s PHI from all facilities in all four states. This requirement holds true for affiliated, hybrid, and single-covered entities with multiple locations. (Organized Health Care Arrangements are not required to account for facilities outside their immediate organization.)

Another important component of the AOD provision is that covered entities must enable certain law enforcement or health oversight agencies to request a Suspension of Accounting of Disclosures. This provision offers a means by which these agencies can investigate fraud and other criminal activities of a patient without the patient being aware of the scrutiny—for a period of time (Section §164.528). Healthcare providers, therefore, must have an additional mechanism to track suspension of AOD requests and exclude those disclosures during the requested period of time.

One class of disclosure that has received particular attention is disclosures made for research purposes. In the Final Rule, research disclosures were to be accounted for in the same manner as all other disclosures. Each record disclosed to a research protocol required an individual accounting.

In an attempt to simplify the requirement for tracking research-based disclosures, the final modifications to the Privacy Rule proposed an alternative accounting method. In the modified rule, covered entities that participate in large (at least 50 records) Institutional Review Boards (IRBs) may choose to “provide individuals with a list of all protocols for which the patient’s protected health information may have been disclosed for research…” (Final Modifications Section §164.528). Additionally, the covered entity is required to assist the individual in “contacting those researchers to whom it is likely that the individual’s PHI was actually disclosed.”

Considering the complexity of tracking these data in this manner, along with the requirement to assist patients in contacting researchers as far back as six years, this procedure could become burdensome. Furthermore, trying to correlate a patient’s diagnoses with all probable protocols over the six-year period would be onerous. Assuming that an entity could effectively manage these correlations, the difficulty in contacting researchers from six-year-old studies to find out if a patient’s PHI was actually disclosed would be an overwhelming task.

Based on this analysis, entities that participate in IRBs would be best served by tracking the disclosures made for research purposes in the same manner as all other disclosures. In fact, the final modifications indicate that Health and Human Services intends to monitor the usefulness of this “streamlined” accounting procedure and even encourages covered entities to account for research disclosures in the same manner as all other disclosures.

Compliance with these complex regulations is required for all departments in all covered entities. How can compliance teams ensure that physicians, nurses, business office personnel, social services employees, front-line receptionists, and so many others are properly reporting disclosures? Assuring compliance from such a diverse group of professionals is a daunting task. Compliance teams at covered entities must carefully consider how they will monitor and assure compliance with such a complex provision that touches so many employees within their enterprise.

Compliance teams are faced with a looming deadline and a problem more complex than originally anticipated. The search for an acceptable and permanent solution should already be underway. What attributes should the model solution contain? It should enable an enterprise to quickly aggregate data from across the enterprise, provide the data to the patient in a timely manner, provide a mechanism for management to track compliance, and do so within realistic budget constraints prior to the mandated deadline. The following are a few common solutions being considered by covered entities:

• Paper list or card system. The simplest approach calls for the use of a paper list or card system. Under this proposed solution, a card or sheet is filled out by hand and eventually placed in the patient’s medical record for storage each time a disclosure is made from any department. While this may be adequate for very small, single-location clinics and practices, it is not recommended for larger enterprises with multiple facilities, each with several departments. The paper trail, tracking, recording, recall, and compilation of data would make such a solution unscalable and therefore untenable for all but the smallest of covered entities.

• Electronic spreadsheets. Another approach is to use electronic spreadsheets to track all disclosures. Such a system would provide for easier transferability of disclosures between departments than a paper-based system. But, ultimately, this solution carries with it the same inherent problems that a paper-based system does for entities that are larger than a few physicians. In essence, a spreadsheet is an electronic version of the paper method mentioned above. Each time an AOD report is requested, data must be recorrelated by hand. The resulting duplication of effort is only slightly less problematic than with the paper method.

• Build a software solution in-house. Many large enterprises may choose to build their own system addressing their specific needs. Should an enterprise select this route, it should consider up-front costs and development time in the face of the fast-approaching compliance deadline. Furthermore, the enterprise should consider the ongoing costs of maintenance and support, integration with other hospital information systems, and the costs associated with a temporary lack of focus on core business functions.

• Outsource. A final option is to contract with a vendor that provides a complete solution: one that is cost-effective, compliant with HIPAA guidelines, and can have the solution implemented prior to the April 2003 deadline.

Solutions to the AOD puzzle should be tailored to the specific needs of each healthcare organization, whether large or small. For small healthcare organizations (up to 10 doctors), a manual solution of either paper or electronic spreadsheets may be adequate. For larger organizations, an electronic solution, whether built in-house or outsourced, is likely the only viable solution. In either case, organizations of all sizes should first evaluate the many departmental sources—whether HIM or non-HIM—of disclosures of PHI. Doing so will help define the scope of the AOD problem. Only when the extent of the task is understood can detailed requirements for a solution be generated. Finally, these requirements should help in deciding on a long-term solution that matches the organization’s needs so that preparations for implementation can begin immediately.

— Fred Schade is the CTO and privacy officer and Matthew Cottrell is vice president and founder at MediConnect.net, Inc., a health information solutions and technology company that provides a comprehensive and cost-effective accounting of disclosures solution. They can be reached at 888-483-5679 or by e-mail at fschade@mediconnect.net or mcottrell@mediconnect.net.

Copyright © 2008 Great Valley Publishing Co., Inc.
3801 Schuylkill Rd • Spring City, PA 19475
Publishers of For the Record
All rights reserved.