The HITECH Act provisions of the federal economic stimulus law expand an individual’s right to receive an accounting of disclosures of protected health information ("PHI"). As a result, the new law also expands a covered entity’s obligations with respect to accounting for disclosures. While the HIPAA Privacy Rule currently excepts from the accounting requirement those disclosures of PHI made for purposes of treatment, payment and health care operations, under the HITECH Act, if a covered entity uses or maintains an EHR, this exception does not apply to disclosures of that EHR.
The HITECH Act also provides for a grace period for compliance with these new accounting requirements, including an extended grace period (until January 1, 2014) for those covered entities who began using EHRs prior to January 1, 2009. For those covered entities who acquire an EHR after January 1, 2009, the new accounting requirements apply to disclosures made on or after the later of January 1, 2011 or the date that the covered entity acquired the EHR.
I have two questions for you HIT professionals:
1. Maintaininng an accounting of all disclosures of PHI contained in an EHR sounds very burdensome, if not impractical. What do you think?
2. Assuming that the EHR accounting requirements are doable, do you think that the timeframes provided under the HITECH Act for phasing in these requirements are reasonable?
Any feedback would be much appreciated.
