EHRs play signifcant role in HIPAA omnibus rule
While the patient privacy, breach notification and other provisions of HIPAA's final omnibus rule, unveiled last week, have received a lot of attention, a number of important provisions that directly affect electronic health records and related health information technology have received little fanfare. They include:
- Health information exchanges (which the rule calls health information organizations) and electronic prescribing gateways will be considered business associates and thus directly subject to many of HIPAA's privacy and security provisions. The obligation applies upon creation of the business associate relationship, not when a business associate agreement is signed. A personal health record vendor may or may not be a business associate, depending on the services that the vendor is providing to the covered entity.
- Business associate agreements are necessary despite this new direct liability [i.e. EHR vendors that qualify as business associates need to sign these contracts]
- A provider does not have to use an EHR to comply with the new rule, but if the provider does use an EHR, patients have the right to obtain copies of their records in electronic format, in a form requested by the patient. If that format is not available, then the format provided shall be as agreed upon by the provider and the patient. The provider can only charge the patient the labor costs involved.
- The final rule sets 30 days (down from 60) for providers to provide patients with access to their records, but "encourages" providers to take advantage of their technologies and provide them sooner, considering that the Meaningful Use program contemplates much faster access than 30 days.
- If a covered entity belongs to a HIE, and the HIE suffers a breach, the covered entity is the one obligated to notify patients. However, since multiple covered entities may be involved due the data sharing inherent in an HIE, the covered entities may delegate to the HIE the notification obligation since that way a patient will only receive one notice.
The U.S. Department of Health & Human Services itself acknowledged the relationship between the new HIPAA requirements and health IT, specifically referring in its announcement the need to protect patient information "in an ever expanding digital age."
The HIPAA omnibus rule is slated to go into effect March 26.