Providers NOT Required To Keep EHR Audit Systems Turned On

“If healthcare providers are using their electronic health records to falsify medical billing or cover their tracks after mistakes, there’s an easy way for investigators to find out: Check the audit trail.”

“Unfortunately, federal rules don’t require healthcare providers to keep their automated audit systems turned on. A study out this week from HHS’ watchdog office (PDF) finds that many healthcare providers can simply disable their logs or alter them after the fact—and experts say the problem may be far worse than what the study found.”

“HHS’ inspector general’s office this week reported the results of a voluntary survey of all 900 hospitals that had received federal subsidies to buy electronic health record systems as of March 2012. The survey, which had a 95% response rate, found that 44% of the hospitals reported having the ability to delete their EHR audit logs. Another 33% could disable the audit logs, while 11% could edit the records at will.”

To view the full article please visit: Providers Not Required To Keep EHR Audit Systems Turned On

The Individual’s Right to Restrict Disclosure of Health Information

This article gives a great explanation of how industry has fought to influence those in government that write the ‘rules’ for how federal law works in practice. The key industry tactic is to complain that complying with the law is too costly, or impossible, or would take too much time. For reasons we don’t understand, the government agency that writes the ‘rules’ takes the side of industry rather than defending patients.

From ABA Health eSource, Jim Pyles, “The Right to Obtain Restrictions Under the HIPAA/HITECH Rule:
A Return to the Ethical Practice of Medicine
.

The Individual’s Right to Restrict Disclosure of Health Information
AuthorThe HIPAA/HITECH Final Omnibus Rule issued on January 25, 2013 restores the right for Americans to retain some control over the disclosure of their health information as part of the “floor” of federal privacy protections afforded by HIPAA.(1) Under the new rule, individuals have a right to obtain restrictions on the disclosure of health information in electronic or any other form to a health plan for payment or healthcare operations with respect to specific items and services for which the individual has paid the covered entity out of pocket in full.(2) Such requests for restrictions must be granted by the covered entity unless disclosure is required by law. Covered entities must also include this right in their notices of privacy practices.(3) The guidance in the preamble states that only healthcare providers are required to include such a statement in their notices of privacy practices; however, the language of the statute and the regulation itself states that the notice requirement applies to covered entities.(4) The new rule became effective March 26, and covered entities must be in compliance by no later than September 23, 2013.(5)

————-

1 78 Fed. Reg. at 5628 (January 25, 2013).
2 45 C.F.R. § 164. 522(a)(1)(vi).
3 45 C.F.R. § 164.520(b)(1)(iv).
4 HITECH Act, section 13405(a); 45 C.F.R. § 164.522(a)(1)(vi) (as amended).
5 78 Fed. Reg. at 5566.

Health Care, the Cloud, and Privacy, Jan. 7 Panel

Health Care, the Cloud, and Privacy

Phoenix Park Hotel
520 North Capitol Street, NW | Washington, DC 20001
Georgian Room
Monday, January 7, 2013 | 12:00 p.m. ET

On behalf of Patient Privacy Rights (PPR), you are invited to attend a panel discussion on health care system privacy challenges posed by cloud computing. The one-hour discussion, “Health Care, the Cloud, and Privacy,” will be held on Monday, January 7, 2013 at the Phoenix Park Hotel in Washington, D.C. Boxed lunches will be provided.

With technological innovations that promise better efficiency and lower cost, one of the most anticipated developments is how industry and regulators will respond. That question today is focused intently on cloud computing and the implications for corporations with electronic systems containing sensitive consumer health data. Who is handling patient data? How do HIPAA and other health privacy laws and rights function in the cloud? What can policymakers do to better protect our sensitive medical data?

Our distinguished panel will feature:

Joy Pritts
Chief Privacy Officer
Office of the National Coordinator for Health IT
U.S. Department of Health and Human Services

Deborah C. Peel, MD
Founder and Chair
Patient Privacy Rights (PPR)

Nicolas P. Terry
Hall Render Professor of Law
Indiana University Robert H. McKinney School of Law

Lillie Coney
Associate Director
Electronic Privacy Information Center (EPIC)

Please RSVP to Jenna Alsayegh at jalsayegh@deweysquare.com.

We hope to see you there!

And there is more:
View the Invitation as a PDF
View the Press Release

PPR also sent a letter to the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) that urges for more comprehensive guidance on securing patient data in “the cloud.” With the healthcare industry moving their records to electronic databases, PPR sees a number of issues associated with cloud computing services, including compliance with existing healthcare privacy laws like the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, stronger state and federal health information privacy laws, medical ethics, and Americans’ rights to health information privacy. View the letter here.

Re: 2012: Time for Action on Health Privacy

Things in Washington DC must really be bad if Deven McGraw, Chair of the Privacy and Security Tiger Team and member of the national Health IT Policy Committee, is speaking out so clearly about the lack of privacy protections in federal policy. She states in the article “2012: Time for Action on Health Privacy” that it’s time for HHS/ONC to change their “pattern” of “too much talk and not enough action” to protect privacy. Is there a privacy crisis? PPR thinks it’s critical to build privacy and patient control over data in up front. Now is the time!

See full article

“Consumers and patients support the electronic sharing of health information and are eager to experience the benefits of widespread adoption and use of electronic health records. Yet a substantial majority continue to express significant concerns regarding the impact of e-health on the privacy and security of their health information. According to a recent survey by the Markle Foundation, the privacy of health information is a significant concern for the American public and doctors who serve them.

Building and maintaining public trust in health IT and health information sharing will be critical to leveraging their benefits to improve individual and population health. The rhetoric from the Office of the National Coordinator for Health IT and HHS has been consistently strong on the importance of respecting the confidentiality of health information; however, with a few exceptions, the pattern has been too much talk and not enough action.”