New HIPAA Omnibus Rules Certainly Encourage the Use of a Personal Health Record for Patients With Getting Copies of Their Medica
Posted Jan 18 2013 5:59pm
I read through a few of the comments here that relate to PHRs, and I have been covering the technology since it began. When you read about the “email” portions of this, it’s a slam dunk as to why you really don’t want to rely on standard email systems to do that for you. It states that once you as a consumer are advised of the “risk” of using non-encrypted technologies to transport information, the monkey is on your back. There are 563 pages of the law. Rules go into effect on March 26th and there are 180 days to become compliant.
The good thing here is a broader coverage for “associates”, and when I think of some of those, the old Accretive situation comes to mind, where a representative was showing a Wall Street investor actual medical records and “their” recommendations for treatment…a big no-no, which became front page news when they had to report a total of 6 notebooks being stolen. This is not the way to approach “revenue cycling audits”. At the end of last year I attended a convention where I asked the million dollar question of how hospitals work with and govern 3rd party entities. It is something everyone works on, as you never know when crossing the line to make a buck will happen, but we are seeing a lot of that of late in many areas. If you want more background on this thought process, watch the 5 videos on this blog to your left and see how money takes over.
At least he’s got a better handle on it than Chopra did telling everyone coding could make them rich. I would even wonder how many members of this House Committee even use a PHR, much less know what one is, as they go back to the dated paradigm of “it’s for those guys over there”. You see it in the news every night.
It states that associates and providers are not responsible for educating the consumer about appropriate ways to transmit via encryption, so the best thing here is to be an informed patient, be up on it, and get yourself a PHR to store your data. Besides, mail servers have issues too; I remember those, and just ask anyone who has had to take care of “Exchange” :)
You can always reference the government page here on HIPAA and keep up to date with the news and find answers to questions. Anyway as I see it, rather than having long conversations about what is an approved method for patients to get copies of their medical records, get yourself a PHR and be done with it and have a system you know and can rely on. The full press release can be read here.
There are a couple of other revisions, especially in the areas of security breaches, that are of interest to hospitals and the 3rd parties who of late seem to account for most of the breaches happening today, with HIPAA compliance being almost nonexistent in the breaches we have read about in the news.
One other area of the new rules also substantiates my campaign for licensing and excise taxing data sellers, and that has to do with using information for marketing and fundraising…well…how in the heck do we know who’s using our information…answer: License them and require a federal disclosure page, and again get that excise tax in there, as companies, banks, and so on make BILLIONS in profits here.
“The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals’ health information without their permission.”
How do we know who’s using our information for marketing until one of them reaches us…they ignore HIPAA and the dollar takes over. How many HIPAA fines have we had? That answers the question right there, so don’t depend on the mostly invisible HIPAA police to come to your rescue. So we have half the job here, and without a way to enforce it, it will fail in this area, as money seems to be winning all the time. It’s actually too bad that a more complete, comprehensive model was not created here, but band-aids are better than nothing.
When we one day get some Hybrid executives in office that understand this, perhaps it will get better. They are hard to find, but until such time we are stuck with attorneys who like to keep the money rolling in, and thus they want to make sure they get paid for every tiny incremental change that is made.
And we could have this too…
Anyway, back to PHRs: now that you as a patient can request your records electronically, get one set up so you have one place where you can access all the information you collect. With a PHR you are set to handle almost any HIPAA compliance method used by a hospital, provider or other entity. If they are not up to the 20th century, get a PHR compliant fax number and get your records that way too. Most importantly, they can’t make you as a patient go out and get a new thumb drive (grin), but they will have to get into long conversations about alternative methods if you don’t have a PHR. BD
If a patient wants their data to be placed on an external media drive, like a thumb drive, providers are not mandated to accept the device if their organization has conducted a HIPAA risk analysis and found external drives to be a risk. However, if they reject a patient's thumb drive, they can't require the patient to purchase one the covered entity provides. Instead, they have to find an alternative distribution method, such as email.
The OCR did not define EHRs, but clarified that patients do have access to electronic copies of their health information wherever the data is housed.
Covered entities are not liable for unauthorized access to unencrypted emails if patients want to receive their data that way. OCR said in the rule: "We do not expect covered entities to educate individuals about encryption technology and information security. If individuals are notified of the risks, and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual's request [or once it's delivered]."