New Proposed HIPAA Disclosures Vex Health Care Players: Who Is Asking for the Information Anyway?

is urging rule-makers not to include access report requirements in the final rule. If rule-makers do include access reports in the new rules, CHIME believes that only data gathered through certified EHRs—not the full array of designated record sets—should be expected to populate such reports. There are also numerous critics of the HHS’s conception of an expanded AOD. Daniel C. Walden, Senior Vice President, Compliance and Chief Privacy Officer, at Medco Health Solutions, Inc., says that AOD provisions and ensuing proposed regulations, if applicable to PBMs, would affect Medco’s ability to use patientspecific information. As such, this could delay access to care and, he says, “create an unnecessary increase in our paperwork burden.” Rebecca Carlson, General Counsel Assistant and Privacy Officer at the Dean Health System, says that her hospital assembled a trial AOD for a patient. At 46 pages long, it took from 40 to 50 hours to collect the data that are currently required in an AOD. Dean Health System did not compile the additional data that would be needed under the proposed rule, including pharmacy information. Another problem with the potential AOD requirement is that the EHRs currently on the market do not account for TPO within a personal medical record, and the HHS stage 1 meaningful-use requirement—tied to the eligibility of physician practices and hospitals for federal health care information technology (HIT) incentive payments—does not require EHRs to do so. Moreover, only a handful of people have ever asked for the existing AODs established by the HIPAA Privacy Rule requirement from 2000. Since 2003, Medco has captured more than 13.6 million records in its AOD database. How many requests has Medco received for AODs in the past eight years? 13! One wonders why Congress even expanded the requirement as part of the HITECH Act. Pharmacists are already concerned about various new federal requirements coming down the pike that would complicate pharmacy software systems. We’re talking about rules for things such as potential drug package verification and electronic health record (EHR) entries. Now there is another software hurdle appearing on the track: compiling audit records of people inside and outside the pharmacy who take a peek at a customer’s personal medical and pharmaceutical information. That is one of the looming new requirements for both inpatient and out patient pharmacies stemming from the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. Some HITECH provisions made changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Stakeholders throughout the pharmacy industry will be affected by the new HITECH requirements when they come into play, although there is no word yet on when the final rule with compliance deadlines will be published. The HIPAA Privacy Rule affects covered entities such as physicians, health plans, hospitals and pharmacies, and their business associates—pharmacy benefit managers (PBMs), for example. When a patient makes a request, the entity must disclose to which third parties it sent that individual’s protected health information. Since 2000, there has been an exemption for disclosed information pertaining to treatment, payment, and health care operations (TPO). The proposed rule that the Department of Health and Human Services (HHS) issued on May 31 suggested one expansion and one new disclosure that covered entities and business associates would have to make, both stemming from HITECH requirements: