OMB reviews information disclosure changes to HIPAA privacy rule

The proposed rule would extend the privacy rule’s information disclosure requirements to include disclosures during the previous three years for treatment, payment, and health care operations (TPO) if a health care provider uses an electronic health records (EHR) system, according to a report by Health Data Management.

The extension of the privacy rule is required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted in 2009 as part of the American Recovery and Reinvestment Act and amends HIPAA by beefing up enforcement and penalties for violations.

In a letter to HHS, the Medical Group Management Association (MGMA) called the requirement burdensome and unrealistic, according to the report.

"The fact that HITECH stipulates that the TPO accounting is only required for those physician practices that have adopted an EHR suggests that the government believes TPO disclosures would be collected and stored on this one clinical system," the MGMA letter said.

"This is simply not the case. The majority of physician practices store their clinical data in an EHR and their administrative data (including payment information and data that would qualify as 'health care operations') in their practice management system. Satisfying an accounting for TPO request in most practices is not a simple keystroke strike….MGMA members have made it clear that completing these types of reports requires a substantial amount of manual collection from multiple data sources", the letter said.

What’s Hot on Infosecurity Magazine?