AHIMA raises concern over HHS privacy rules
In response to the U.S. Department of Health and Human Services (HHS) Office of Civil Rights' notice of proposed rulemaking on modifications to the HIPAA Privacy, Security and Enforcement rules under the HITECH Act, the American Health Information Management Association (AHIMA) raised concerns about the sale of patient health information when an organization is being absorbed by a second organization.
"The OCR's approach, while practical, raises the issue of whether consumers have the right to determine if their health information should be transferred with the ownership of a health organization," AHIMA stated.
"While AHIMA continues to applaud federal government support for the ideal of protecting patients' health information rights, the proposed rule-making for HIPAA privacy, security and enforcement by HHS has a number of requirements that we do not believe the industry is ready to undertake; especially as it gears up for meaningful use,” stated Rita K. Bowen, president of AHIMA's board of directors.
The association stated that it agrees with HHS Secretary Kathleen Sebelius’ assumption that it is not necessary to extend the compliance date for small health plans. However, AHIMA is concerned with the proposed 180-day compliance period, given the impact the proposed rule will have on covered entities’ manual and electronic systems that are not currently capable of meeting the proposed requirements and for which retooling may not be completed within the 180-day period.
"As staunch supporters of patients' health information rights, AHIMA agrees the single most contentious issue in the proposed regulation is the ability of individuals to restrict the information held by their healthcare providers from being shared with their health plan,” Bowen said. “While AHIMA believes an individual's control over this data flow is valid, data flow restrictions in the HHS proposal create unintended repercussions for data integrity, data processing and other elements within the current US reimbursement system.
According to a letter to OCR dated Sept. 8, AHIMA stated it believes that covered entities should remain concerned with and address the personal health information that is created, received, maintained or transmitted by business associates and their subcontractors and not dismiss their (the covered entity’s) obligation to safeguard confidentiality, privacy and security of their customer’s personal health information.
Many AHIMA members are engaged in providing patients' individual and aggregate data for a variety of approved uses, according to the Chicago-based organization.
“There is a continued discussion within the profession on how to best cover the costs of the retrieval, analysis and release of information within the context of the privacy and security regulations, patient restrictions and the need to verify the requesting individual as a means of keeping released information available to a necessary minimum. Additionally, we remain concerned the charges permitted by states or HIPAA do not cover all costs and ultimately raise the cost of healthcare,” remarked Bowen.
AHIMA strongly believes that the OCR must provide greater clarification regarding the definition of "agents" as it relates to covered entities and who should be covered by HIPAA, including its hybrid organizations, the organization stated.
"The OCR's approach, while practical, raises the issue of whether consumers have the right to determine if their health information should be transferred with the ownership of a health organization," AHIMA stated.
"While AHIMA continues to applaud federal government support for the ideal of protecting patients' health information rights, the proposed rule-making for HIPAA privacy, security and enforcement by HHS has a number of requirements that we do not believe the industry is ready to undertake; especially as it gears up for meaningful use,” stated Rita K. Bowen, president of AHIMA's board of directors.
The association stated that it agrees with HHS Secretary Kathleen Sebelius’ assumption that it is not necessary to extend the compliance date for small health plans. However, AHIMA is concerned with the proposed 180-day compliance period, given the impact the proposed rule will have on covered entities’ manual and electronic systems that are not currently capable of meeting the proposed requirements and for which retooling may not be completed within the 180-day period.
"As staunch supporters of patients' health information rights, AHIMA agrees the single most contentious issue in the proposed regulation is the ability of individuals to restrict the information held by their healthcare providers from being shared with their health plan,” Bowen said. “While AHIMA believes an individual's control over this data flow is valid, data flow restrictions in the HHS proposal create unintended repercussions for data integrity, data processing and other elements within the current US reimbursement system.
According to a letter to OCR dated Sept. 8, AHIMA stated it believes that covered entities should remain concerned with and address the personal health information that is created, received, maintained or transmitted by business associates and their subcontractors and not dismiss their (the covered entity’s) obligation to safeguard confidentiality, privacy and security of their customer’s personal health information.
Many AHIMA members are engaged in providing patients' individual and aggregate data for a variety of approved uses, according to the Chicago-based organization.
“There is a continued discussion within the profession on how to best cover the costs of the retrieval, analysis and release of information within the context of the privacy and security regulations, patient restrictions and the need to verify the requesting individual as a means of keeping released information available to a necessary minimum. Additionally, we remain concerned the charges permitted by states or HIPAA do not cover all costs and ultimately raise the cost of healthcare,” remarked Bowen.
AHIMA strongly believes that the OCR must provide greater clarification regarding the definition of "agents" as it relates to covered entities and who should be covered by HIPAA, including its hybrid organizations, the organization stated.