With long hours spent in 2013 wading through ideas and comments on accounting of disclosures in the distance, the Privacy and Security Tiger Team is ready to move onto new data exchange privacy topics in 2014. However, last year’s Tiger Team recommendations to the HIT Policy Committee may help spark changes to HITECH language for accounting of disclosures this year.
Micky Tripathi, Co-Chair of the Tiger Team and CEO of the Massachusetts eHealth Collaborative (MAeHC), talked with HealthITSecurity.com about what last year’s work will mean this year as accounting of disclosures become more pressing for healthcare organizations connected to health information exchanges.
Can you talk about what the Tiger Team’s 2013 work will mean for 2014?
Tripathi: I think that the Privacy and Security Tiger Team’s recommendations to ONC for accounting of disclosures were significant in a number of ways. One is to make the HITECH requirements for accounting of disclosures implementable and still aligned with the ultimate goal. And that is to ensure there’s transparency and that patients have trust in the system and that they’re not concerned about what’s happening with their information. They need timely ways to access their information and to see who’s accessed their information, as well as checking that the data was used for the organization’s original purpose.
How will accounting of disclosures be affected?
Tripathi: That’s what we want to accomplish and I think what we saw in the recommendations, which were based on a hearing that we had, was that HITECH and the Office for Civil Rights (OCR) NPRM that came from it. While well-intentioned, what came from it was a large assumption that because 70 percent of providers have EHRs that have audit functions, that it can immediately flip to granular, rich accounting of disclosure data that could be made available almost real time to patients. That was the big leap that turned out to be overly-aggressive. There’s a big difference between auditing for HIPAA notices or internal integrity checks and what’s required for accounting of disclosures. That was the gap that we exposed during the hearing that came through loud and clear and organizations were able to give their direct feedback. It’s one thing for organizations to produce audits, but if they have to create the type of data for the accounting of disclosures, it could be millions of dollars of investment to provide that type of data. So we were to bridge that gap between the vision that we all agree with and the reality on the ground.
Will there be any amendments to HITECH?
Tripathi: Hopefully, what we’ll see is tailoring of that [accounting of disclosures] final rule to accommodate some of what we [heard from organizations]. And we also talked about how, while the technology and processes aren’t there yet, certification may be able to start the path toward EHRs being able to produce some of that data in a more patient-friendly manner.