HIPAA Regulations 2013: DRS Data and Restriction of Disclosures


The designated record set (DRS) is an important concept to understand. It is the set of records the provider uses to make decisions about the patient: how to treat the patient, or how to handle payment for the patient's services. The medical records and medical billing records that are used to make decisions about the individual make up the designated record set.

So it doesn't necessarily include all of the protected health information you have on file. For example, you may have had some internal management proceedings where you looked at a particular situation or conducted an internal review, and some of that information has the patient's name associated with it as part of that review.

That is not part of your designated record set, because it wasn't used to make decisions about the patient; it was used for your internal operations. So that's not DRS data.

Our expert mentioned in a healthcare training program that it is important to know what is and isn't in the DRS, because the information in your designated record set is the information over which patients have certain rights: accounting of disclosures, restriction of disclosures, copying of information and so on.

A disclosure is a release of information to some organization other than yours, whereas a use is something that happens inside your organization. That distinction is important because accounting of disclosures is a concept that has been in place for a long time: the individual has a right to an accounting of all disclosures of their health information.

So every time the information went to another organization, the individual has a right to know when that happened, to whom, and what it was about, for the last six years, except for a set of very large exceptions: disclosures for treatment, payment and healthcare operations, which cover most of them.

Then there is another list of exceptions that covers almost all the rest, so you wind up with hardly anything in your accounting of disclosures. Anybody who handles these knows that.

There was a proposed rule under the HITECH Act to change that. It is not part of the final update, so accounting of disclosures is staying the way it was, which is good news, because the way it was going to be was a nightmare. Let's hope they don't go with anything like what they proposed.

But again, if you have a business associate managing your EHR for you, you need to be able to produce the proper information so that you can provide a good accounting of disclosures under whatever regulations apply.

Whether it is the old HIPAA regulations or the new ones that apply, you want to make sure your agreement says that when new regulations come along, the business associate will give you the features you need to satisfy them. That is something you definitely need in your agreement.

Restriction of disclosures: there is a new change going into effect March 26th. Slide 27 also lists the other sections of HITECH 13405 that apply: (b)(1), (b)(2) and (d). Under 13405(d), if there is a sale of the information involved, you have to have an authorization that says you are actually getting money for it; that requirement shows up in the sale of PHI section.

The (b)(1) and (b)(2) provisions are requirements to apply the minimum necessary standard when you are actually dealing with the information. So there are more requirements to be minimum necessary about how you disclose information, how you use it, and how you pass it around.

13405(a), though, is the one that may have the larger impact. If the individual says, “I am paying for this service out-of-pocket and I don't want you to tell my insurance company about it,” you have to go along with that.

There is a big exception for Medicare, Medicaid and similar disclosures that are required by law. But generally, if the individual says, “I don't want you to tell my insurance company about this. I am paying out-of-pocket,” you have to comply, in line with the healthcare guidelines.

So your systems need to be able to handle that. Your EHR needs to be able to do this for you, and you need to understand how you are going to deal with these requests, with a process in place to handle them and to maintain compliance with the HIPAA regulations and HIPAA security standards.

You may need to update your business associate agreement to make sure they give you those capabilities in your EHR.
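As an added illustration (not code from the page or from any EHR product), here is a small Python model of the two rules just described: a self-pay restriction that blocks disclosure of the restricted service to the patient's health plan unless the disclosure is required by law, and an accounting of disclosures that returns the last six years of disclosures minus the treatment, payment and healthcare-operations exceptions. The organisation names, service IDs and the `public_health` purpose are constructed sample values; the second list of accounting exceptions the text mentions is not modelled.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Purposes exempt from the accounting of disclosures (treatment, payment,
# healthcare operations). The page's "other list" of exceptions is not modelled.
ACCOUNTING_EXEMPT = {"treatment", "payment", "healthcare_operations"}


@dataclass
class Disclosure:
    service_id: str
    recipient: str            # organisation that received the PHI
    purpose: str
    when: date
    required_by_law: bool     # e.g. Medicare/Medicaid reporting


@dataclass
class PatientRecord:
    patient_id: str
    health_plan: str
    # Services the patient paid for out-of-pocket and asked not to be
    # reported to the health plan (the HITECH 13405(a) restriction).
    restricted_services: set = field(default_factory=set)
    log: list = field(default_factory=list)   # disclosures only; uses are not logged


def disclosure_allowed(rec, service_id, recipient, required_by_law=False):
    """Apply the self-pay restriction. Returns True if the release may proceed."""
    if recipient == rec.health_plan and service_id in rec.restricted_services:
        # Only a disclosure required by law overrides the patient's restriction.
        return required_by_law
    return True


def disclose(rec, service_id, recipient, purpose, when, required_by_law=False):
    """Release PHI to another organisation if permitted, and log it for accounting."""
    if not disclosure_allowed(rec, service_id, recipient, required_by_law):
        return False
    rec.log.append(Disclosure(service_id, recipient, purpose, when, required_by_law))
    return True


def accounting_of_disclosures(rec, as_of, years=6):
    """Disclosures the patient is entitled to see: last `years` years, TPO excluded."""
    cutoff = as_of - timedelta(days=365 * years)
    return [d for d in rec.log
            if d.when >= cutoff and d.purpose not in ACCOUNTING_EXEMPT]
```

In a real EHR the restriction flag would live on the billing line or encounter, and the accounting report would also need to carry the "what it was about" description the patient is entitled to.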

Getting an electronic copy of your PHI from your EHR

Individuals do have a right to get an electronic copy of information that you are holding electronically. So if you have it electronically and the patient says, “I want an electronic copy,” you have to be able to give it to them.

Now, the nice thing is that there is some discussion in the preamble of how to interpret this. If you look at the individual preferences in some of the HIPAA regulations and discussions this is based on, they say: if the patient says, “I want you to email me this information,” you can respond that if it is just plain email, there are some risks of the information being exposed, because it is not necessarily secure: “It doesn't happen too often, but do you want us to go ahead with this anyway?”

If the patient says, “Yeah, I want you to just use plain email. I don't want to be bothered with anything else,” and you say, “Okay, as long as you accept the risks of this, and the risk is low,” then you have had a patient discussion about accepting the risks, an informed discussion of what is going on, and you document it. At that point you can go ahead with emailing the information unencrypted. You don't have to have the secured patient portal.

So if people want you to email the information and they insist on it, it is the reasonable thing to do, so long as you discuss the impact with them.

You might also extend this discussion to the world of texting. When it comes to updating appointment times or similar small details, you may look at it and say, “This is very low-risk information,” and you don't consider it exposed. It may even be a more secure way of doing things than email or a telephone call, and a more private way that helps you avoid a HIPAA breach.

Get more healthcare compliance-related tips and strategies at AudioEducator's on-demand conference page.
