OCR Contemplates Electronic Medical Record Networks
In case you missed it, on December 15, 2008, the Office of Civil Rights published information that suggests it is thinking about how HIPAA applies to the electronic exchange of health information in a networked environment. If you want to review the materials for yourself, they are located here.
In summary, so long as the primary purpose for and function of an electronic network is treatment oriented, HIPAA should not be a barrier to the development of an effective network. OCR's focus in its comments was on setting up electronic exchange networks so as to create a level of trust between patients and the covered entities participating in these networks. OCR recommends that patients be advised, either in the Notice of Privacy Practices or in some other document, that their health information will be used and disclosed for treatment purposes through an electronic network.
Some of the other points made by OCR in this guidance include the following:
- While covered entities are not required to agree to allow patients to restrict otherwise permissible uses and disclosures of their information, a covered entity must have policies in place to deal with the issue, and if a covered entity does agree to allow certain restrictions, the covered entity must abide by that agreement, except in an emergency situation;
- OCR acknowledges that HIPAA does not require a covered entity to allow patients to "opt-in" or "opt-out" of an electronic network but suggests that the ability to afford patients that kind of choice will help build trust between patients and providers who use electronic networks;
- Minimum necessary concepts apply to the electronic networks and the access of health information for payment and health care operations purposes through such networks;
- Regardless of the scope or purpose of an electronic health information exchange network, any disclosures of health information by a covered entity through the network must comply with the Privacy Rule and, in addition, must also be in compliance with any more stringent State law requirements;
- Even in an electronic exchange environment, the HIPAA Privacy Rule requirement that patients consent to the disclosure of psychotherapy notes still applies;
- Covered entities who set up electronic health information exchange networks must implement appropriate administrative, technical and physical safeguards to protect the privacy of the protected health information; and
- Covered entities that participate in an electronic network need to be aware that whatever information they import into their electronic records via a network becomes a part of their legal medical record. However, network participation alone does not make all of the information about a patient that is accessible through the network a part of their legal medical record.
Overall, given the clients that I have worked with who are setting up, trying to set up, or thinking about setting up these kinds of electronic exchange networks, the OCR guidance is not overly enlightening but still helpful in that it confirms that there is a right way and a wrong way to set up such a network and that if you have the right goal -- facilitating better access to information for treatment purposes -- you should be able to get where you are trying to go.