Proposed DHHS Rule on HITECH Incentive Payments Requires HIPAA-Compliant Patient Information Disclosure Capability

The Centers for Medicare and Medicaid Services issued a Notice of Proposed Rule Making (NPRM) on December 30, 2009, which specifies HIPAA privacy and security, and electronic health information disclosure capability criteria, for eligible hospitals to receive incentive payments for the transition to electronic health records (“EHR’s”) pursuant to the HITECH Act. The NPRM may be downloaded at http://www.federalregister.gov/OFRUpload/OFRData/2009-31217_PI.pdf.  It will requrre an interdisciplinary approach to implementation

The NPRM outlines the criteria for eligible hospitals to certify that they are engaging in “Meaningful Use” of the EHR. This comprises the ability to provide “key clinical information (to) providers of care and patient authorized entities.”  This entails the same procedures used by the hospital’s e-discovery lawyers: identify the requested patient information, preserve it, collect it and then disclose it.  The NRPM also notes that hospitals must “ensure that Meaningful Use of the certified EHR supports compliance with the HIPAA Privacy and Security Rules.”  The hospital’s Privacy Office, the Compliance Office, and its HIPAA lawyers must, then, be involved in the process to certify the EHR.

The NRPM will become a final Rule sixty days after the data of issuance.

• Tweet