Keep audit logs of who accessed records and what their role is. Besides the future requirement to track and make available PHI disclosed from an EHR, the HIPAA Security Rule requires the generation and review of audit logs.
Use a database to ensure all uses and disclosures are tracked as required by the HIPAA Privacy Rule, and plan to maintain similar information related to disclosures when the future EHR accounting of disclosures requirements become reality.
The questions OCR asked providers last year included:
- What are the benefits to the individual of an accounting of disclosures, particularly of disclosures made for treatment, payment, and healthcare operations purposes?
- Are individuals aware of their current right to receive an accounting of disclosures? On what do you base this assessment?
- If you are a covered entity, how do you make clear to individuals their right to receive an accounting of disclosures? How many requests for an accounting have you received from individuals?
- For individuals that have received an accounting of disclosures, did the accounting provide the individual with the information he or she was seeking?
- What is the feasibility of an [EHR] module that is exclusively dedicated to accounting for disclosures (both disclosures that must be tracked for the purpose of accounting under the current HIPAA Privacy Rule and disclosures to carry out treatment, payment, and healthcare operations)? Would such a module work with covered entities that maintain decentralized electronic health record systems?
- Is there any other information that would be helpful to [OCR] regarding accounting for disclosures through an [EHR] to carry out treatment, payment, and healthcare operations?
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.