Possible HIPAA Changes Affecting Accounting of Disclosures (RFI Part 3)
This post will address Part 3 of the Office for Civil Rights’ (OCR) request for information (RFI) on possible changes to the Health Insurance Portability and Accountability Act (HIPAA). Part 3 discusses Accounting of Disclosures (AoD) rules – essentially what records providers have to keep about who they give your information to.
I originally tweeted my analyses here, but have put the tweets together in this post (with edits) for easier reading. The RFI can be found here. My introduction to the RFI as well as an analysis of the first part (on sharing information between providers) can be found here. And my analysis of the second part (on loosening privacy standards for substance use and mental health information) can be found here.
I’ve shared a lot about Accounting of Disclosures on Twitter, including what they are and the difficulties of getting providers to comply with providing them. Perhaps my most important tweet thread is on Care Everywhere (which I will talk a lot about in this post). That thread can be found here. I encourage you to read that thread (you do not need to have a Twitter account to see it) before you proceed.
To begin here though, it’s important to understand what an AoD is. Most patients do not know and have never heard of this important part of HIPAA. Patients have a right to an AoD under HIPAA as codified in 45 CFR 164.528. Basically it says providers have to keep a list of entities they gave your protected health information (PHI) to that wasn’t for your care.
The AoD is not part of a patient’s record. Patients have to ask for it specifically (unfortunately most don’t know to ask). Once a patient asks, a provider has 60 days to give them a document with the information they need to understand who has their information and why the provider gave it away. That information must include dates, names, a brief description of what was shared, and a brief statement of the purpose of the disclosure. That statement has to be clear enough that patients can understand why the info was shared.
There are a lot of exceptions as to what they have to provide in an AoD. For instance, they do not have to let you know if they disclosed a patient’s information to carry out treatment or for payment (e.g. what they disclose to other providers or to your insurance). They also don’t have to disclose if the disclosure was “incidental” (which is interpreted very broadly). Those are a few of the exceptions; the rest can be found under 45 CFR 164.528(a)(1).
In this 3rd part of the RFI the OCR is looking into:
Implementing the HITECH Act requirement to include, in an accounting of disclosures, disclosures for treatment, payment, and health care operations (TPO) from an electronic health record (EHR) in a manner that provides helpful information to individuals, while minimizing regulatory burdens and disincentives to the adoption and use of interoperable EHRs.
The HITECH Act (Health Information Technology for Economic and Clinical Health Act) was passed in 2009 (as part of the stimulus bill). The HITECH Act updated some of the Privacy and Security standards under HIPAA, particularly around access to and security of your electronic health information. Most of the Rules for the HITECH Act were finally published in 2013. However, updating AoDs was not done. As the OCR notes:
…section 13405(c) of the HITECH Act directs the Department to modify the Privacy Rule to require that an accounting of disclosures include disclosures made for TPO purposes through an electronic health record during the three years before the request.
The OCR was supposed to address this, and they published a Notice of Proposed Rulemaking in 2010, but nothing ever came of it. Now they’re looking to address this requirement again. Specifically they want feedback on how
…individuals can obtain a meaningful accounting of disclosures that gives them confidence that their PHI is being disclosed appropriately as part of receiving coordinated care or otherwise, without erecting obstacles or disincentives to the adoption and use of interoperable electronic healthcare records, which is necessary for efficient care coordination, case management, and value-based healthcare.
This sounds positive. More information for patients, right? Probably not. In part because it’s clear the OCR doesn’t know how AoDs are working right now at all. If they were to understand AoDs, they may just give up on implementing the requirement all over again.
The OCR starts by asking about the scope of AoD requests:
27) How many requests for an accounting of disclosures do covered entities receive annually and from what percentage of total patients? Of these, how many requests specify a particular preferred electronic form or format, and to what extent do covered entities provide the accounting in the requested form or format?
I’m going to bet that the number of AoD requests is fairly low. Why? Because so few patients know they can ask for them. Furthermore 9 out of every 10 offices I ask don’t know what they are at all. As a result, I generally have to educate offices about their existence and requirements. And with those who do know what an AoD is, I’ve been sent all manner of AoDs, none of them compliant.
I once had staff tell me that they just asked the doctor if he’d shared my info and he told them, “no.” That’s not how an AoD works. It’s not an ad hoc thing. It’s something providers are supposed to document as it happens. For doctors with thousands of patients, relying on memory of whether they shared information isn’t sufficient.
If hospitals and providers say that few patients ask for AoDs, there is a likelihood that the OCR finds them meaningless and could scrap the whole portion – meaning you never get to know who really gets access to your information. Yes, HITECH requires implementing standards that would increase the number of AoDs… But we are almost a decade out from the passage of that law and they have done nothing, nor does the OCR meaningfully enforce the law as it exists.
The OCR presents the next question to prove the burdens of providing AoDs:
28) How much time do covered entities take to respond to an individual’s request for an accounting of disclosures? How many worker-hours are needed to produce the accounting? What is the average number of days between receipt of a request and providing the accounting to the requesting individual? How would these estimated time periods change, if at all, if covered entities were to provide a full accounting of disclosures for TPO purposes? What is the basis for these revised estimates?
Providers get 60 days to respond to a request for an AoD. In contrast, they get 30 days to respond to a records request. The average number of days for either is far longer than it should be, especially since most records and AoDs are electronic.
Would adding AoDs for TPOs (treatment/payment) take more time? It shouldn’t. Good record keeping should mean you have access to this information almost instantaneously. Further, it’s now being built into EHRs, like Epic’s Care Everywhere platform (as I mentioned above, I’ve written on the Care Everywhere platform here).
The Care Everywhere platform automatically transmits documents like a “continuity of care” document to others in its system (current entities are listed here and include healthcare organizations around the world). Interestingly, none of the providers I talked to know this happens, how it happens, or what the documents that are shared are. But Care Everywhere is not unique. There are other technologies in healthcare doing the same thing. This is particularly relevant as Health Information Exchanges (HIEs) are created to ensure “interoperability” (the idea that every system can access your information).
Ultimately, what’s important though is that AoDs are not understood by providers but they are being recorded electronically by EHRs already, including AoDs of patients’ treatment information (which is not currently required). Surely, hospitals and doctors will say that adding to AoDs would take more time, which is laughable when they don’t know it’s already being done for them.
The OCR then asks:
29) If your covered entity does capture and maintain information about TPO accounting, even though it is not currently required by the Privacy Rule, what is the average number of TPO disclosures made by the entity for a given individual in a calendar year? How many such disclosures are made from EHRs?
However, if providers don’t know that their EHRs already do this, how are they supposed to answer this question? Granted this question may get them to actually investigate what features their EHRs have and look into where patient information is going. One can hope.
How AoDs work when it comes to Business Associates (BAs) is another aspect to consider.
30) In what scenarios would a business associate make a disclosure of PHI for TPO through an EHR? What is the average number of such disclosures for a given individual in a calendar year, if known?
Business Associates are companies that work with providers – billing companies, companies that help with claims processing, attorneys, etc. Providers are required to keep contracts (called Business Associate Agreements, or BAAs) with BAs to ensure they keep your information private and secure.
How are BAs making disclosures of your health information in an EHR? This is a good question and one I honestly cannot answer. How might they? Again, I’m not sure I can answer. Perhaps in the billing portion of an EHR, for instance if a claim is denied and fees are due to the provider. Since BAs often perform more administrative and business-oriented tasks, it is hard to know what they’d be making disclosures of. If they are making those disclosures, those should be recorded. And regardless, information disclosed to a BA should be recorded.
Who should take responsibility for BAs is essentially the next question:
31) Should the Department require covered entities to account for their business associates’ disclosures for TPO, or should a covered entity be allowed to refer an individual to its business associate(s) to obtain this information? What benefits and burdens would covered entities and individuals experience under either of these options?
To rephrase this question: Should providers be on the hook to account for any disclosures their BA makes? Or should they say to patients they have to go directly to the BA to find out who a BA gave their information to?
Given that most patients don’t know what a BA is or does, patients rely on providers to let them know what BAs they work with. A patient has to be very specific to get pointed in the direction of the right BA to get the info they need.
The decentralization of who has access to and is sharing your information is quite problematic for everyone, especially patients. Making patients go to BAs directly only causes more confusion, time concerns, and extra work that they should not have to undertake.
Providers should be on the hook for providing AoDs because that’s where patients go for information about their care. The next question should be how we help centralize that information – how do we get BAs to report that information to one place so patients only have to make one request.
32) For existing EHR systems:
a) Is the system able to distinguish between “uses” and “disclosures” as those terms are defined under the Privacy Rule at 45 CFR 160.103? (Note that the term “disclosure” includes, but is not limited to, the sharing of information between a hospital and physicians who may have staff privileges but who are not members of its workforce).
What is kept in an EHR system about AoDs is limited. Rarely does it include why your information was disclosed (i.e., it doesn’t tell you the purpose of the disclosure). I’ve had to go to some interesting lengths to find this information out.
For example, one hospital system gave me AoDs from multiple hospitals all at once but couldn’t distinguish between which hospital gave out what information. One of the disclosures noted my info was sent to a state agency but couldn’t tell me why. So I called the state agency that got my information and they had no idea why it was sent to them either. Turns out it was a state reporting requirement of some sort, but still no one could tell me exactly what was shared. It became a dead end where I knew my health information was shared but, ironically, no one wanted to really account for it.
Access to PHI is discussed next:
b) If the existing system only records access to information without identifying whether such access represents a use or disclosure, what information is recorded about each instance of access? How long is such information retained? What would be the burden for covered entities to retain the information for three years? Once collected, what additional costs or other resources would be required to maintain the data for each subsequent year? At what point would retention of the information be excessively burdensome? OCR requests specific examples and cost estimates, where available.
Access to your health information in EHRs is regulated more under the Security Rule than the Privacy Rule. One of the aspects of compliance with the Security Rule is doing a Risk Assessment. Part of that Risk Assessment and its ongoing activities is keeping track of who has access to your information.
Who has access to your info in EHRs should be easy to find and account for because electronic health records (EHRs) track users (providers) who log in with unique identifiers (username/password). How much info and how long it’s kept is up to each EHR and how each provider chooses to implement the tools in their EHR but the information is there for the most part. Distinguishing who is logging in versus who is disclosing that information may be more difficult but I believe EHRs are already set up to do this (see the Care Everywhere example again).
The question about standardizing how long AoDs or any records should be kept is an interesting one. Each state has different record retention laws (ranging from about 5-10 years).
In my opinion, AoDs should not be separate from patient records. AoDs should be part of the patient record. As such, they should fall within record retention requirements already in place for records. To shorten the time they are kept and to keep them separate confounds the system and makes it harder for patients to have a say in where their health information goes and how it is used. Ultimately, that’s the most important part of HIPAA, giving patients rights to their records and having a role in their healthcare.
The details of AoDs are what matter in ensuring patients have a meaningful role. But the OCR clearly doesn’t know what is really disclosed.
c) If the system is able to distinguish between uses and disclosures of information, what details regarding each disclosure are automatically collected by the system (i.e., collected without requiring any additional manual input by the person making the disclosure)? What information, if any, is manually entered by the person making the disclosure or accessing the information?
The details currently required in an AoD (date, name, a brief description of what was shared and a brief statement of the purpose of the disclosure) should be automatically collected. Sadly, the purpose often isn’t. At the same time, the others almost always are.
When I say a “brief description of what was shared” is collected, I mean that broadly. Often “description” looks something like “continuity of care.” While that technically is a description, it doesn’t tell me what was shared. Standardizing terms like this could easily be fixed with a glossary. After some investigating, I was able to figure out what this document meant in the Care Everywhere platform, but it really shouldn’t take tracking down. It should be clear.
Manual entries of disclosures are likely far fewer than they could be. Providers don’t know what AoDs are, so they aren’t keeping records as they should be – concurrently with any disclosure they make. They aren’t going the extra mile to note when and what information they’re sharing. Teaching providers the importance of noting disclosures may change this.
With details, the OCR wants to know about data elements:
d) If the system is able to distinguish between uses and disclosures of information, what data elements are automatically collected by the system for uses (i.e., collected without requiring any additional manual input by the person making the disclosure)? What information, if any, is manually entered by the person making the use?
For this, see the above. Essentially the date and time, plus the name the system gives the document that was shared. And no one is going back and making notes that I’ve seen (though I’ve taught the providers I work with to do this because it is best practice).
I’ve talked about descriptions above, but the OCR asks:
e) If the system is able to distinguish between uses and disclosures of information, does it record a description of disclosures in a standardized manner (for example, does the system offer or require a user to select from a limited list of types of disclosures)? If yes, is the feature being utilized? What are the benefits and drawbacks?
Under most AoDs I’ve seen, yes, it does record a “description.” It’s a list like “continuity of care document,” or “progress notes,” or “CE Encounter List,” or “CE Clinical Summary.” These are not particularly helpful for patients. Again, a glossary would help patients understand what these mean.
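To make the pieces above concrete, here is an added example (not code from this post or from any EHR vendor) that filters a constructed disclosure log into an AoD under the current 45 CFR 164.528(a)(1) exceptions and, separately, under the HITECH section 13405(c) requirement to add TPO disclosures made through an EHR in the prior three years; it renders the four required elements and flags entries whose purpose is missing or merely generic, or whose description is an opaque system code. The log format, the glossary expansions (placeholders) and the six-year lookback (taken from 164.528(a)(1), not from this post) are assumptions.

```python
"""Generate an Accounting of Disclosures (AoD) from an EHR disclosure log.

Added example, not code from the original post or from any EHR vendor.
The log format is constructed; glossary expansions are placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta

TPO = {"treatment", "payment", "operations"}

# Purpose strings the post argues are too broad to tell a patient anything.
GENERIC_PURPOSES = {"for treatment", "for payment",
                    "for health care operations",
                    "for health care operations purposes"}

# Constructed glossary. The codes are the kind that appear in the AoDs the
# post describes; the expansions are placeholders, not vendor definitions.
GLOSSARY = {
    "continuity of care document": "summary document exchanged between care sites (placeholder)",
    "CE Clinical Summary": "Care Everywhere clinical summary (placeholder)",
    "CE Encounter List": "Care Everywhere list of encounters (placeholder)",
    "progress notes": "clinician progress notes (placeholder)",
}


@dataclass
class Disclosure:
    disclosed_on: date
    recipient: str
    description: str
    purpose: str          # empty when the system never captured a purpose
    category: str         # "treatment", "payment", "operations" or "other"
    via_ehr: bool         # sent electronically from the EHR (e.g. Care Everywhere)
    incidental: bool = False


def in_scope(d, requested_on, rule):
    """Decide whether one logged disclosure belongs in the accounting.

    rule == "current": 164.528 as it stands: six-year lookback (assumed from
    164.528(a)(1)), TPO and incidental disclosures excepted.
    rule == "hitech": the same, plus TPO disclosures made through an EHR in
    the three years before the request (HITECH section 13405(c)).
    """
    age = requested_on - d.disclosed_on
    if age < timedelta(0) or age > timedelta(days=6 * 365):
        return False
    if d.incidental:
        return False
    if d.category in TPO:
        return rule == "hitech" and d.via_ehr and age <= timedelta(days=3 * 365)
    return True


def render(d):
    """The four elements an AoD must carry, with system codes expanded."""
    return {
        "date": d.disclosed_on.isoformat(),
        "recipient": d.recipient,
        "description": GLOSSARY.get(d.description, d.description),
        "purpose": d.purpose or "NOT RECORDED",
    }


def gaps(d):
    """Flag entries that would not give a patient a meaningful accounting."""
    problems = []
    if not d.purpose:
        problems.append("purpose missing")
    elif d.purpose.strip().lower() in GENERIC_PURPOSES:
        problems.append("purpose too generic")
    if d.description in GLOSSARY:
        problems.append("description is a system code; glossary expansion applied")
    return problems


def accounting(log, requested_on, rule="current"):
    """Return [(rendered entry, list of problems)] for every in-scope disclosure."""
    return [(render(d), gaps(d)) for d in log if in_scope(d, requested_on, rule)]


# Constructed sample log: no real patients, providers or agencies.
SAMPLE_LOG = [
    Disclosure(date(2018, 3, 2), "Hospital B (Care Everywhere)", "CE Clinical Summary",
               "", "treatment", True),
    Disclosure(date(2017, 11, 14), "Health plan X", "claim with diagnosis codes",
               "for payment", "payment", True),
    Disclosure(date(2016, 6, 1), "State health department", "lab result",
               "state reporting requirement", "other", False),
    Disclosure(date(2011, 1, 10), "Research registry", "de-identified summary",
               "public health", "other", True),            # older than six years
    Disclosure(date(2018, 5, 20), "Visitor at front desk", "name",
               "", "other", False, incidental=True),       # "incidental" exception
    Disclosure(date(2018, 4, 9), "Dr. C (phone call)", "medication history",
               "coordination before referral", "treatment", False),  # oral, not via EHR
]
REQUESTED_ON = date(2018, 12, 1)

if __name__ == "__main__":
    for rule in ("current", "hitech"):
        entries = accounting(SAMPLE_LOG, REQUESTED_ON, rule)
        print(f"{rule}: {len(entries)} disclosure(s) in the accounting")
        for rendered, problems in entries:
            print("  ", rendered, problems or "ok")
```

Note that the oral disclosure by phone drops out under both rules, which is the gap discussed later in this post when AoDs are limited to EHR disclosures.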
Centralization, as I mentioned above, would make a huge difference:
f) To what extent do covered entities maintain a single, centralized EHR system versus a decentralized system (e.g., different departments maintain different EHR systems, and an accounting of disclosures for TPO would need to be tracked for each system)? To what extent are covered entities that currently use decentralized systems planning to migrate to centralized systems or vice versa? How is the industry mix of centralized and decentralized systems likely to change over the next five or ten years?
I don’t know the answer to this question, but generally I’ve seen them kept in one part of the EHR. So as with my example above, I asked one hospital and got AoDs from multiple hospitals using the same EHR system. I’ve had this with doctors in centralized systems too. And with HIEs (health information exchanges) and systems like Care Everywhere, even decentralized systems are coming together. Over the next 5-10 years this is likely to become even more centralized, especially with continued policy pressure to pursue interoperability. However, interoperability remains a bit of a pipe dream.
If systems do become interoperable though, that doesn’t mean that accounting of disclosures will be a priority and it doesn’t mean it will be any easier for patients to access AoDs – especially if the info isn’t considered part of the patient record automatically and BAs abound that are not required to make AoDs in a centralized place.
How are AoDs generated? The OCR wants to know:
g) Do existing EHR systems automatically generate an accounting of disclosures under the current Privacy Rule (i.e., does the system account for disclosures other than to carry out TPO)? If so, what would be the additional burden to also account for disclosures to carry out TPO? If not, to what extent do covered entities use a separate system or module to generate an accounting of disclosures, and does the system interface with the EHR system? OCR requests cost estimates, where available.
Some EHRs do automatically generate AoDs. But these automatically generated AoDs are limited. Systems like Epic already account for a lot of the treatment (TPO) AoDs, too.
The OCR thinks EHRs can’t do this though and asks:
33) If an EHR is not currently able to account for disclosures of an EHR to carry out TPO, what would be the burden, in time and financial costs, for covered entities and/or their vendors to implement such a feature?
But considering they already can and do, any burden should be minimal. Granted, EHR vendors vary and some providers, in a race to meet Meaningful Use requirements, got stuck with really shitty systems that do almost nothing.
The biggest cost to ensure EHRs can generate AoDs would be getting doctors to dump current EHRs that can’t offer this feature and invest in meaningful EHR systems. Given the lack of real standards when implementing the policy measures that incentivized adoption of EHRs, this would be difficult. For small offices this could be a problem, but it shouldn’t be an excuse.
Accordingly, the OCR asks:
34) For covered entities already planning to adopt new EHRs, to what extent would a requirement to track TPO disclosures affect the cost of the new system?
Still, I don’t know of many providers planning to adopt new EHRs. Most have adopted an EHR and the investment was too big for them at that time. Most likely can’t afford dumping the one they have and purchasing a new EHR.
EHR vendors could offer the ability to upgrade systems. But vendors have bilked providers for a lot of money already. I can see them bilking them even more for adding this feature. Given that this feature already exists, it probably shouldn’t be that hard or costly to implement elsewhere, but health IT is all about charging a lot of money. Frankly, health IT is not about what it’s doing for patients but about what will make vendors a lot of money.
How aware are patients of AoDs and their right to obtain one? The OCR continues to have no clue.
35) A covered entity’s Notice of Privacy Practices must inform individuals of the right to obtain an accounting of disclosures. Is this notice sufficient to make patients aware of this right? If not, what actions by OCR could effectively raise awareness?
Notice of Privacy Practices (NPPs) will also be discussed in the 4th part of this RFI, but here they ask about it specifically with AoDs. The OCR knows that almost no one reads these privacy practices, thus they should know that patients clearly do not know that they can ask for AoDs.
The OCR asked about raising awareness in the first part of the RFI too. I discussed it here. In that part of my analyses, I wrote:
I wish there were more focus on [the question of public outreach and education]. It’s a short one but it’s incredibly important. We need more public outreach and education. Patients do not know their rights and as a result either can’t get their own information or know who has it.
Raising awareness has to be on both sides, though. It has to be through better materials to educate patients but also better training to providers. I’ve repeatedly said here that providers don’t know what AoDs are. If providers don’t know, how can they help patients understand?
Truly though, I don’t necessarily think that patients should have to know about AoDs. I think AoDs should be part of the patient record. They shouldn’t be separate. They shouldn’t have to wait 60 days for them. They should be presented when a patient requests their information.
But how can anyone convince the OCR to actually include them with the patient record if the OCR doesn’t know why patients would want an AoD?
36) Why do individuals make requests for an accounting of disclosures under the current rule? Why would individuals make requests for an accounting of TPO disclosures made through EHRs?
Why would a patient want an AoD? So many reasons… But patients shouldn’t have to explain. Patients shouldn’t need to justify. It’s the patient’s information and they should know who is getting it and why. Full stop. That said, here are some reasons:
Concern that information is being shared that shouldn’t be.
Wanting to know who is involved in their care.
Wanting to have an active role in their care.
Wanting to follow up on records amendments.
Here’s why I went down the rabbit hole of AoDs: Two doctors shared information about me that they shouldn’t have. It was noted in one chart and not another. It resulted in my care becoming compromised. I shouldn’t have had to track it down like that, but I did. Ultimately, because this was TPO information, the OCR (not having implemented rules they should have) decided there was no violation even though one doctor did not note the disclosure. And as a patient, I was actively harmed by two providers as a result and no one was held accountable.
As I submit records requests, I always ask for an AoD now. I always look to see if there’s something that was shared that might compromise my care. That way I can talk to my doctors about it and be part of my care instead of care going on without me.
The question should be why can everyone else get information about me but me? My information is easily shared with other providers (whether I want it to be or not), but I’m restricted in what I can know or what information I get about my own care. And if the OCR has its way, providers will have even more access to my information (see RFI section 1), as will friends and family (see RFI section 2)…
If we want a system where patients are engaged in their care and care is coordinated, then patients need access to all of their information – including AoDs. Patients shouldn’t need a reason to want their information, but here we are…
What detail is necessary if AoDs are expanded to include TPO disclosures?
37) What data elements should be provided in an accounting of TPO disclosures, and why? How important is it to individuals to know the specific purpose of a disclosure – i.e., would it be sufficient to describe the purpose generally (e.g., for “for treatment,” “for payment,” or “for health care operations purposes”), or is more detail necessary for the accounting to be of value? To what extent are individuals familiar with the range of activities that constitute “health care operations?” On what basis do commenters make this assessment?
Knowing the specific purpose of disclosures is the entire point of AoDs. It’s nice to know that it was shared, but we need to know why. There needs to be a justification for sending the information. It cannot just be shared with no accountability. The date, where it went, and what it was is not enough. The why is the fundamental portion of an AoD that needs to exist and rarely does. General purposes are not enough. “For treatment” is too broad.
In the example above, if a TPO disclosure was made, my doctors could have written “for treatment” when they were talking about sensitive information. But it wasn’t really “for treatment.” Without specifics though, providers can share all sorts of information without any recourse for patients. If providers are sharing information, they need a good, specific reason for it to be shared.
The second part of the question speaks to the first: most don’t know how broadly “health care operations” is defined, and putting things under such broad headings doesn’t allow patients to be meaningfully involved in their own care.
Following up on AoDs is another issue:
38) How frequently do individuals who obtain an accounting of disclosures request additional information not currently required to be included in the accounting (e.g., information about internal uses or about disclosures for TPO)? What additional information do they request, and do covered entities provide the additional information? Why or why not?
I have yet to request an AoD where I didn’t have to follow up – not for additional information, but quite literally just to get a full, compliant AoD. As I shared above, I tried once to follow up and ask why information was sent to a state agency and no one knew. So it’s pretty useless to follow up at this point. Providers are supposed to keep AoDs but they don’t have to do much more than that and it seems few care to.
Systems can already essentially generate a full AoD, but what if some can’t? I think the OCR’s idea goes a bit too far:
39) If covered entities are unable to modify existing systems or processes to generate a full accounting of disclosures for TPO (e.g., because modification would be prohibitively costly), should OCR instead require covered entities to conduct and document a diligent investigation into disclosures of PHI upon receiving an individual’s request for an accounting of disclosures for TPO? If not, are there certain circumstances or allegations that should trigger such an investigation and documentation by a covered entity? How much time should a covered entity be allowed to conduct and provide the results of such an investigation?
Should providers have to provide an AoD even if their system doesn’t record it? Yes. Sharing information needs to be tracked. I get that this may take time and resources, but it really should be done concurrently with any sharing and kept in the patient record. It should not be that much of a burden. And honestly, it’s in their best interest to track this information as well.
Should there be circumstances or allegations to trigger an investigation? No. Tracking AoDs should be automatic. Patients shouldn’t need to give a reason to start an entire investigative process. Already, patients who ask for this information, or even their record, can face discrimination by providers. Let’s not make it harder.
The OCR doubles down on investigations:
40) If OCR requires or permits covered entities to conduct an investigation into TPO disclosures in lieu of providing a standard accounting of such disclosures, what information should the entities be required to report to the individual about the findings of the investigation? For example, should OCR require covered entities to provide individuals with the names of persons who received TPO disclosures and the purpose of the disclosures?
While I don’t like the idea of an investigation, if there has to be one, the same information that is required in current AoDs should be required in any investigation (perhaps more). It is not that hard to include these details. The whole point is the 4 things that are already in law. Limiting it to less would make the idea of AoDs meaningless.
AoDs should not be limited to EHR disclosures either:
41) The HITECH Act section 13405(c) only requires the accounting of disclosures for TPO to include disclosures through an EHR. In its rulemaking, should OCR likewise limit the right to obtain an accounting of disclosures for TPO to PHI maintained in, or disclosed through, an EHR? Why or why not? What are the benefits and drawbacks of including TPO disclosures made through paper records or made by some other means such as orally? Would differential treatment between PHI maintained in other media and PHI maintained electronically in EHRs (where only EHR related accounting of disclosures would be required) disincentivize the adoption of, or the conversion to, EHRs?
If AoDs are limited to EHR disclosures, providers can then easily get around reporting disclosures. As above with my 2 doctors sharing information, it was on a phone call. I knew because one doctor noted it (as they should) and the other didn’t. It is literally just good record keeping to write down when doctors share information about a patient. I’ve gone over this with providers I’ve trained. It may seem like extra work, but it can save you if a lawsuit arises.
Keeping a call log or an email trail is evidence that can be in a provider’s favor – e.g. if a patient says the doctor didn’t relay information they should have, or if the patient says information was shared that wasn’t. Good record keeping is just good business.
Good record keeping also establishes trust. For patients, knowing their health info is private & secure establishes trust. If they have access to this information, they can further be a part of their care & trust that they are at the center of it with their rights respected.
Finally, the OCR asks:
42) Please provide any other information that OCR should consider when developing a proposed rule on accounting for disclosures for TPO.
Here’s the thing: these questions invite feedback that says AoDs in general are too hard, take up too much time, and aren’t useful. They set up the idea that adding disclosures around treatment would be a burden.
The real issues are different. Offices don’t know what AoDs are or how to account for disclosures, so they aren’t currently complying even though they have the capability. And there are too many exceptions (for example, “incidental” disclosure is defined too broadly).
I’ll reiterate, AoDs should be part of the patient record. Especially if the OCR is considering opening up who has access to health information. AoDs should be automatic and as robust as possible.
To recap these first 3 sections of the RFI: taken together, I am scared that the privacy rights of patients are being chipped away. I know few patients will send comments to the OCR, but here’s the big picture:
Part 1 of the RFI talks mostly about expanding access to your records for “care coordination.” This is generally talked about in ways that don’t include the patient and don’t leave the patients at the center of their own care.
Part 2 talks about expanding access to friends and family of sensitive health information including substance use and mental health information. Also ostensibly for care coordination (and to somehow combat the “opioid crisis”).
Part 3 essentially talks about how useful Accounting of Disclosures are.
Part 4 (analysis to come) talks about how useful Notice of Privacy Practices are.
Together, these are ideas about increasing access to your info without your consent and with less notification about it all. You better believe doctors and hospitals will be in here saying HIPAA is too hard and they need not protect your info as diligently – that they should be able to share more and they shouldn’t have to account for it.
And you better believe that insurers and government programs are chomping at the bit to get access to more information in ways that will not benefit patients. Without the patient voice, patients lose the rights HIPAA gave them.
This isn’t an esoteric argument either. We’ve been through it before when the HITECH Act updated HIPAA. I’ve been through it before in legislative fights about access to records for years.
Medical lobbies are strong and they’re not here to assist patients with ensuring their rights to their information. I hope that helping people understand what an Accounting of Disclosure is and the issues here can help combat any attempt to take them away.
To see what an AoD looks like from a hospital system, I’ve put excerpts from one below. Yes, they are very hard to read – this is how it was sent to me. The top line columns read: Requester, Release type, Selected Records, Disclosed Information, Auth Type, Date Released, Address, Phone. (Side note: what’s interesting is that most of the “requesters” never knew they requested any information at all…). Below the AoDs I also put the explanation offered by the system when I asked what “Care Everywhere” is and what documents they were sending.
* See update below
I hope this has been informative in explaining AoDs and the HIPAA rule changes that might be ahead. I’d love to hear stories from patients about how their information has or has not been shared and whether they’ve ever asked for an AoD (and what came of that request). If you have asked for an AoD, what do you think about the questions here?
This ends the third section of the RFI. I’ll be working on posting the threads for the next section on Notice of Privacy Practice Documents soon.
* Update (2/18/19): I finally got a little more clarification on the “Continuity of Care” document contents. Note: It’s a LOT of information, a lot of which some patients may not want shared:
Sections in Continuity of Care Documents
Below are descriptions of the clinical information included in Continuity of Care Documents (CCDs).
The Problems section lists active and resolved problems.
The Administered Medications section displays non-facility-administered medications for the encounter. This information comes from any medications, except facility-administered medications, given to a patient during the encounter.
The Admitting Diagnosis section displays the diagnosis with which a patient was admitted for the encounter.
Allergies and Adverse Reactions
The Adverse Reactions section displays allergies that were noted by the clinician at the source organization. If allergies were not noted, this section displays Not on File. If the physician has reviewed the patient’s allergies and the patient is not allergic to anything, it displays None known, reviewed with patient.
Allergies appear in alphabetical order.
Discharge instructions show the instructions and notes given to a patient by a clinician at the close of the encounter.
The Discharge Summaries section contains a patient’s discharge summary from his most recent encounter.
The Discontinued Medications section shows prescriptions that were discontinued during an encounter.
Encounters from (three months ago) to (today)
The Encounters from [three months ago] to [today] section displays the patient’s encounters from the past three months before the document was requested. Discharge notes associated with a hospital encounter also appear in this section.
The date range of the encounters appears in the header of the section. For example, if you request a CCD on 12/15/2012, the title appears as Encounters from 9/15/12 to 12/15/2012.
The Functional Status section displays a patient’s ability to see, hear, walk, and perform other similar tasks. This section also includes the patient’s cognitive status.
The Immunizations section displays immunizations that have been administered to the patient and the dates they were administered.
The Insurance section displays the patient’s coverage and guarantor information.
Last Filed Vital Signs
The Last Filed Vitals section displays a patient’s vital information. For an outpatient visit, it displays the most recent values for vital readings taken during that visit. For an inpatient visit, it displays up to the three most recent values for that visit.
The Medications section displays medications that the patient is taking, divided into the following categories:
Prescription – current outpatient prescriptions
Hospital, Clinic, or Other Facility Administered Medication – current inpatient medications
Expired/Suspended Prescription – outpatient prescriptions that have ended within 30 days of the request for the patient’s outside record
Ended Hospital, Clinic, or Other Facility Administered Medication – inpatient medications that have ended within 30 days of the request for the patient’s outside record
If a medication is expired or ended, it appears in gray.
Note: Epic sends medications for the last 30 days from when the request was received.
Plan of Care
The Plan of Care section shows a patient’s plan of care, which can include patient instructions, patient goals, and upcoming appointments.
The Procedures section shows any procedures performed during the encounter.
Procedures from (three months ago) to (today)
The Procedures section shows procedures that have been ordered for the patient within the last three months.
The date range of the encounters appears in the header of the section. For example, if you request a CCD on 12/15/2012, the title appears as Procedures from 9/15/12 to 12/15/2012.
The Progress Notes section shows progress notes documented during an encounter.
Reason for Incoming Referral
The Reason for Referral section displays information about why the patient was referred for this encounter.
Reason for Visit/Chief Complaint
The Reason for Visit section displays the reason that the patient sought treatment. Reason for visit is used synonymously with the terms chief complaint and reason for call.
The Results section displays the last three months of the patient’s results, which include lab results, microbiology results, and textual radiology results. Only the most recent result appears for each procedure.
If no tests were resulted for the patient, this section displays Not on File.
The Social History section displays information about tobacco or alcohol use.
The Vital Signs section shows the patient’s vital signs for the encounter. Vital signs can include blood pressure, height, and weight.
The Visit Diagnoses section displays all of the diagnoses for a patient in the encounter. The primary diagnosis is listed first and the word “Primary” appears next to it.