
This document is intended to provide general information to assist in the discussions of the CPS Workgroup. The document may contain general legal information and should not be construed as legal advice to be applied to any factual situation. Neither the CPS Workgroup nor its staff makes any claims, promises, or guarantees about the accuracy, completeness, or adequacy of the information contained in this document.

Introduction:

On September 18, 2007, members of the Model Requirements Executive Team (MRET) (brought together under a contract awarded to RTI International by ONC) presented recommendations to the American Health Information Community (AHIC) on initial requirements for EHRs that seek to increase accuracy and fraud management within the health care system. At the AHIC meeting it was discussed that several AHIC Workgroups would be asked to evaluate MRET recommendations in their areas of expertise. The CPS Workgroup has been asked to evaluate Requirement #8, Auditor Access to Patient Record:

8. The system shall have the capacity to allow authorized entities read-only access to the EHR according to agreed upon uses and only as a part of an identified audit subject to appropriate authentication, authorization, and access control functionality. Such access controls shall also support the applicable release of information protocols, local audit policies, minimum necessary criteria, other contractual arrangements, and laws, and:

8.1 Require “auditor” be a supported class of user.

8.2 Limit access to pertinent functions and views only for patient records covered by the audit.

8.3 Access remains controlled by the facility and the same authentication and audit supports would apply.

8.4 Remote access may be offered if agreed to by the organization subject to the aforementioned protocols and suitable authentication.

8.5 Demonstrate the ability to provide a paper copy of such information in the event access to the EHR is not possible.

Rationale: Detection of a fraudulent claim is often difficult when a payer has access only to EHR information for a single encounter. Reviewing information over an entire episode of care for a single patient allows greater ability to detect fraud. Such access should be subject to appropriate protocols for release of information, local audit policies, minimum necessary criteria, contractual requirements, federal and state laws, and applicable contractual agreements between the provider organization and the payer.
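As an added illustration that is not part of the Workgroup document or the MRET recommendations, the following Python sketch models how a facility might enforce 8.1 through 8.3 in one decision point: a supported "auditor" user class, read-only access, an identified active audit, and access limited to the records that audit covers, with every decision logged by the facility. Audit ids, user names, organization names and patient ids are constructed sample data.

```python
"""Added example: an authorization check modelling Requirement 8.1-8.3.
All identifiers below are constructed; nothing here is a real system."""
from dataclasses import dataclass, field


@dataclass
class Audit:
    audit_id: str
    auditor_org: str
    patient_ids: frozenset          # records covered by the audit (8.2)
    active: bool = True             # access only as part of an identified audit


@dataclass
class User:
    user_id: str
    role: str                       # "auditor" is a supported class of user (8.1)
    org: str
    authenticated: bool = False     # the facility's own authentication applies (8.3)


@dataclass
class Facility:
    audits: dict = field(default_factory=dict)      # audit_id -> Audit
    access_log: list = field(default_factory=list)  # facility audit trail (8.3)

    def authorize(self, user: User, audit_id: str, patient_id: str, action: str):
        """Return (allowed, reason). Every decision, allowed or not, is logged."""
        reason = None
        if not user.authenticated:
            reason = "not authenticated"
        elif user.role != "auditor":
            reason = "user is not in the auditor class"
        elif action != "read":
            reason = "auditor access is read-only"
        else:
            audit = self.audits.get(audit_id)
            if audit is None or not audit.active:
                reason = "no identified active audit"
            elif audit.auditor_org != user.org:
                reason = "audit not assigned to this organization"
            elif patient_id not in audit.patient_ids:
                reason = "record not covered by the audit"
        allowed = reason is None
        self.access_log.append((user.user_id, audit_id, patient_id, action, allowed, reason))
        return allowed, reason


# Constructed sample data: one audit covering two patient records.
HOSPITAL = Facility(audits={"AUD-001": Audit("AUD-001", "Capital Insurance",
                                             frozenset({"P-100", "P-101"}))})
AUDITOR = User("j.doe", "auditor", "Capital Insurance", authenticated=True)
```

A request for a record outside the audit's scope, a write action, or an unauthenticated session is refused and still recorded, which is what lets the facility later show that the minimum-necessary limit was actually applied.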

Scenario Environment:

HIE-DC is a local health information exchange composed of 100 providers (primary care, specialists, dentists, etc.), 10 hospitals, 3 insurers, and 2 labs.

Scenario Description:

The following scenario begins with a triggering event to identify the baseline (i.e., most typical/relevant) HIPAA Privacy Rule components one would need to know in order to perform a comparative analysis of the current and the forthcoming electronic health information exchange environments. Following the baseline section is a “differences section” which attempts to identify what, if any, differences exist in how the HIPAA Privacy Rule operates in an electronic environment compared to the current environment.

Definitions:

  • “Repository” model: electronic health records (EHRs) reside on HIE-DC’s system and are available 24/7.

  • “Non-repository” model: EHRs are not held by HIE-DC but are locatable and available 24/7.

  • Disclosure as defined in Section 160.103 means the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.

Scenario Auditor Access:

Capital Insurance believes that it has been receiving fraudulent claims from Capital Hospital and initiates an investigation.

Privacy Rule Notes (some sections may be paraphrased):

Section 164.506 (c) -- Uses and disclosures to carry out treatment, payment, or health care operations.

  • A covered entity may disclose protected health information to another covered entity or a health care provider for the payment activities of the entity that receives the information.

  • A covered entity may disclose protected health information to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is:

    • For a purpose listed in paragraph (1) or (2) of the definition of health care operations; or

    • For the purpose of health care fraud and abuse detection or compliance.

Section 164.514(d) -- Minimum necessary requirements for uses and disclosures of protected health information.

  • For any type of disclosure that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.

  • For all other disclosures, a covered entity must:

    • Develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought; and

    • Review requests for disclosure on an individual basis in accordance with such criteria.

  • A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when the information is requested by another covered entity.

  • A covered entity must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other covered entities.

Security Rule Notes (some sections may be paraphrased):

Administrative Safeguards

  • Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of the Privacy Rule.

    • Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

    • Access establishment and modification (Addressable). Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

Technical Safeguards

  • Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

  • Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Differences from Baseline Questions:

  • Do these requirements in any way increase the type of access auditors currently receive?

  • Does the fact that this type of audit would be conducted with an EHR rather than paper records make a difference?

  • Is the permitted requirement about remote access a “difference” or is it appropriately addressed already?