Gartner Blog Network


Uh-Oh … Proposed Rule for HIPAA vs. Departmental Systems

by Wes Rishel  |  May 31, 2011  |  1 Comment

A shoe has dropped.

The HITECH act requires separate rules for accounting for disclosure under HIPAA when the disclosures are made from an EHR. The notice of proposed rule making (NPRM) is now on public display. It will appear in the Federal Register this week. The 60 day comment period closes approximately Aug 1. Enforcement will begin 8 months after the issuance of the final rule. The final rule could be issued as early as Sept 2011 but may be delayed substantially longer.

It removes certain exemptions on accounting for disclosure if the disclosure occurred through an EHR.

Definition of EHR

The NPRM quotes the following from the HITECH act:

Section 13400 of the HITECH Act defines an electronic health record (“EHR”) as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.” Under section 13405(c), an individual has a right to receive an accounting of such disclosures made during the three years prior to the request.

One gets the sense that the Office of Civil Rights (OCR), which develops rules for HIPAA, believes that certified EHR technology provides a control-point where all outgoing electronic information from a hospital or practice can be logged for reporting on disclosures. This ideal is rarely true. Most hospitals have a dozen or more departmental systems from specialized vendors that are not routinely certified as modules of an EHR under the HITECH rules. Frequently the specialized systems are highly integrated with special imaging hardware for specific procedures such as endoscopy or spirometry.

In the era of meaningful use and ICD-10 it might be worthwhile to catalog the  vendor products that are likely to require upgrades or special new integration in order to meet the new accounting requirements. Then it would be helpful to provide estimates of the cost and staff expenditures required in comments to the NPRM.

Data is far more persuasive in NPRM comments than opinion.

In commenting, give special attention to the possible enforcement deadline, which could be as early as 1 June 2012.

Category: healthcare-providers  

Tags: arra  ehr  hipaa  

Wes Rishel
VP Distinguished Analyst
12 years at Gartner
45 years IT industry

Wes Rishel is a vice president and distinguished analyst in Gartner's healthcare provider research practice. He covers electronic medical records, interoperability, health information exchanges and the underlying technologies of healthcare IT, including application integration and standards. Read Full Bio


Thoughts on Uh-Oh … Proposed Rule for HIPAA vs. Departmental Systems


  1. Guillermo Diaz says:

    I wonder if somewhere the language could say …an individual has a right to recieve a “good faith” accounting of such disclosures. This would leave room for those to comply by the June 2012 timeline while allowing for subsystems to catch up to the required laws and provide the more robust accounting in due time. One would only report what one could in good faith(within the lmits of thier system) report.



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.