One of the Meaningful use requirements for Security and Privacy is given below
Record disclosures made for treatment, payment, and health care operations in accordance with the standard specified. The date, time, patient identification (name or number), user identification (name or number), and a description of the disclosure must be recorded.
Based on our analysis, we didn’t find any specification mentioned by the government for the above policy
We believe that storing the scanned disclosure forms would solve the above said requirement. Do share your views.
What the government is talking about here is that HIPPA requires medical facilities to keep a log of all disclosures to third parties of health related information. We are supposed to log whenever we sens records to and insurance company, to a hospital or to another medical facility. It is very common for insurance to request copies of progress notes for the insurance company to determine whether a particular office visit is a covered service. This needs to logged with a description of the released information.
A common scenario is the insurance company received a claim for “back sprain.” The use of the word “sprain” implies an injury. Sprains are are commonly related to work related injuries or automobile accidents, neither of which are covered by typical US health insurance companies. The insurance company won’t pay the claim until the claim is reviewed and proven that this is not related to an accidental or work related injury. To determine this the insurance company requests a copy of the office visit. This type of release of information has to be logged. The entity to whom the release is made, the type of medical information released and which user made the release of information.
This is not the consent form. The consent form controls what medical information if any can be released to other third parties. This does need to be recorded as well.
Based on our understanding, we didn’f find any specification defined for storing the disclosures.
Hence, we believe that we can store the scanned copy of the disclosures with the following information whenever the
disclosures are exchanged.
Date, time
Patient identification
User identification
Recipient of the disclosure
Type of medical information released
Description of the disclosure
Scanned copy of the disclosure
We can create a new Document Category called “Disclosures”.
The requirement to record the release of information is in a different statute. The phrase “Record disclosures made for treatment, payment, and health care operations in accordance with the standard specified.” is somewhat non-specific but is spelled out in the HIPPA statute. There is more to the Privacy and Security than just the Meaningful Use requirements. “Privacy and Security” in general referring to pre-existing law before the electronic health record came into existence. This was required by the HIPPA statute since about 1996 was required even for paper medical records. The “Meaningful Use” references to “Privacy and Security” are an interpretation of the earlier law made for paper records.
The requirement to “Record disclosures made for treatment, payment, and health care operations in accordance with the standard specified.” is a log of all disclosures of medical information to third parties. This is a log of what is released, by which employee / user, to which entity, for what reason. This is not a document to be scanned. The information being released in this context are forms and information contained in the database. To generate a printed document to scan back into the system is not the right idea and seriously violates database normalization. The data being released is already contained in the database. Just record the forms being released.
Date, time
Patient identification
User identification
Recipient of the disclosure
Type of medical information released
Description of the disclosure
Scanned copy of the disclosure
forms:id
forms:date
forms:encounter
forms:form_name
forms:form_id
This probably also needs to be generalized for the release of other types of information such as insurance information, patient “notes”.
The reason I wanted to work on having the BPPC is that I would like for patients to be able to consent to this without scanning a privacy form. This way the patients can provide their privacy consent on-line, over the web, or from a kiosk in the lobby.
Thanks for your views here. It certainly helps us to get good understanding about recording disclosures.
One concern we’re having at this point is we aren’t sure whether we can capture all those disclosure information while transferring to third parties.
For ex, We’ve options to create insurance claims (x12 format), but we don’t have an interface that captures when those claims
are transferred to the insurance companies
Please do share your views on recording disclosures. Your inputs will help us a lot to freeze the requirements soon.
One concern we’re having at this point is we aren’t sure whether we can capture all those disclosure information while transferring to third parties. Let us know your stand here.
I know that the law requires the information to be logged when these disclosures occur.
Our current billing system produces a new log entry every time an electronic claim is sent. This log contains:
Date processed:
Type of info: Insurance Claim
Notes: either primary Insurance, Secondary, Tertiary or hard copy
User ID: username or id number
Claim amount:
A lot of our releases of protected health information are logged manually in the “pnotes”. Typical examples:
Release by telephone to a relative listed as OK to receive the information (such as a spouse).
Copies of notes. we type in who we are releasing the information in and why.
Releases of information to attorneys, other medical offices, hospitals.
Digital copies of X-rays on CD-ROM.
Since all the disclosure information can be logged thorugh “pnotes”, we believe that this MUO requirement is already satisfied in OpenEMR. Do share your views here.
I don’t think relying manual actions to log the release of information and or documents is good enough. The pnotes/messages could be used as the place to put the log information in a category for that purpose but as much if it as can be automatically logged should be. The other option is to enhance the audit logs formats to include this data. I would automate what is possible and allow an patient/note message for ‘released’ info also write to the audit logs.
A new table for information release logs would work as well. Both automation and manual entry should be allowed. A nice popup from the patient demographic screen would be a good.
We can certainly use new audit log format to store these disclosures. But we are having difficulty in identifying the disclosures which can be recorded automatically. In openemr, even for electronic claims, we don’t have options to identify when exactly the electronic claims are sent since we don’t have an “Send” button. Do let us know if our understanding is correct here.
The other items what Sam mentioned in the form of pnotes are for manual entry only.
I have to merge recording disclosure in my application but I was wondering that the number of recorded disclosure to be displayed has been fixed to limit 15 .Is their any specific reason limit has been fixed to 15.
Having considered the limits in ‘notes’ section, recording disclosures is limited to 15. If needed, with a minor code tweak, the number of items to display can be customized.