The Medical Group Management Association didn't mince words in criticizing a new, expanded legal requirement to track and report the disclosure of patient information under the privacy provisions of the American Recovery and Reinvestment Act of 2009.
MGMA lashes out at patient-disclosure provision
But data from a survey of hundreds of MGMA members with electronic health-records systems indicate most of those systems can't produce reports on disclosures in compliance with the existing federal privacy rules, much less the new, more-stringent privacy provisions that could go into effect next year.
In a 22-page letter sent May 18 from MGMA President and CEO William Jessee to Georgina Verdugo, director of the Office for Civil Rights at HHS, Jessee called the new requirement “onerous” and said it will be “extremely difficult to achieve without an enormous outlay of resources” that would be better expended on patient care.
The letter was in response to a formal request for public recommendations on the new law. The civil rights office had the request published May 3 in the Federal Register. The office enforces the privacy and security provisions of the Health Insurance Portability and Accountability Act, which were amended by the stimulus law.
The HIPAA privacy rule took effect in 2003. Under its provisions, patients have had the right to request an accounting of certain disclosures of their protected healthcare going back six years. According to Jesse, who cited the MGMA survey, “very few” patients exercise this right.
The 2003 HIPAA regulations exempted from the reporting requirement disclosures for treatment, payment or other healthcare operations, primarily because they occur in such great numbers that “tracking them would be unduly burdensome.”
The stimulus law, however, adds a patient right to demand an accounting of disclosures even for treatment, payment and other healthcare operations if a physician uses an EHR system. The look-back period on these disclosures was shortened to three years.
According to Jessee, implicit in that requirement is the notion that a physician stores all disclosed data in an EHR, and, he said, “This is simply not the case.”
Many physicians store their administrative claims data in a practice-management system, not an EHR, he argued. Thus, satisfying a patient's request for an accounting of disclosures for treatment, payment and other healthcare information would require “a substantial amount of manual collection from multiple data sources.”
Forcing physicians to account for disclosures to health insurance companies could lead physicians to drop the common office courtesy of filing the claim on the patient's behalf and could lead to “an increased number of patients (being) asked to pay in full at the time of treatment and submit claims on their own to their health plan.”
The bottom line, according to Jessee, is that the requirement “may be such a significant impediment for physician practices” as to deter the adoption of EHR technology.
To address the issues raised by the new disclosure requirement, the MGMA conducted a survey of member medical groups that use EHR systems. A total of 369 medical groups, representing more than 7,000 physicians, participated, according to the MGMA.
According to Jessee's letter, 69% of practices reported that they had received no requests from patients for an accounting of disclosures of their health information in the past 12 months. Slightly more than one-fifth (22%) reported having received between one and 10 such accounting requests.
Only 26% of respondents said their EHR was capable of producing a report on disclosures as required under the existing HIPAA rule, even when disclosures for treatment, payment and other healthcare operations, or TPO, are excluded. Just 14% of respondents indicated their systems were capable of tracking disclosures that included TPO; 45% responded that their systems couldn't do it; and 41% didn't know whether their systems could produce the reports.
According to the stimulus law, the new requirement to track and report disclosures for TPO will take effect Jan. 1, 2011, for those practices that have an EHR purchased after Jan. 1, 2009. The government can extend the compliance deadline to no later than 2013.
Fifty-five percent of those surveyed said meeting the heightened requirement to track and report disclosures for TPO would be “extremely burdensome” on their practices.
Send us a letter
Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.