The recent unveiling of the final HIPAA omnibus rule has CIOs scratching their heads, according to the February healthsystemCIO.com Snap Survey, which found that just 17 percent have a “solid understanding” of the rule. The majority of CIOs (71 percent) comprehend the requirements “somewhat,” with a number of respondents noting that they haven’t had time to familiarize themselves with the rule.
Enabling patients who pay for treatments out of pocket to control who sees that information could place an even greater burden on clinicians, which can lead to increased use of workarounds and a higher risk of error, CIOs fear. “If a patient pays for a procedure and decides not to share the information related to that procedure,” asked one CIO, “what are the clinical implications for others who treat this person in the future and don’t know this information?”
The survey also found that half of CIOs believe patients should have input on whether their information is shared — but only in certain situations. A few respondents voiced concerns about the technical issues involved in sharing only part of a record, as well as liability issues that could surface. “I have serious concerns about the logistics of being able to track who is doing what related to those releases,” stated one respondent.
In terms of how the new rule will impact overall strategy, 58 percent of CIOs said they plan to reallocate resources and reprioritize projects. “We seem to be in a constant state of prioritization when it comes to all these changes,” noted one CIO.
(SnapSurveys are answered by the healthsystemCIO.com CIO Advisory Panel.)
1. How would you characterize your understanding of the final HIPAA omnibus rule?
I have a solid understanding of it
I understand it somewhat
- Our legal department and security firm along with our CISO are putting together an education session for our organization.
- I have not had enough time to become really familiar with it.
- I haven’t read the 138-page, three-column version yet. Aware of the hot button issues, plan to get smarter on it in the coming month. Goes into effect end of March.
I don’t understand it
- I haven’t seen the final rules around these changes.
2. Do you believe patients should be entitled to control the sharing of their records?
- I have serious concerns about the logistics of being able to track who is doing what related to those releases.
- There is a difference between the whole record and parts of the record. There are technical issues with controlling parts of the record, so that may not be feasible until the vendors catch up.
- Yes, but current EHR products do not support the granularity to administer patient control.
Yes, but only in certain situations
- Reasonable tests ought to be applied, and defined.
- We, as a society, need to get real about this. Talk to your friends and family. If they are anything like mine, once they know how the information will be shared, they are most willing to have it shared. We (our state and national ‘leaders’) are allowing the vocal majority of privacy radicals to set the discussion tone. If we (the great US of A) want to drive waste out of healthcare, it starts with the sharing of healthcare data. Will accept a VERY few set of minor exceptions (HIV as one example).
- I believe physicians treating a patient have the right to have the patient’s complete medical history, regardless of patient content. I do not agree that insurance companies have a right to any information that the patient paid for out of pocket.
3. What is your biggest concern in terms of ensuring compliance with the rule?
Added burden on providers
Increased risk for error
Use of workarounds
All of the above
- If a patient pays for a procedure and decides not to share the information related to that procedure, what are the clinical implications for others who treat this person in the future and don’t know this information?
- Based on the total number of breaches to date, healthcare in general is not in compliance with previous rules. My guess is that most organizations will be in non-compliance when this rule takes effect.
- The tools to make it easy on the providers may not be there — without the tools to make this happen at a “push of the button,” all of the issues you call out will be incurred.
- Technical challenges.
4. Do you plan to use consultants to ensure your organization is prepared to comply with the rule?
- Attorneys yes, consultants no.
- We already have a security firm under contract based on previous rules. This will just be added to the mix.
Not sure yet
- Probably not.
5. In what ways will the new rule impact your overall strategy?
We’ll reallocate resources
We’ll reprioritize projects
- Not entirely sure at this point. Most likely it will be both a need to reallocate or allocate resources. We seem to be in a constant state of prioritization when it comes to all these changes.
None of the above
- Just have to figure out how to get this done while addressing all other existing priorities. Do more with less.
- Compared to previous rules, this one should not require reprioritization or reallocation of resources; that is, unless you are still catching up on compliance with previous rules.
- Not certain yet.
- We need time to fully assess implications but expect to fit the work into our schedule.