The following issue was submitted to the WEDI SNIP Issues Database and assigned to the Business Issues sub-Work Group for resolution. Please review the proposed response and submit comments to the Business Issues Listserv. If there are outstanding questions about the proposed response, we will discuss them during the 10/29 Business Issues Conference Call. Otherwise, we will forward this to the Transaction Workgroup to be approved for posting.
#160: Tracking utilization <http://snip.wedi.org/tracking/displaydata.cfm?ReferenceTrackingNumber=160>

ISSUE: Two questions about tracking utilization / viewing of patient information:

1. Data must be stored for up to 6 years, but do the requirements state that it has to be easily retrievable during the same 6 year period? Can the information be stored on disk . . . some place other than the customer's server? The amount of information saved - transaction and tracking info - over a 6 year period will be difficult for many of our customers to store if it must be available at their fingertips.

2. Some of our patient information summaries are provided in a list (e.g., SSN + name only). If you pull up the name "Jones", all of the Joneses and their SSNs will appear. It is clear to us that we need to provide capabilities to our customers that track and record who accessed the detail and when, but do we also need to track the access to the summary list because it contains PHI too?

Thanks for your comments.

RESPONSE: From Leah Hole-Curry, JD, FOX Systems, Inc.

1. Privacy does not require that PHI be stored for six years. Privacy requires under 164.530(j) that evidence of compliance with the rule (such as policies and procedures, written communications, or actions required to be documented in writing) be retained for six years. Thus, a privacy policy, the written disposition of a complaint, and an accounting of disclosures provided to an individual are all examples of documentation that must be retained for six years. This requirement is so that HHS can conduct a compliance review, so this documentation must be retrievable, but does not necessarily have to be "at the fingertips" of an entity. Disclosures subject to accounting under 164.528 must be tracked, and information necessary to respond to an accounting request must be retained for six years.

Note this accounting relates only to disclosures, not (internal) uses, and that disclosures related to treatment, payment, and health care operations as well as a few others are not subject to tracking. Thus the amount of information needed to be stored for accounting for disclosures should be relatively small. When an individual requests an accounting, the covered entity has a maximum of 60 days to respond.

For PHI generally, state law and/or federal law determines the retention period of health information maintained by health plans and providers. Many entities retain for at least the statute of limitations period applicable to their activity, which ranges from one to ten years. A common retention period would be six to ten years. Where and how much is stored would be a matter of state/other federal law or the company's business practices.

2. If the name and SS# (PHI) are disclosed for purposes other than the exceptions listed in 164.528, then it must be recorded along with the other requirements for the accounting. Again though, this appears to be either a use, or a disclosure for routine treatment, payment, or operations reasons, and thus would not need to be accounted for.

Finally, the proposed security regulations do require audit mechanisms (mechanisms to record and examine system activity) and internal audits or reviews of the records of system activity (such as logins, file accesses, and security incidents). However, there is no specific guidance on whether a sampling or every login or access, etc., is required to be recorded and examined. Further, there are no current requirements for how long the audit log or the audit review need to be kept, or what needs to be kept from either the log or review (e.g., only sensitive data, all data, suspected or known violations or all activity, etc.). Thus company risk attitudes and security best practices would need to be consulted to determine what, how much, and for how long the audit logs and audit reviews should be held.

**********************************************************************

To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=Business and enter your email address.

The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
