HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act; Request for Information, 23214-23216 [2010-10054]



[Federal Register Volume 75, Number 84 (Monday, May 3, 2010)]
[Proposed Rules]
[Pages 23214-23216]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-10054]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0991-AB62


HIPAA Privacy Rule Accounting of Disclosures Under the Health 
Information Technology for Economic and Clinical Health Act; Request 
for Information

AGENCY: Office for Civil Rights, Department of Health and Human 
Services.

ACTION: Request for information.

-----------------------------------------------------------------------

SUMMARY: Section 13405(c) of the Health Information Technology for 
Economic and Clinical Health (HITECH) Act expands an individual's right 
under the Health Insurance Portability and Accountability Act of 1996 
(HIPAA) Privacy Rule to receive an accounting of disclosures of 
protected health information made by HIPAA covered entities and their 
business associates. In particular, section 13405(c) of the HITECH Act 
requires the Department of Health and Human Services (``Department'' or 
``HHS'') to revise the HIPAA Privacy Rule to require covered entities 
to account for disclosures of protected health information to carry out 
treatment, payment, and health care operations if such disclosures are 
through an electronic health record. This document is a request for 
information (RFI) to help us better understand the interests of 
individuals with respect to learning of such disclosures, the 
administrative burden on covered entities and business associates of 
accounting for such disclosures, and other information that may inform 
the Department's rulemaking in this area.

DATES: Submit comments on or before May 18, 2010.

ADDRESSES: Written comments may be submitted through any of the methods 
specified below. Please do not submit duplicate comments.
    • Federal eRulemaking Portal: You may submit electronic 
comments at https://www.regulations.gov. Follow the instructions for 
submitting electronic comments. Attachments should be in Microsoft 
Word, WordPerfect, or Excel; however, we prefer Microsoft Word.
    • Regular, Express, or Overnight Mail: You may mail written 
comments (one original and two copies) to the following address only: 
U.S. Department of Health and Human Services, Office for Civil Rights, 
Attention: HITECH Accounting of Disclosures, Hubert H. Humphrey 
Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 
20201.
    • Hand Delivery or Courier: If you prefer, you may deliver 
(by hand or courier) your written comments (one original and two 
copies) to the following address only: Office for Civil Rights, 
Attention: HITECH Accounting of Disclosures, Hubert H. Humphrey 
Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 
20201. (Because access to the interior of the Hubert H. Humphrey 
Building is not readily available to persons without Federal government 
identification, commenters are encouraged to leave their comments 
in the mail drop slots located in the main lobby of the building.)
    Inspection of Public Comments: All comments received before the 
close of the comment period will be available for public inspection, 
including any personally identifiable or confidential business 
information that is included in a comment. We will post all comments 
received before the close of the comment period at 
https://www.regulations.gov. Because comments will be made public, they 
should not include any sensitive personal information, such as a person's 
social security number; date of birth; driver's license number, state 
identification number or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. Comments also 
should not include any sensitive health information, such as medical 
records or other individually identifiable health information, or any 
non-public corporate or trade association information, such as trade 
secrets or other proprietary information.

FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202-205-2292.

SUPPLEMENTARY INFORMATION:

I. Background

    Covered entities under the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA), Title II, Subtitle F--
Administrative Simplification, Public Law 104-191, 110 Stat. 2021, are 
currently required by the HIPAA Privacy Rule at 45 CFR 164.528 to make 
available to an individual upon request an accounting of certain 
disclosures of the individual's protected health information over the 
past six years. For each disclosure, the accounting must include: (1) 
The date of the disclosure; (2) the name (and address, if known) of the 
entity or person who received the protected health information; (3) a 
brief description of the information disclosed; and (4) a brief 
statement of the purpose of the disclosure (or a copy of the written 
request for the disclosure). For multiple disclosures to the same 
person for the same purpose, the accounting is only required to 
include: (1) For the first disclosure, a full accounting, with the 
elements described above; (2) the frequency, periodicity, or number of 
disclosures made during the accounting period; and (3) the date of the 
last such disclosure made during the accounting period. Section 
164.528(a)(1)(i) of the Privacy Rule currently exempts disclosures to 
carry out treatment, payment, and health care operations from these 
accounting requirements.\1\
---------------------------------------------------------------------------

    \1\ The core health care activities of ``Treatment,'' 
``Payment,'' and ``Health Care Operations'' are defined in the 
Privacy Rule at 45 CFR 164.501.
---------------------------------------------------------------------------

    Section 13405(c) of the Health Information Technology for Economic 
and Clinical Health (HITECH) Act, Public Law 111-5, 123 Stat. 265-66, 
provides that the exemption at Sec.  164.528(a)(1)(i) of the Privacy 
Rule for disclosures to carry out treatment, payment, and health care 
operations no longer applies to disclosures ``through an electronic 
health record.'' Under section 13405(c), an individual has a right to 
receive an accounting of such disclosures that covers disclosures made 
during the three years prior to the request. Section 13400 of the 
statute defines ``electronic health record'' as ``an electronic record 
of health-related information on an individual that is created, 
gathered, managed, and consulted by authorized health care clinicians 
and staff.'' We take the opportunity in this RFI to request public 
comment to inform our regulations under the HITECH Act, which requires 
that we take into account both the interests of individuals in learning 
the circumstances under which their protected health information is 
being disclosed and the administrative burden of accounting for 
disclosures for treatment, payment, and health care operations through 
an electronic health record.
    We request comments specifically on the questions below. The 
Department welcomes comments from all stakeholders on these issues, but 
in addition to hearing from covered entities, is particularly 
interested in hearing from individuals, consumer advocates and groups, 
and, regarding technical capabilities, from vendors of electronic 
health record systems.

II. Questions

    1. What are the benefits to the individual of an accounting of 
disclosures, particularly of disclosures made for treatment, payment, 
and health care operations purposes?
    2. Are individuals aware of their current right to receive an 
accounting of disclosures? On what do you base this assessment?
    3. If you are a covered entity, how do you make clear to 
individuals their right to receive an accounting of disclosures? How 
many requests for an accounting have you received from individuals?
    4. For individuals that have received an accounting of disclosures, 
did the accounting provide the individual with the information he or 
she was seeking? Are you aware of how individuals use this information 
once obtained?
    5. With respect to treatment, payment, and health care operations 
disclosures, 45 CFR 170.210(e) currently provides the standard that an 
electronic health record system record the date, time, patient 
identification, user identification, and a description of the 
disclosure. In response to its interim final rule, the Office of the 
National Coordinator for Health Information Technology received 
comments on this standard and the corresponding certification criterion 
suggesting that the standard also include to whom a disclosure was made 
(i.e., recipient) and the reason or purpose for the disclosure. Should 
an accounting for treatment, payment, and health care operations 
disclosures include these or other elements and, if so, why? How 
important is it to individuals to know the specific purpose of a 
disclosure--i.e., would it be sufficient to describe the purpose 
generally (e.g., ``for treatment,'' ``for payment,'' or ``for 
health care operations purposes''), or is more detail necessary for the 
accounting to be of value? To what extent are individuals familiar with 
the different activities that may constitute ``health care 
operations?'' On what do you base this assessment?
    6. For existing electronic health record systems:
    (a) Is the system able to distinguish between ``uses'' and 
``disclosures'' as those terms are defined under the HIPAA Privacy 
Rule? Note that the term ``disclosure'' includes the sharing of 
information between a hospital and physicians who are on the hospital's 
medical staff but who are not members of its workforce.
    (b) If the system is limited to only recording access to 
information without regard to whether it is a use or disclosure, such 
as certain audit logs, what information is recorded? How long is such 
information retained? What would be the burden to retain the 
information for three years?
    (c) If the system is able to distinguish between uses and 
disclosures of information, what data elements are automatically 
collected by the system for disclosures (i.e., collected without 
requiring any additional manual input by the person making the 
disclosure)? What information, if any, is manually entered by the 
person making the disclosure?
    (d) If the system is able to distinguish between uses and 
disclosures of information, does it record a description of disclosures 
in a standardized manner (for example, does the system offer or require 
a user to select from a limited list of types of disclosures)? If yes, 
is such a feature being utilized and what are its benefits and drawbacks?
    (e) Is there a single, centralized electronic health record system? 
Or is it a decentralized system (e.g., different departments maintain 
different electronic health record systems and an accounting of 
disclosures for treatment, payment, and health care operations would 
need to be tracked for each system)?
    (f) Does the system automatically generate an accounting for 
disclosures under the current HIPAA Privacy Rule (i.e., does the system 
account for disclosures other than to carry out treatment, payment, and 
health care operations)?
    i. If yes, what would be the additional burden to also account for 
disclosures to carry out treatment, payment, and health care 
operations? Would there be additional hardware requirements (e.g., to 
store such accounting information)? Would such an accounting feature 
impact system performance?
    ii. If not, is there a different automated system for accounting 
for disclosures, and does it interface with the electronic health 
record system?
    7. The HITECH Act provides that a covered entity that has acquired 
an electronic health record after January 1, 2009 must comply with the 
new accounting requirement beginning January 1, 2011 (or anytime after 
that date when it acquires an electronic health record), unless we 
extend this compliance deadline to no later than 2013. Will covered 
entities be able to begin accounting for disclosures through an 
electronic health record to carry out treatment, payment, and health 
care operations by January 1, 2011? If not, how much time would it take 
vendors of electronic health record systems to design and implement 
such a feature? Once such a feature is available, how much time would 
it take for a covered entity to install an updated electronic health 
record system with this feature?
    8. What is the feasibility of an electronic health record module 
that is exclusively dedicated to accounting for disclosures (both 
disclosures that must be tracked for the purpose of accounting under 
the current HIPAA Privacy Rule and disclosures to carry out treatment, 
payment, and health care operations)? Would such a module work with 
covered entities that maintain decentralized electronic health record 
systems?
    9. Is there any other information that would be helpful to the 
Department regarding accounting for disclosures through an electronic 
health record to carry out treatment, payment, and health care 
operations?

    Dated: April 26, 2010.
Georgina Verdugo,
Director, Office for Civil Rights.
[FR Doc. 2010-10054 Filed 4-30-10; 8:45 am]
BILLING CODE 4153-01-P