The Chicago-based organization has submitted a comment letter to the Department of Health and Human Services' Office for Civil Rights on a proposed rule published July 14. The rule, mandated under the HITECH Act, would make changes to the HIPAA privacy, security and enforcement rules.
Existing HIPAA rules permit a health plan to define what it believes is the minimum necessary amount of information it needs, which often conflicts with a provider's belief, according to the comment letter. Providers, AHIMA notes, often cannot get paid unless they provide the information the health plan requests.
"Members also note that there is a pending CMS final rule on HIPAA 'Attachment' standards which, if it follows the current CMS NPRM approach, would violate minimum necessary since one of the alternatives opens provider electronic records to direct access by health plans for payment purposes," according to AHIMA's comments. As the Office for Civil Rights considers the issue of minimum necessary, "it should include a prohibition on health plan access to an individual's PHI under guardianship of a healthcare provider," the association contends.
AHIMA also suggests a requirement for minimum necessary access in information systems should be considered under a future stage of meaningful use of electronic health records criteria.
To access the 18-page comment letter, which addresses a multitude of issues, click here.
--Joseph Goedert
Be the first to comment on this post using the section below.