Accounting of Disclosures: A Fresh Look

Discussions Resume on Long-Delayed HITECH-Mandated Rule
Accounting of Disclosures: A Fresh Look

Now that the long-awaited HIPAA Omnibus Rule has been released and will soon move into the enforcement phase, federal regulators are shifting attention on another overdue rule on the accounting of records disclosures.

See Also: The Guide to Consumer vs. Employee Privacy Rights

Federal advisers are planning an all-day virtual meeting on Sept. 6 to hear healthcare industry stakeholders' suggestions and feedback about the Department of Health and Human Services' Office for Civil Rights' controversial proposal that would change the HIPAA privacy rule's guidelines for accounting of disclosures (see: EHR Access Report Objections Pour In).

Back in May 2011, OCR issued a notice of proposed rulemaking soliciting comments on its preliminary concepts for a rule on accounting of disclosures. It received more than 400 comments, many of them critical of one proposal to provide patients with the right to request an "access report" with a complete list of everyone who has electronically viewed their information. The report would have to contain date and time of access, description of information accessed, and user action, such as creation, modification, or deletion of information.

Some patients and consumer advocates were supportive of the proposals in public comments. Dozens of healthcare organizations and health industry groups, however, expressed concerns that the record access report provision is impractical.

A common theme among groups opposed to the proposal was skepticism about the value that detailed access reports would provide patients, especially in light of the technical and other burdens it would create for healthcare organizations.

"We believe that HHS should significantly alter its approach to ensure that any final regulatory requirements appropriately fulfill the needs of patients who seek to understand how their PHI [protected health information] is disclosed, while simultaneously ensuring that covered entities are technically capable of providing such information without incurring unreasonable burdens to do so," wrote the American Hospital Association in its public comments.

Adam Greene, a privacy attorney at Davis Wright Tremaine, says OCR's renewed focus on the accounting of disclosures rule is a positive step. "I take this virtual hearing as a sign that they are very much open to ideas as to how to address their statutory mandate, and that they are receptive to the concerns expressed by the industry regarding their proposed access report," he says. "I imagine that OCR is struggling with a Congressional directive to expand a patient right that is already highly burdensome and rarely utilized. I think that all options remain on the table regarding how to best address the requirements of the HITECH Act, and the needs of patients, at a reasonable cost."

Taking a Closer Look

After many months of delay, OCR asked the HIT Policy Committee's Privacy and Security Tiger Team to host the hearing.

The hearing is meant "to explore realistic ways to provide patients with greater transparency about the uses and disclosures of their digital, identifiable health information," says Deven McGraw, tiger team chair.

"Such exploration should also help facilitate implementation of the HITECH Act requirement that a patient's right under the HIPAA Privacy Rule to an 'accounting' of disclosures include disclosures for 'treatment, payment and operations' when such disclosures are made through an electronic health record," noted material distributed for the tiger team's Aug. 8 meeting.

Tiger team member Leslie Francis noted during the meeting that OCR has also asked the National Commission on Vital Health Statistics to consider hosting a hearing. But Francis, who is co-chair of NCVHS' privacy committee, suggested that the tiger team and NCVHS privacy committee partner on one hearing. McGraw says the tiger team will consider how the two groups can combine their efforts.

"We are currently in the process of additional fact finding following the public comment received on the NPRM issued on the accounting provisions," an OCR spokeswoman said when asked about the status of the long-delayed rulemaking that was mandated under the HITECH Act.

According to a chart on the federal government's website, the next phase of OCR's rulemaking process - after completing evaluation of public comments to its proposed rule for accounting of disclosures - is to prepare an interim final rule or a final rule.

Fact-Finding Mission

Among the topics that various tiger team members suggested be examined during the hearing are what constitutes "access" and what kinds of access are capable of being captured by electronic health record technologies.

Tentative plans for the hearing call for a panel format, divided into functional groups. The team is working on a list of possible stakeholders to invite to testify from several areas of the health sector. That includes IT vendors, health information professional associations, large and small healthcare provider organizations, payers and patient advocacy groups.

The accounting of disclosures presents "a challenging mix of policy and technology issues," McGraw says.

Hearing Goals

McGraw says the hearing will help provide regulators with a greater understanding of:

  • What patients would like to know about uses and disclosures of their electronic PHI;
  • The capabilities of currently available, affordable technology that could be leveraged to provide patients with greater transparency related to access/disclosure of PHI;
  • How record access transparency technologies are currently being deployed by health care providers, health plans, and their business associates, such as health information exchange organizations;
  • Other issues raised as part of the initial proposed rule to implement HITECH changes.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.