Concerns Voiced About Disclosure RuleDebating the Access Report Proposal
At an online hearing Sept. 30, federal advisers heard concerns from healthcare providers, electronic health records system vendors and others about the cost and impracticality of a proposal to require giving patients an access report listing all caregivers who had viewed their medical records. But a privacy advocate argued the access report proposal didn't go far enough to protect patients' rights.
The hearing was held as federal regulators re-evaluate how to best implement a HITECH Act mandate to update requirements for an accounting of disclosures of health information.
For Utah-based Intermountain Healthcare, which treats 6 million patients annually at 22 hospitals and more than 180 other facilities, complying with the proposed access report requirement would cost $100 million, Jutta Williams, chief privacy officer, testified at the hearing. "That's ... about the same cost of building a rural hospital," she said.
Plenty of Complaints
In May 2011, the Department of Health and Human Services' Office for Civil Rights issued a notice of proposed rulemaking for accounting of disclosures, which generated hundreds of complaints from healthcare providers and others that the access report provision would prove to be technically unfeasible, complex and expensive to implement (see: EHR Access Report Objections Pour In).
As proposed, the access report would need to contain date and time of access, name of the person or entity accessing protected health information, and a description of information and user action, such as whether information was created, modified or deleted. The proposal would also provide patients with the right for an accounting of disclosures of electronic PHI made up to three years prior to the request.
That access report would include electronic health record disclosures for treatment, operations and payment, which are categories of disclosures exempt from the current accounting of disclosures rule. Under current regulations, covered entities need to account for certain disclosures of records to third parties for certain purposes, such as for litigation, court actions and public health.
In light of all the comments on the notice of proposed rulemaking, The HIT Policy Committee's Privacy and Security Tiger Team, which advises the Office of the National Coordinator for Health IT, held the hearing to explore ways to provide patients with greater transparency about the uses and disclosures of their digital, identifiable health information, Deven McGraw, who chairs the team, explained. McGraw is director of the Health Privacy Project of the Center for Democracy & Technology, an advocacy group.
The next step in the process will be for Tiger Team members to discuss the hearing testimony, as well as feedback on a blog posting about the hearing, at its next meeting, tentatively slated for Oct. 9.
"We hope to make recommendations to the Health IT Policy Committee ... by its November meeting," McGraw told Information Security Media Group. Eventually, HHS will determine what steps to take next, such as moving forward with the current proposal, modifying it or crafting a new one.
McGraw noted, however, that the partial government shutdown could prevent the Tiger Team from meeting Oct. 9 and could affect the overall timeline as well (see: Two HHS Units Hit Hard by Shutdown).
In arguing against expanding the accounting of disclosures requirements to include a broad access report, some healthcare providers testified that since the narrower accounting of disclosure requirement under the HIPAA Privacy Rule for paper-based and electronic records first went into effect in 2003, they've received very few requests from patients for that information.
Williams of Intermountain said that over the last 10 years, the large integrated delivery system has received about one request per year. And usually those requests have been from patients "who know who and when the inappropriate access occurred," she noted.
In written testimony, Scott Morgan, executive director and national privacy and security officer at the Kaiser Permanente Medical Care Program, said: "Considering how rarely individuals ask for reports and how few instances of inappropriate access or disclosure are discovered, the added benefits to consumers seem small compared to the added cost to automate both treatment, operations and payment disclosure accounting and access reports. The administrative burden would far exceed the actual demand and ultimately would divert valuable, scarce resources that could be devoted to improving patient care."
Morgan added: "While it may be possible over time to build the technological capability to track all disclosures ... and to provide access reports, we question whether that effort would balance the benefits to consumers and the burdens to covered entities."
But Dixie Baker, a security consultant who's a member of the tiger team and other federal advisory groups, commented that one reason why so few patients have requested an accounting of disclosures so far is "until now, consumers really weren't aware they could get an accounting of disclosures and potentially a report of who accesses their records."
Among the others who testified about challenges of the accounting of disclosure and access report proposal were vendors of EHR software and security technology products.
Kurt Long, CEO of Fairwarning, which sells privacy monitoring products, testified that the access report proposal as written "is not feasible today." When his company deploys its monitoring products, some healthcare providers have dozens to more than 100 applications that store protected health information, including data related to treatment, operations and billing, which makes compiling an access report challenging. To make an access report more feasible, he said, "we'd like to see more affordable access logs in a common format."
Eric Cooper, health information and identity management product lead at EHR vendor Epic Systems Corp., said in his written testimony that both access reports and patient disclosure logs can be generated on demand using the company's EHR. "Organizations tell us they seldom or never need to generate these types of reports to present to a patient. They typically use the access log reports to perform necessary audits. ..."
Cooper summarized Epic's concerns: "We want to make sure that the access report requirements do not require covered entities to invest unreasonable technology resources to capture and store additional access log data for all patients, when that data likely provides little value for a very small number of patients who request it."
Patient Advocate Concerns
A privacy advocate, however, testified that the proposed access reports don't go far enough.
"Unless accounting of disclosures are automated and include all the detailed information about all treatment, payment and operations uses and disclosures, individuals literally have no way to know to whom their PHI goes, or what was disclosed or used," Deborah Peel, M.D., founder of the advocacy group Patient Privacy Rights, said in written testimony. "We can't check our own PHI or get independent agents or decision support unless we can obtain robust accounting of disclosures, including the copies of the PHI used or disclosed."