Regulators to Tackle Privacy Issues
To-Do List Includes Accounting of Disclosures Rule
That includes a long-delayed accounting of disclosures rule; a change to the HIPAA Privacy Rule that will allow patients to directly access test result data from many labs; and guidelines for the third phase of the HITECH Act electronic health record incentive program. Plus, federal authorities will continue taking steps to help ensure that new state health insurance exchanges, which open Oct. 1, adequately protect consumer data.
A proposed accounting of disclosures rule, which was mandated by the HITECH Act, has been stalled since it was proposed back in May 2011.
Many of the more than 400 public comments received about the proposal were critical of a provision to provide patients with the right to request an "access report" with a complete list of everyone who has electronically viewed their health information. That provision could be overly burdensome to healthcare entities, critics say, because many electronic health record systems don't have the technical capability to easily produce the detailed and complex access reports proposed.
The Privacy and Security Tiger Team, a government advisory group, will host a virtual hearing Sept. 30 to discuss the proposed rule (see: Accounting of Disclosures: A Fresh Look).
After the hearing, the team will make recommendations to the Department of Health and Human Services regarding potential changes in the rule, says Deven McGraw, who chairs the team. After those recommendations are made, HHS could issue a new or revised proposed rule, says McGraw, who is also director of the health privacy project at the Center for Democracy & Technology, a consumer advocacy group.
Lab Data Access
Another privacy topic expected to resurface is a proposal HHS made in 2011 that would give patients the right to access their clinical lab test results directly from many labs, instead of through healthcare providers. With the exception of a few states, current laws prohibit most labs from directly releasing test result data to patients.
While the HHS Office for Civil Rights issued a proposal in 2011 to eliminate that barrier, the rule hasn't moved forward, having been overshadowed by other regulations, including HIPAA Omnibus, says Alice Leiter, a policy counsel at the Center for Democracy & Technology.
"It's been two years [since the lab data proposal was issued] and nothing's happened. ... It's ridiculous it's been this long without any progress," Leiter says.
OCR indicated this month that it might soon refocus on getting its lab data proposal finalized. As a result, OCR noted in a statement that it would give certain labs more time beyond the Sept. 23 HIPAA Omnibus Rule enforcement date to update their notices of privacy practices for patients.
"In the coming months, [HHS] anticipates publishing an amendment to the HIPAA Privacy Rule ... regarding the right of individuals to receive their test reports directly from [certain] laboratories. ... If the amendment is finalized as proposed, it would result in a material change to the privacy practices of the HIPAA-covered laboratories. ... Consequently, the affected laboratories would need to ensure that their NPPs inform individuals of this new right and include a brief description of how to exercise the right."
In other regulatory activity this fall, federal advisers also will continue to hammer out potential privacy and security requirements for Stage 3 of the HITECH Act electronic health record incentive program.
Insurance Exchange Security
Meanwhile, the security of state health insurance exchanges is in the spotlight as the exchanges prepare to handle open enrollment starting Oct. 1 (see: Federal Data Hub Passes Security Testing).
Addressing concerns about data security as the exchanges, mandated under federal healthcare reform, are launched, the Obama administration on Sept. 18 announced a comprehensive interagency initiative designed to help prevent fraud and privacy violations.
The initiative, which involves HHS, the U.S. Justice Department and the Federal Trade Commission, includes:
- Creating an FTC call center with trained staff to handle customer concerns about insurance exchanges;
- Connecting HHS' HealthCare.gov site to the FTC's Complaint Assistant service;
- Developing a system for routing complaints through the FTC's Consumer Sentinel Network for analysis and referral as appropriate;
- Establishing a rapid response mechanism for addressing privacy or cybersecurity threats;
- Ramping up public education about the exchanges.