Proposed New Disclosure Rule
At an online hearing Sept. 30, federal advisers heard concerns from healthcare providers, electronic health records system vendors and others about the cost and impracticality of a proposal to require giving patients an access report listing all caregivers who had viewed their medical records. But a privacy advocate argued the access report proposal didn't go far enough to protect patients' rights.
The hearing was held as federal regulators re-evaluate how to best implement a HITECH Act mandate to update requirements for an accounting of disclosures of health information.
For Utah-based Intermountain Healthcare, which treats 6 million patients annually at 22 hospitals and more than 180 other facilities, complying with the proposed access report requirement would cost $100 million, Jutta Williams, chief privacy officer, testified at the hearing. "That's … about the same cost of building a rural hospital," she said.
In May 2011, the Department of Health and Human Services' Office for Civil Rights issued a notice of proposed rulemaking for accounting of disclosures, which generated hundreds of complaints from healthcare providers and others that the access report provision would prove to be technically unfeasible, complex and expensive to implement.
As proposed, the access report would need to contain the date and time of access, the name of the person or entity accessing protected health information, and a description of the information and user action, such as whether information was created, modified or deleted. The proposal would also give patients the right to an accounting of disclosures of electronic PHI made up to three years prior to the request.
That access report would include electronic health record disclosures for treatment, operations and payment, which are categories of disclosures exempt from the current accounting of disclosures rule. Under current regulations, covered entities need to account for certain disclosures of records to third parties for certain purposes, such as for litigation, court actions and public health.
In arguing against expanding the accounting of disclosures requirements to include a broad access report, some healthcare providers testified that since the narrower accounting of disclosures requirement under the HIPAA Privacy Rule for paper-based and electronic records first went into effect in 2003, they've received very few requests from patients for that information.
Williams of Intermountain said that over the last 10 years, the large integrated delivery system has received about one request per year. And usually those requests have been from patients "who know who and when the inappropriate access occurred," she noted.
Among the others who testified about the challenges of the accounting of disclosures and access report proposal were vendors of EHR software and security technology products.
Kurt Long, CEO of FairWarning, which sells privacy monitoring products, testified that the access report proposal as written "is not feasible today." When his company deploys its monitoring products, it finds that some healthcare providers have dozens to more than 100 applications that store protected health information, including data related to treatment, operations and billing, which makes compiling an access report challenging. To make an access report more feasible, he said, "we'd like to see more affordable access logs in a common format."
Eric Cooper, health information and identity management product lead at EHR vendor Epic Systems Corp., said in his written testimony that both access reports and patient disclosure logs can be generated on demand using the company's EHR. "Organizations tell us they seldom or never need to generate these types of reports to present to a patient. They typically use the access log reports to perform necessary audits. …"
Cooper summarized Epic's concerns: "We want to make sure that the access report requirements do not require covered entities to invest unreasonable technology resources to capture and store additional access log data for all patients, when that data likely provides little value for a very small number of patients who request it."
A privacy advocate, however, testified that the proposed access reports don't go far enough.
"Unless accounting of disclosures are automated and include all the detailed information about all treatment, payment and operations uses and disclosures, individuals literally have no way to know to whom their PHI goes, or what was disclosed or used," Deborah Peel, M.D., founder of the advocacy group Patient Privacy Rights, said in written testimony. "We can't check our own PHI or get independent agents or decision support unless we can obtain robust accounting of disclosures, including the copies of the PHI used or disclosed."