Revised Accounting of Disclosures Rule

Revised Accounting of Disclosures Rule

A federal advisory panel will recommend that the Department of Health and Human Services take an incremental approach to implement a revised HIPAA Accounting of Disclosures rule.

At its recent meeting, the Privacy and Security Tiger Team fine-tuned recommendations it plans to make to the HIT Policy Committee, which advises the Office of the National Coordinator for Health IT.

In September, the team held a virtual meeting with healthcare industry stakeholders to explore ways to provide patients with greater transparency about the uses and disclosures of their digital identifiable health information. The team considered feedback from the meeting, as well as public comments in formulating its recommendations.

The team plans to recommend that HHS take a "step-wise" approach to pursue an implementation pathway that is workable from a technology and policy perspective.

As part of that recommendation, the team will suggest that HHS initially focus its attention on regulating disclosures made to those outside of a covered entity or an "organized healthcare arrangement," also known as an OHCA.

A "disclosure" of information would be when "data leaves a trusted environment where a provider is no longer in control of the data," such as when records go to a health information exchange.

In contrast, an OHCA relationship might include, for instance: a community physician who is not employed by a hospital; but who has credentials to access the hospital's electronic health record system. Under the tiger team's proposed recommendations, that community physician would be considered an internal user, and his access would not be considered a "disclosure."

The tiger team will also recommend that an accounting of disclosures should focus on providing patients with "quality not quantity" of information about the data disclosed. For example, patient information disclosures by a healthcare organization through a networked e-prescription service would provide an accounting of disclosures to the patients, rather than a list of each e-prescription transaction.

Back in May 2011, the HHS Office for Civil Rights issued a notice of proposed rulemaking soliciting comments on its preliminary concepts for revising HIPAA's accounting of disclosures provisions. It received more than 400 comments. Many of these comments were critical of one proposal to provide patients with the right to request an "access report" with a complete list of everyone; including internal users; who had electronically viewed their information. The report would have to contain the date and time of access, description of information accessed, and user action; such as creation, modification, or deletion of information.

Some patients and consumer advocates were supportive of the access proposal. But dozens of healthcare organizations and health industry groups expressed concerns that the record access report provision is impractical.

The virtual hearing hosted by the tiger team on Sept. 30 delved into some of the concerns of healthcare industry stakeholders, as well as consumer groups, about the OCR proposals.

As a result of the public feedback, the tiger team is recommending that aspects of the access report proposal be scaled back. For example, the team plans to recommend enabling patients to demand a specific investigation of suspected inappropriate access.

At the virtual hearing in September, several attendees indicated that focusing on the investigation of inappropriate access rather than all access might be sufficient to satisfy patient concerns of privacy violation. An example of inappropriate privacy access would be a violation by a nosy neighbor who works at the hospital.

To improve the ability of covered entities to conduct investigations of inappropriate access, the tiger team will recommend that HHS clarify the audit controls standard of the HIPAA Security Rule. Currently, that audit controls provision states: "Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronically protected health information."

The tiger team will recommend that implementation specifications for this auditing provision be clarified and that the HIPAA Security Rule requires that information collected in the audit trail be sufficient to support the detection and investigation of potential inappropriate accesses or uses of PHI.