Many predict regulators will receive an overwhelming number of comments in the coming two months before work begins on a final version of the proposal to modify the HIPAA Privacy Rule, which was unveiled May 27. That's because some observers contend that creating access reports as envisioned under the proposal will prove cumbersome and impractical.
But others say the reports offer a valuable way to identify records snoops and provide patients with a method to monitor who has accessed their information.
Access Reports
Under the proposed rule, drafted by the Department of Health and Human Services' Office for Civil Rights, patients could request an access report that lists the names of those who have electronically accessed a "designated record set" for many purposes, including treatment, payment and healthcare operations. These reports would only include the names of those who accessed the information, as well as the date and time of the access, says Adam Greene, a former OCR official who was primary author of the proposal (see Author Describes Disclosures Rule).
The reports would account for electronic access to information by a wide variety of individuals, including those employed by a hospital or clinic, independent physicians with hospital admitting privileges or business associates.
The reports also could include what kind of information was accessed, and whether the user modified the record, but only if the organization has a newer information system that can readily provide that information, says Greene, who's now a partner with the Washington law firm Davis Wright Tremaine LLP.
A designated record set includes medical records, billing records "and other information that may have been used to make decisions about treatment or payment," Greene explains.
The proposed rule contains a second provision on "accounting of disclosures," streamlining what's already required under HIPAA. That provision goes beyond addressing "who" accessed a record to spell out "why" it was disclosed to an outside party for certain limited purposes, such as law enforcement, judicial proceedings and public health.
Greene says it could take OCR six months to a year to complete a final version of the rule after the 60-day comment period ends August 1.
Unreasonable Rule?
Kirk Nahra, a partner at the Washington law firm Wiley Rein, contends that this latest in a series of rules to carry out HITECH Act mandates is far less reasonable than previously released rules, including the breach notification rule. "It strikes me as fundamentally inconsistent with the normally very reasonable approach regulators have taken with most of these rules," he says.
The latest rule's access report provision is based on the faulty premise that most healthcare organizations already track every instance when patient information is accessed so they can comply with the HIPAA Security Rule, Nahra contends. He argues that the security rule does not explicitly mandate this approach because it does not provide details on the technology or methods that must be used to monitor access. And he asserts that very few organizations do this level of access tracking, focusing instead on more practical strategies, such as conducting periodic checks to determine, for example, if unauthorized staff members are accessing records.
He advises healthcare organizations to "get your comment letters going and point out all the problems" to make sure regulators are aware of how difficult it will be to comply.
Likewise, Kathryn Roe, principal at The Health Law Consultancy in Chicago, says it's "incumbent upon covered entities to come back with hard facts as to why this approach may not be the best course of action."
She points out that many legacy information systems lack the capability to create logs that would capture the information needed for access reports. And she agrees with Nahra that the HIPAA Security Rule is not "prescriptive" and thus does not require the use of specific technologies to track all access.
Dan Rode, vice president, policy and government relations at the American Health Information Management Association, notes: "The ability to accumulate data across the enterprise is always an issue." He's uncertain whether most hospitals, for example, can use their multiple information systems to track all access to designated record sets in a way that can be aggregated into one easily understandable report for a patient.
Audit Logs Called Overdue
But security specialist Kate Borten, president of The Marblehead Group, argues that hospitals and others should have implemented sophisticated audit logs for all their systems a long time ago. "The notice of proposed rulemaking assumes that, in compliance with HIPAA's Security Rule, covered entities and certain business associates already have access or audit logs showing record-level access, including read-only and print, in systems containing designated record sets," she says. "While this has always been the intent of the rule, compliance is very patchy."
Implementing audit logs will be a challenge for many vendors, healthcare organizations and business associates, Borten acknowledges, "but it's long overdue." She says the access reports "make sense because they can better identify inappropriate access, such as by inside snoopers."
Roe, the attorney, questions whether any consumers would find it useful to receive a complete, lengthy list of the names of everyone who has accessed their records. "There's legitimacy in OCR's effort to enable patients to understand how their information is used or disclosed," Roe says. "But I'm not confident access reports achieve that goal."
But Greene, the primary author of the proposed regulation, points out that under the proposal, a patient could simply request a report on whether a particular person, such as an ex-spouse who works at a hospital, has accessed their records, rather than a full report of everyone who's accessed the information.
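As an added illustration (not from the article or from any organization it quotes), here is a small Python sketch of how an access report of the kind described above could be assembled from the audit logs of two hypothetical systems: a legacy EHR that records only user, time and chart, and a newer billing system that also records the record type and whether it was changed. It includes the narrower request Greene mentions, restricting the report to one named person. All system names, log formats and records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class AccessEvent:
    system: str
    patient: str
    user: str
    when: datetime
    info_type: Optional[str] = None   # None when the source system cannot report it
    modified: Optional[bool] = None   # None when the source system cannot report it

# Constructed sample records. The legacy EHR logs only who touched which chart and when;
# the newer billing system also records the record type and whether it was changed.
LEGACY_EHR_LOG = [
    "2011-06-01T09:14:00|jdoe|MRN-1001",
    "2011-06-01T11:02:30|rsmith|MRN-1001",
    "2011-06-02T08:45:10|jdoe|MRN-2002",
]
BILLING_LOG = [
    {"ts": "2011-06-01T10:30:00", "user": "rsmith", "mrn": "MRN-1001", "doc": "claim", "action": "update"},
    {"ts": "2011-06-03T14:05:00", "user": "jdoe", "mrn": "MRN-1001", "doc": "invoice", "action": "read"},
]

def parse_legacy(lines):
    events = []
    for line in lines:
        ts, user, mrn = line.strip().split("|")
        events.append(AccessEvent("legacy_ehr", mrn, user, datetime.fromisoformat(ts)))
    return events

def parse_billing(records):
    return [AccessEvent("billing", r["mrn"], r["user"], datetime.fromisoformat(r["ts"]),
                        info_type=r["doc"], modified=(r["action"] != "read"))
            for r in records]

def access_report(events, patient, user=None):
    """Aggregate events from every system for one patient, oldest first.
    If `user` is given, report only that person's accesses."""
    rows = []
    for e in sorted(events, key=lambda e: e.when):
        if e.patient != patient or (user is not None and e.user != user):
            continue
        row = {"user": e.user, "when": e.when.isoformat(), "system": e.system}
        if e.info_type is not None:      # extra detail only where the system supplies it
            row["info_type"] = e.info_type
            row["modified"] = e.modified
        rows.append(row)
    return rows

def all_events():
    return parse_legacy(LEGACY_EHR_LOG) + parse_billing(BILLING_LOG)
```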
HITECH EHR Incentive Criteria
Regulators listed as "optional" a software certification standard for stage one of the HITECH Act electronic health record incentive program calling for detailed audit log capabilities, citing the need to wait for the Accounting of Disclosures Rule. OCR noted in the proposed rule that it plans to work with the Office of the National Coordinator for Health IT to ensure that software certification standards for future stages of the incentive program will align with the new disclosure requirements.
In the meantime, Greene cautions against "spending huge resources to come into compliance with the content of the proposed rule" because it could be changed once it's finalized. "It's a good time, though, to look at your audit systems and make sure they are turned on," he stresses. And he advises healthcare organizations to document all of the information systems that contain designated record sets.
Consultant Rebecca Herold, owner of Rebecca Herold & Associates, also stresses that "determining where all designated record sets exist now would be prudent, even if the rule is not yet finalized. Entities need to have this information documented anyway, and most do not."
Herold also notes that under the proposed rule, business associates must work with covered entities to comply with both the access report and accounting of disclosures provisions if they have access to designated record sets. "It will be a challenge not only for the business associates to get this in place, but also for the covered entities to ensure they will actually get this information from their business associates when the occasion calls for it," she says. "Having such a requirement in the business associate agreement is certainly necessary."