Reacting to Disclosures Rule Proposal

HITECH Rule Called 'Unreasonable' by Some, 'Overdue' by Others

June 2, 2011.

Dan Rode, vice president, policy and government relations at the American Health Information Management Association, notes: "The ability to accumulate data across the enterprise is always an issue." He's uncertain whether most hospitals, for example, can use their multiple information systems to track all access to designated record sets in a way that can be aggregated into one easily understandable report for a patient.

Audit Logs Called Overdue

But security specialist Kate Borten, president of The Marblehead Group, argues that hospitals and others should have implemented sophisticated audit logs for all their systems a long time ago. "The notice of proposed rulemaking assumes that, in compliance with HIPAA's Security Rule, covered entities and certain business associates already have access or audit logs showing record-level access, including read-only and print, in systems containing designated record sets," she says. "While this has always been the intent of the rule, compliance is very patchy."

Implementing audit logs will be a challenge for many vendors, healthcare organizations and business associates, Borten acknowledges, "but it's long overdue." She says the access reports "make sense because they can better identify inappropriate access, such as by inside snoopers."

Roe, the attorney, questions whether any consumers would find it useful to receive a complete, lengthy list of the names of everyone who has accessed their records. "There's legitimacy in OCR's effort to enable patients to understand how their information is used or disclosed," Roe says. "But I'm not confident access reports achieve that goal."

But Greene, the primary author of the proposed regulation, points out that under the proposal, a patient could simply request a report on whether a particular person, such as an ex-spouse who works at a hospital, has accessed their records, rather than a full report of everyone who's accessed the information.

HITECH EHR Incentive Criteria

Regulators listed as "optional" a software certification standard for stage one of the HITECH Act electronic health record incentive program calling for detailed audit log capabilities, citing the need to wait for the Accounting of Disclosures Rule. OCR noted in the proposed rule that it plans to work with the Office of the National Coordinator for Health IT to ensure that software certification standards for future stages of the incentive program will align with the new disclosure requirements.

In the meantime, Greene cautions against "spending huge resources to come into compliance with the content of the proposed rule" because it could be changed once it's finalized. "It's a good time, though, to look at your audit systems and make sure they are turned on," he stresses. And he advises healthcare organizations to document all of the information systems that contain designated record sets.

Consultant Rebecca Herold, owner of Rebecca Herold & Associates, also stresses that "determining where all designated record sets exist now would be prudent, even if the rule is not yet finalized. Entities need to have this information documented anyway, and most do not."

Herold also notes that under the proposed rule, business associates must work with covered entities to comply with both the access report and accounting of disclosures provisions if they have access to designated record sets. "It will be a challenge not only for the business associates to get this in place, but also for the covered entities to ensure they will actually get this information from their business associates when the occasion calls for it," she says. "Having such a requirement in the business associate agreement is certainly necessary."

Follow Howard Anderson on Twitter: @HealthInfoSec
