HIPAA Disclosures Rule Revamp Endorsed

Federal Advisers Spell Out Revisions

By , December 5, 2013.
HIPAA Disclosures Rule Revamp Endorsed

The Department of Health and Human Services should make several revisions in its long-delayed plans for a revamp of the HIPAA accounting of disclosures rule and conduct pilot tests before implementing a final rule, an advisory committee recommends.

See Also: Looking for Anomalies: Try Machine Data

At its Dec. 4 meeting, the Health IT Policy Committee endorsed the recommendations of its Privacy and Security Tiger Team regarding guidelines for disclosing access to patients' electronic health records. Those include:

  • Taking an incremental approach to implementing the requirements;
  • Initially focusing on disclosures of records to those outside of a covered entity;
  • Greatly scaling back plans for providing patients with detailed access reports, providing them only if patients request investigations into suspected inappropriate access;
  • Conducting technology pilots before a rule is finalized by HHS' Office for Civil Rights.

Once the pilots are completed, OCR will resume work on a revised rule that takes the recommendations and pilot findings into account.

Incremental Approach

Conducting tests to prove that providers can comply with updated disclosure requirements is essential, says Deven McGraw, tiger team chairman and director of the health privacy project at the Center of Democracy and Technology (see: Fine-Tuning the HIPAA Disclosure Rule).

An incremental approach is needed, McGraw says, so HHS can determine how best to provide patients with transparency about data disclosures while not overburdening healthcare organizations.

Paul Egerman, tiger team co-chair, told the HIT Policy Committee: "HHS should approach this in a step-wise fashion, initially pursuing an implementation pathway that is workable from both a policy and technology perspective.

"We urge HHS to pursue a more focused approach that prioritizes quality over quantity, where the scope of disclosures and related details to be reported to patients provides information that is useful to patients, without overwhelming them or placing undue burden on covered entities."

Revised Requirements

The incremental approach should begin with providing patients with a report of disclosures made to parties outside of a healthcare organization that has control of the electronic information.

With that in mind, HHS should pursue a "follow the data" approach, for which disclosure reports would be triggered when an entity transfers control over information to an external party, such as a hospital providing a patient's information to a health information exchange organization, Egerman explained.

The HIPAA Privacy Rule currently requires covered entities to make available, upon request, an accounting of certain disclosures of an individual's protected health information on paper or in electronic form made up to six years prior to the request. Those disclosures include, for example, those for public health and various judicial and administrative proceedings.

The HITECH Act calls for revising the disclosure requirement to include disclosures made for healthcare treatment, payment or operations made using an electronic health record.

Access Reports

In May 2011, OCR issued a notice of proposed rulemaking to carry out that HITECH Act requirement. But it included another, controversial provision calling for offering patients, upon request, an "access report" to list everyone, including internal users, who had electronically viewed their information. The provision would require providing patients with the date and time of access; name of the person or entity accessing PHI; description of information disclosed; and user action, such as creation, modification or deletion of information.

The HIT Policy Committee, in approving the tiger team's recommendations, endorsed scaling back on access reports. Instead, it backs allowing patients who suspect inappropriate access to their electronic health information to request an investigation of records access inside the entity that has control of the information. For example, a patient could request an investigation if he suspects a nosey neighbor who works at a hospital snooped at their records.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Compromise on Info-Sharing Measure Grows

A willingness to compromise expressed at a House hearing on President Obama's cyberthreat...

Latest Tweets and Mentions

ARTICLE Compromise on Info-Sharing Measure Grows

A willingness to compromise expressed at a House hearing on President Obama's cyberthreat...

The ISMG Network