The Department of Health and Human Services should make several revisions in its long-delayed plans for a revamp of the HIPAA accounting of disclosures rule and conduct pilot tests before implementing a final rule, an advisory committee recommends.
At its Dec. 4 meeting, the Health IT Policy Committee endorsed the recommendations of its Privacy and Security Tiger Team regarding guidelines for disclosing access to patients' electronic health records. Those include:
- Taking an incremental approach to implementing the requirements;
- Initially focusing on disclosures of records to those outside of a covered entity;
- Greatly scaling back plans for providing patients with detailed access reports, providing them only if patients request investigations into suspected inappropriate access;
- Conducting technology pilots before a rule is finalized by HHS' Office for Civil Rights.
Once the pilots are completed, OCR will resume work on a revised rule that takes the recommendations and pilot findings into account.
Conducting tests to prove that providers can comply with updated disclosure requirements is essential, says Deven McGraw, tiger team chairman and director of the health privacy project at the Center of Democracy and Technology (see: Fine-Tuning the HIPAA Disclosure Rule).
An incremental approach is needed, McGraw says, so HHS can determine how best to provide patients with transparency about data disclosures while not overburdening healthcare organizations.
Paul Egerman, tiger team co-chair, told the HIT Policy Committee: "HHS should approach this in a step-wise fashion, initially pursuing an implementation pathway that is workable from both a policy and technology perspective.
"We urge HHS to pursue a more focused approach that prioritizes quality over quantity, where the scope of disclosures and related details to be reported to patients provides information that is useful to patients, without overwhelming them or placing undue burden on covered entities."
The incremental approach should begin with providing patients with a report of disclosures made to parties outside of a healthcare organization that has control of the electronic information.
With that in mind, HHS should pursue a "follow the data" approach, for which disclosure reports would be triggered when an entity transfers control over information to an external party, such as a hospital providing a patient's information to a health information exchange organization, Egerman explained.
The HIPAA Privacy Rule currently requires covered entities to make available, upon request, an accounting of certain disclosures of an individual's protected health information on paper or in electronic form made up to six years prior to the request. Those disclosures include, for example, those for public health and various judicial and administrative proceedings.
The HITECH Act calls for revising the disclosure requirement to include disclosures made for healthcare treatment, payment or operations made using an electronic health record.
In May 2011, OCR issued a notice of proposed rulemaking to carry out that HITECH Act requirement. But it included another, controversial provision calling for offering patients, upon request, an "access report" to list everyone, including internal users, who had electronically viewed their information. The provision would require providing patients with the date and time of access; name of the person or entity accessing PHI; description of information disclosed; and user action, such as creation, modification or deletion of information.
The HIT Policy Committee, in approving the tiger team's recommendations, endorsed scaling back on access reports. Instead, it backs allowing patients who suspect inappropriate access to their electronic health information to request an investigation of records access inside the entity that has control of the information. For example, a patient could request an investigation if they suspect that a nosy neighbor who works at a hospital snooped on their records.
The tiger team recommendations were crafted over the last several months, taking into account a great deal of public and industry feedback about OCR's original rule revision proposal, most of which was critical of the access report plan (see: Concerns Voiced About Disclosure Rule). The tiger team came to the conclusion that the access reports, as originally proposed, were not doable, at least with current technologies, Egerman says.
To improve the ability of covered entities to conduct investigations of inappropriate access, the committee recommends that OCR add two implementation specifications to the current audit control standard in the HIPAA Security Rule:
- Addressable audit controls must record protected health information access activities to the granularity of the individual user and the individual whose PHI is accessed; and
- Information recorded by the audit controls must be sufficient to support the information system activity review required by the HIPAA Security Rule and the investigation of potential inappropriate access to PHI.
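To make concrete what the two audit specifications above ask for, and how the same records would feed the "follow the data" accounting of external disclosures described earlier, here is an added illustration in Python. It is not code from the committee, OCR or any vendor; the record fields, the six-year lookback window and the sample log are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass(frozen=True)
class PhiAccessEvent:
    """One audit record at the granularity the recommendation calls for:
    which individual user touched which individual's PHI, when, and how."""
    timestamp: datetime
    user_id: str          # the individual user, not just a role or department
    patient_id: str       # the individual whose PHI was accessed
    description: str      # what information was touched
    action: str           # create / read / modify / delete / disclose
    recipient: str = ""   # external party; set only when control leaves the entity


def accesses_by_user(events: List[PhiAccessEvent], patient_id: str,
                     user_id: str) -> List[PhiAccessEvent]:
    """Support an investigation of suspected inappropriate internal access:
    every access by one named user to one named patient's records, in order."""
    hits = [e for e in events
            if e.patient_id == patient_id and e.user_id == user_id]
    return sorted(hits, key=lambda e: e.timestamp)


def accounting_of_disclosures(events: List[PhiAccessEvent], patient_id: str,
                              request_date: datetime) -> List[PhiAccessEvent]:
    """'Follow the data' accounting: only events where control of the data
    passed to an external party, within the six years before the request.
    (Six-year window is an assumption taken from the current Privacy Rule.)"""
    since = request_date.replace(year=request_date.year - 6)
    return sorted((e for e in events
                   if e.patient_id == patient_id and e.action == "disclose"
                   and e.recipient and e.timestamp >= since),
                  key=lambda e: e.timestamp)


# Constructed sample log for the example; not real data.
SAMPLE_LOG = [
    PhiAccessEvent(datetime(2013, 11, 2, 9, 15), "nurse.a", "PT-001",
                   "medication list", "read"),
    PhiAccessEvent(datetime(2013, 11, 3, 22, 40), "clerk.b", "PT-001",
                   "full chart", "read"),            # off-hours, not on care team
    PhiAccessEvent(datetime(2013, 11, 4, 10, 0), "hie.gateway", "PT-001",
                   "CCD summary", "disclose", "Regional HIE"),
    PhiAccessEvent(datetime(2013, 11, 5, 8, 30), "clerk.b", "PT-002",
                   "demographics", "modify"),
    PhiAccessEvent(datetime(2007, 1, 1, 0, 0), "billing", "PT-001",
                   "claim", "disclose", "Payer X"),   # older than six years
]
```

The internal "read" by clerk.b never appears in the patient's disclosure accounting, but it is exactly what an investigation request would surface.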
In addition to the recommendations made by the tiger team, the HIT Policy Committee approved an additional proposal from committee member Christine Bechtel that OCR "further explore" how inappropriate access complaints and investigations are currently handled by covered entities.
Other HIPAA Matters
At the Dec. 4 meeting, HIT Policy Committee members also were provided an update on OCR's various HIPAA-related activities.
Susan McAndrew, OCR's deputy director for health information privacy, told the committee that the agency is:
- Finalizing a proposed HIPAA Privacy Rule requirement for certain medical labs to make test results available directly to consumers (see: Regulators to Tackle Privacy Issues). The affected laboratories would need to ensure that their notices of privacy practices inform individuals of this new right.
- Working with the Department of Justice and the White House to consider whether HIPAA is a barrier preventing some states from reporting individuals disqualified from owning a gun for mental health reasons to the National Instant Criminal Background Check System (see: Amending HIPAA for Background Checks).
- Working on evaluations of its 2012 HIPAA compliance audit pilot program in preparation for the launch of a permanent audit program next year, which will include business associates as well as covered entities.
Improving risk assessments by healthcare organizations will prove vital to preventing breaches and other HIPAA violations, McAndrew stresses.