"Don't panic," Greene says in an interview with Howard Anderson of HealthInfoSecurity.com (transcript below). "It's a proposed rule. We don't know what the final rule would look like, so I would caution against spending huge resources to come into compliance with the content of the proposed rule."
Nevertheless, Greene stresses that "there's an expectation that you should already have audit logs in place and turned on" for all information systems to monitor who's accessing patient information.
"If, despite the HIPAA security rule [requirements], you have not been maintaining audit logs and you have not been logging all access to the electronic health record and to other designated record sets, then coming into compliance with this proposed rule, if it becomes finalized as is, could be a significant burden and may take a lot of resources," he adds.
The Department of Health and Human Services' Office for Civil Rights, in its proposed rule, takes a two-pronged approach, explains Greene, who recently left the office to join a Washington law firm.
First, the proposed rule spells out revised, streamlined HIPAA requirements to provide patients with an accounting of disclosures of protected health information to outside parties for certain purposes, such as law enforcement and public health, Greene says.
Second, the proposal requires providing patients, upon request, with "access reports" that summarize who has electronically accessed their information, Greene explains. He says the rule attempts to address "What's the best way to get the information that individuals are most interested in, which is, who has seen their records?" He points out that under the proposed rule, a patient could simply ask whether a specific individual has electronically accessed their records, or they could ask for a complete list of everyone who has accessed the records.
In the interview, Greene also:
- Describes how both provisions apply to designated record sets as defined by HIPAA. These record sets include medical records, billing records and "other information that may have been used to make decisions about treatment or payment."
- Contends that if an organization already has system activity logs in place "it won't necessarily be a huge lift to comply with this rule." He acknowledges, however, that if larger organizations have many information systems that contain designated records sets, "There will be some burden on them to go through and create an aggregate report based on access reports from all these different systems."
- Advises healthcare organizations to document all of the information systems that contain designated record sets.
Greene, until recently, was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing HIPAA privacy and security rules as well as the breach notification rule. He was responsible for determining how HIPAA rules apply to new and emerging health information technologies and was instrumental in the development of the current enforcement process. In his new role as partner at Davis Wright Tremaine LLP in Washington, he specializes in HIPAA and HITECH Act issues.
HOWARD ANDERSON: You recently left the staff of the HHS Office for Civil Rights, which prepared the new disclosures rule. Briefly describe what your role was at the office before you left, whether you were involved in the preparation of this rule, and tell us a little bit about your new role.
ADAM GREENE: While I was at OCR, I was the senior adviser on health IT and privacy. What that meant was I was responsible for applying HIPAA to health information technology, whether it be electronic health records, personal health records, health information exchange, or even areas like cloud computing or texting. And as for the accounting rule, I was the primary author of the proposed rule ... so that was definitely a big area of work for me the past year.
Now I'm over at Davis Wright Tremaine as a partner in their HIPAA health IT practice. Davis Wright has historically had a very deep bench in HIPAA and privacy, and so I'm very excited to be joining it.
Two-pronged ApproachANDERSON: The notice of proposed rulemaking contains a two-pronged approach, offering patients an access report, as well as a separate accounting of disclosures. Can you tell us why this two-pronged approach was taken, or at least describe it?
GREENE: I'll do my best on this. I can't provide any non-public information, but I can certainly talk about the intent that OCR expressed in the preamble. Accounting of disclosures has always been a tough challenge for healthcare providers and other covered entities, such as health plans. I think OCR recognized that it's always been a very burdensome process. It's generally a very manual process. Anecdotally, OCR had received reports that there were fairly few requests coming in for patients to actually receive an accounting of disclosures. Nevertheless, HITECH doubled down a little bit on the accounting of disclosures requirement by expanding it, taking out the exception for treatment, payment and healthcare operations to the extent that the exception was through an electronic health record.
And so, OCR was in the position of needing to fulfill the mandate of the HITECH Act and ensure that there is expanded accounting access for treatment, payment and healthcare operations to the extent it's through an electronic health record, but also fully recognize some of the problems that have traditionally occurred with respect to accounting.
The proposal has this two-pronged approach. One side is better improving the workability of the accounting of disclosures requirement. And OCR really points to the statutory provision that says when enacting this, OCR should look at the benefit to individuals of the information and the burden on covered entities. So OCR really took that to heart and looked at how to adjust the current accounting requirements to better reflect that balance.
Then you also have this other issue of expanding to electronic health records treatment, payment and healthcare operations. And what OCR did there is it looked at what information tends to be of most interest to individuals. And what OCR had been hearing is that individuals oftentimes aren't looking for a general map of how their information is used or disclosed. They're looking at specifics, "Has my neighbor seen my information? Has my ex-husband or ex-wife seen my information?" And they don't care necessarily whether it's a user disclosure, meaning they don't care if it's a nurse who is an employee of the hospital, where it would be a "use," versus whether it's a doctor with physician privileges or someone outside the organization, where it's a "disclosure." They just want to get this basic information, "Who has seen my information?"
That's the second prong of this rule: What's the best way to get the information that individuals are most interested in, which is, who has seen their records? That second prong is what OCR refers to as an "access report," where they provide this report, which could be customized to a single individual. If the patient just wants to know about one person, then that's all that they need to see. Alternatively, it could be a list of hundreds of individuals who have seen their records.
So that's the two-pronged approach that was taken: Answering a very specific question with the access report, and then also streamlining and better improving the general accounting [of disclosures] requirements.
Different requirementsANDERSON: Just to make sure we understand the difference between the two, how do the access report and the accounting of disclosures reports requirements differ? Tell us a little bit more about that.
GREENE: The access report is really just focused on the identity of the individual. The requirements of the proposed rule are just to provide the date, time and name of the individual who accessed an electronic designated record set. Now, there are a few other elements that are listed as required, if available. It could be user action, for example, such as whether the user of the computer systems actually modified the record or deleted the record. It also could be what kind of information was accessed, such as medications. Some software currently - newer electronic health records, for example - may readily have that information available in auto logs, and if that information is readily available, then it needs to be included in the access report. But OCR, in the proposal, makes clear that if a system doesn't currently have that capability, a healthcare provider wouldn't have to change their systems to collect that. That's the access report, just primarily focused on the "who."
The accounting of disclosures refers to what I sometimes call the full accounting, and that's more detailed information, most specifically, "why." Why was a particular disclosure made? It could be something such as the disclosure was made for the purposes of law enforcement or for the purposes of public health. And that's something that's been required for quite some time, dating back to April 2003. The full accounting will include the purpose of the disclosure and certain other information, such as the address of the recipient, if available. Those are the main distinctions.
Designated Record SetsANDERSON: As you've mentioned, the proposal makes reference to telling patients about who has accessed designated record sets. Help us to understand that term, designated record sets, and why that term is used instead of electronic health records. Do designated record sets apply to both the access reports and the accounting of disclosures provisions?
GREENE: The designated record set is a term under HIPAA that's been around since the HIPAA final rule back in December 2000, and it really has three categories to it: the medical record, the billing records and then a sort of "catchall" category of other information that may have been used to make decisions about the patient's treatment or payment. So, certainly the electronic health record, to the extent that that's a medical record, is going to fall within the designated record set. Billing information, which may be in a practice management system, is also going to be part of the designated record set. And then, generally, other information that's used to make payment or treatment decisions.
In contrast, you might have, for example, a morbidity and mortality group that's looking at causes of complications at a hospital, and that's for purposes of quality assurance and quality improvement. So a system like that would be outside of the designated record set. So designated record set is being applied to the access report. You'd only have to look at electronic access to electronic designated record sets. Any information that might be just a random piece of health information outside of a designated record set would not fall under the access report.
Then, in accounting [of disclosures], that's part of the streamlining that's happened with accounting. In the past, all protected health information was subject to the accounting of disclosures rule. You could have a stray piece of paper floating around the hospital or health plan, and you would have to be able to account for any disclosures of that information. The proposed rule would limit information to that within a designated record set, which should be a more reasonable burden on covered entities, because they should have a clear idea of where their designated record sets are, and it should be a bit easier to track that type of information.
Compliance ChallengesANDERSON: In your new role as an attorney advising folks about HIPAA, what do you see as the major challenges involved in complying with this rule, if any?
GREENE: It's going to differ a lot by organization. If your organization has a really solid audit program in place already, under the HIPAA security rule, there should be system activity logs. If you're already doing that, if you have audit logs and you have them turned on, there won't necessarily be a huge lift for complying with this rule, if it becomes finalized as proposed. Because it's really just taking those audit logs and taking some information from them, specifically, the name of the user who accessed the information, the date and time, and just pulling that together into a report. Now, recognizing hospitals oftentimes, and other large providers, may have dozens of systems that have designated record set information, there will be some burden on hospitals or other healthcare entities to go through and create an aggregate report based on access reports from all these different systems.
But what at least is beneficial here is the burden should be proportionate to the interests of individuals. And what I mean by that is if you only receive one request a year for an access report, then your burden should only be pulling together an access report once a year. This is a significant change from the accounting rule where even if you don't receive any accounting requests, it could be very burdensome to go through and track all these types of disclosures. If you've got a good audit system in place, it may not be a big lift, and, in fact, the net effect of this proposed rule may be easing up on your burden quite a bit because of the streamlining of the accounting [of disclosures] requirements.
In contrast, if, despite the security rule, you have not been maintaining audit logs and you have not been logging all access to the electronic health record and to other designated record sets, then coming into compliance with this proposed rule, if it becomes finalized as is, could be a significant burden and may take a lot of resources to get to that level.
Regulatory ProcessANDERSON: This is a notice of proposed rulemaking. Educate us on the remaining steps in the rulemaking process before this rule goes into effect. And what's the likely effective date if things go according to plan?
GREENE: The process would be that it's open for comment, so there's a 60-day comment period, which will end on August 1. So any covered entities, any privacy advocates or any interested parties are free to comment, and all those comments do get reviewed by OCR and do have some impact on the final rule.
As for when a final rule would go into effect, I'm always cautious about throwing out dates. I'll tell you that it's going to take some time. I would expect that there's going to be a large number of comments, and it will take a number of months to go through those comments. After that, it'll take months to write the final rule, put it through internal agency clearance, and then interdepartmental clearance through OMB [Office of Management and Budget]. So certainly no less than six months would I expect a final rule to be out, and it certainly could be closer to a year before we see a final rule.
And then once a final rule comes out, there will be a compliance period, which, if the proposed rule becomes finalized in this particular respect, then there would be about 240 days from publication for covered entities to change their accounting of disclosures requirements - that's the full accounting. That shouldn't be problematic, because that's really a streamlining of systems, so it'll actually be less burdensome.
Regarding the timeframe for complying with the access report requirement, the "who" requirement, the proposed rule proposes a date of Jan. 1, 2013, for entities to come into compliance for newer systems - designated record set systems that are from Jan. 1, 2009 on. If you have an older legacy system that predates 2009, under the proposed rule, you'll even have longer, Jan. 1, 2014, before you have to start providing people with compliance reports. There will be a matter of years before compliance is required, at least under the timeframe set forth in the proposed rule.
How to PrepareANDERSON: Finally, in the time that folks have to get prepared, what advice would you give them on the kinds of steps they should be taking in order to be fully compliant by the deadlines?
GREENE: As to what I would advise for today, don't panic. It's a proposed rule. We don't know what the final rule would look like, so I would caution against spending huge resources to come into compliance with the content of the proposed rule. That being said, it's a good time to look at your audit systems and make sure that they're turned on. There's an expectation that you should already have audit logs in place, turned on, and you should start keeping those indefinitely, because it could be that as of the compliance date for the access report, you have to go back three years and provide an audit log for that three-year period. It's good to make sure that your audit systems are in place right now, turned on and being stored.
It's a good time to assess your designated record sets. Every covered entity should know which systems are [generating] designated record sets. They should know that for purposes of providing patients access to a copy of their information. Under HIPAA, they're currently required to provide a copy of any information in a designated record set. Now is a good time to just check that you have documentation as to which systems are [generating] designated record sets and to reassess that in light of this new potential responsibility.