Who Accessed My Health Records? Recommendation for Quality over Quantity in Access Reports

By Kathie McDonald-McClure, Ann F. Triebsch and Margaret Young Levi

Accounting for Disclosures Would Include Disclosures of PHI to All Staff

The Office of National Coordinator (ONC) Health IT Policy Committee voted in December 2013 to recommend that the United States Department of Health & Human Services (HHS) scale back its 2011 proposed rules requiring covered entities to provide patients with reports showing the name of every staff member who accessed their information in an electronic health record (EHR). As reported by Government Health IT, the committee’s Privacy and Security Tiger Team opposes a requirement that entities covered by the Health Insurance Portability & Accountability Act of 1996 (HIPAA) give such broad “accounting of disclosure” reports to patients.

The current HIPAA regulations do not require covered entities to include in an “accounting of disclosures” each time a staff member of the covered entity accesses the EHR for certain uses permitted by HIPAA.  In fact, the HIPAA regulations provide an exception for access to protected health information (PHI) that is necessary for treatment, payment and health care operations (TPO):

(a)  Standard: Right to an accounting of disclosures of protected health information.

(1) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures:

(i) To carry out treatment, payment and health care operations [TPO] as provided in §164.506; . . . .

45 C.F.R. § 164.528.

Sec. 13405(c) of the Health Information Technology for Clinical and Economic Health Act (HITECH), however, essentially gutted the above exception, which had relieved providers from having to account for disclosures of PHI for TPO purposes, by carving out any “disclosures [made] through an electronic health record” in the “three years prior to the date on which the accounting is requested.”  As a result, a provider would have to include a significantly large amount of data covering every point in time that a staff member, including a physician, nurse, ancillary provider or business office employee, accessed the EHR for TPO purposes.  Even though HITECH may require such an accounting, this HITECH requirement must be implemented through rule-making, which has been stalled by HHS’ focus on other HITECH requirements, such as those dealing with business associates of covered entities and reporting data breaches, that were finally implemented through release of the HIPAA Omnibus Rule in January 2013.

Comments on the proposed accounting rule from many organizations, including the American Hospital Association (AHA) and the College of Health Information Management Executives, suggest that technology does not yet exist to facilitate the proposed access report requirements and, thus, they are impractical and administratively burdensome.  In 2011, the AHA submitted comments characterizing this proposed rule as “misguided because it does not appropriately balance the relevant privacy interests of individuals with the substantial burdens on covered entities.”

At an October hearing hosted by the ONC HealthIT, it was reported that the HIPAA proposed rule on “accounting of disclosures” would cost physician practices more than the cost of preparing for ICD-10! The Tiger Team urged HHS to take a more considered approach that focuses on the quality of the “accounting of disclosures” report provided to patients rather than the quantity of data in the report.  The Tiger Team indicated that the proposed rule should be amended to ensure that it does not place an undue burden on providers by requiring them to produce a report that overwhelms patients with huge amounts of data that is not particularly useful.

So keep your fingers crossed that reasonable voices prevail.

Please note that although this blog may be helpful in informing clients and others who have an interest in information privacy and security, it is not intended to be legal advice. The information on this blog also should not be relied upon to form an attorney-client relationship.
