November 01 2011
The patient right to an access report: What will happen?
Back in June, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (DHHS) published the proposed rule implementing perhaps the most challenging of the ARRA HITECH requirements for updating the HIPAA Security and Privacy rules. The proposed rule addressed Section 13405(c) of ARRA HITECH, which gives a patient the right to an accounting of disclosures of the patient's electronic protected health information (ePHI) made through an electronic health record, and which removes, for those disclosures, the Privacy rule's exception for disclosures made for treatment, payment or health care operations.
OCR put out a request for information to the industry in May of 2010 asking providers, vendors, payers and other interested parties what they thought the challenges were in complying with the ARRA HITECH provision. Industry feedback indicated that many felt the requirement, as written in the statute, would prove problematic because of how HIPAA defines a disclosure. Under the original HIPAA Privacy rule, releasing a patient's data to a business associate for treatment, payment or health care operations is a disclosure, so the statute would sweep those releases into the accounting.
Disclosures can include electronic accesses to a patient's ePHI by business associates. Where the business associate is a physician, advanced practice nurse, therapist or other clinician providing care to patients, the only thing that distinguishes that person from an employed staff member is contractor status; the access itself, as recorded by an electronic health record system, looks identical. To tell the two apart, a provider would have to have assigned usernames, IDs or security roles that are unique to business associate contractors, and that is certainly not true of every hospital's or clinic's user security set-up. Also problematic is that the purpose of the disclosure (if an online access) is not always recorded and can often only be inferred from the user action the system logged.
In response, in the proposed rule OCR did several interesting things:
- First, they stepped back and looked at the statutory language of ARRA HITECH, and also of HIPAA, and assessed what authority they did have for rule making.
- Second, they determined to revisit the original accounting of disclosures requirement under the HIPAA Privacy rule, and take the opportunity to clearly state it with regard to ePHI.
- Third, they proposed to create a new patient right to receive an “access report” of all accesses to a patient's ePHI, whether by an employed staff member or a business associate.
The access report was also proposed to include accesses in which one system makes an electronic request for ePHI from another system. For both the accounting of disclosures and the access report, OCR applied the original HIPAA Privacy rule concept of the “designated record set” to define the scope of the proposed rule, rather than the ARRA HITECH concept of the electronic health record (EHR). In doing so, OCR argued it was using a more appropriate concept, already defined in HIPAA regulation, that covered entities, providers among them, were familiar with.
A designated record set, in terms of ePHI, includes the systems holding the records a covered entity uses to make decisions about a patient, in particular the medical and billing records used for treatment- or payment-related uses or disclosures of the patient's data. OCR felt the term EHR was too vague to be cleanly applied by covered entities. In the proposed rule, one could argue that the accounting of disclosures was largely left with the same scope as the original HIPAA Privacy rule patient right, but explicitly applied to ePHI held in the designated record set. It covered the same types of disclosures as the original HIPAA Privacy right, but OCR defined a specific list of which types were to be included in the accounting and which were not.
For the access report, OCR addressed both accesses by a natural person (i.e., a human user) and accesses by systems acting on behalf of entities, through system-to-system exchange of information within the covered entity. The access report was proposed to be a consolidated report of accesses, compiled and given to the patient within 30 days of the patient's request. The report was to include the plain-language name of the user (if a natural person) accessing the patient's ePHI, and to cover accesses by employees and business associates alike.
So what are the industry's concerns with the OCR approach? Most public comments we have heard* raise three issues, almost all of them with the proposed access report:
- The overwhelming volume of access events possible that might be presented to the patient
- The questionable value of including accesses that represent system-to-system exchanges of ePHI within the covered entity, especially medical device interfaces, telemetry interfaces and the routine interfacing that communicates admissions, orders, diagnostic test results and similar clinical transactions from one system to another
- The administrative burden of compiling the access report into a consolidated report
*For a comment letter representative of the concerns of providers that echoes much of the above – see the Access Report section of the detailed commentary in the comment letter of the American Hospital Association.
In the proposed rule, OCR encouraged providers to educate patients about options for reducing the volume of the report to what is most directly useful to the patient's interest. These could include a report of accesses by an individual user, for a date and time range, or of a particular kind of access.
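The mechanics of an access report as described above are simple to illustrate with code, so the following is an added example (not Cerner's, OCR's or any vendor's code). It assumes a hypothetical audit-log record of timestamp, patient, actor ID and action, plus a hypothetical actor directory that supplies the plain-language name and whether the actor is an employee, a business associate or an interface system. That directory is exactly the piece a raw EHR log usually lacks, which is why employee and business associate accesses are otherwise indistinguishable. The function compiles a consolidated report for one patient, oldest access first, and supports the three narrowing options OCR mentioned (one user, a date and time range, a kind of access) plus a switch to drop system-to-system exchanges. All events and actors are constructed for the example.

```python
"""Compile a patient access report from application audit-log records.

Added illustration, not Cerner's or OCR's code. The record layout, the actor
directory and every event below are constructed for the example; a real
audit log carries far more fields and far more volume.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime        # when the access occurred
    patient_id: str     # whose ePHI was touched
    actor_id: str       # login or system identity that performed the access
    action: str         # view / update / print / interface ...


# Constructed actor directory: login -> (plain-language name, kind).
# The kind is what distinguishes an employed clinician from a business
# associate or an interface engine; the raw log alone cannot.
ACTORS: Dict[str, Tuple[str, str]] = {
    "u.patel":       ("Dr. A. Patel",         "business_associate"),
    "u.okafor":      ("N. Okafor, RN",        "employee"),
    "u.garcia":      ("L. Garcia, Billing",   "employee"),
    "sys.lab":       ("Laboratory interface", "system"),
    "sys.telemetry": ("Telemetry interface",  "system"),
}


def _ev(ts: str, patient: str, actor: str, action: str) -> AccessEvent:
    return AccessEvent(datetime.fromisoformat(ts), patient, actor, action)


# Constructed sample log: two patients, one actor missing from the directory.
EVENTS: List[AccessEvent] = [
    _ev("2011-10-03T08:15", "P-1001", "u.patel",       "view"),
    _ev("2011-10-03T08:20", "P-1001", "u.okafor",      "update"),
    _ev("2011-10-03T09:02", "P-1001", "sys.lab",       "interface"),
    _ev("2011-10-03T09:03", "P-1001", "sys.telemetry", "interface"),
    _ev("2011-10-03T09:04", "P-1001", "sys.telemetry", "interface"),
    _ev("2011-10-03T09:30", "P-2002", "u.patel",       "view"),
    _ev("2011-10-04T07:45", "P-1001", "u.patel",       "view"),
    _ev("2011-10-04T11:10", "P-1001", "u.garcia",      "print"),
    _ev("2011-10-04T11:12", "P-1001", "u.temp42",      "view"),
]


def compile_access_report(
    events: Iterable[AccessEvent],
    actors: Dict[str, Tuple[str, str]],
    patient_id: str,
    *,
    actor_id: Optional[str] = None,           # narrow to one user
    start: Optional[str] = None,              # ISO timestamp, inclusive
    end: Optional[str] = None,                # ISO timestamp, inclusive
    actions: Optional[Iterable[str]] = None,  # narrow to kinds of access
    include_system: bool = True,              # keep system-to-system exchanges?
) -> List[dict]:
    """Return the rows the patient would receive, oldest access first."""
    lo = datetime.fromisoformat(start) if start else None
    hi = datetime.fromisoformat(end) if end else None
    wanted = set(actions) if actions else None
    rows = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.patient_id != patient_id:
            continue
        # Unknown logins are reported by raw ID and flagged, never dropped:
        # an access the entity cannot attribute is itself a finding.
        name, kind = actors.get(e.actor_id, (e.actor_id, "unresolved"))
        if kind == "system" and not include_system:
            continue
        if actor_id is not None and e.actor_id != actor_id:
            continue
        if lo is not None and e.ts < lo:
            continue
        if hi is not None and e.ts > hi:
            continue
        if wanted is not None and e.action not in wanted:
            continue
        rows.append({
            "when": e.ts.isoformat(timespec="minutes"),
            "who": name,        # plain-language name, or the raw ID if unresolved
            "kind": kind,
            "action": e.action,
        })
    return rows


def summarize_by_kind(rows: List[dict]) -> Dict[str, int]:
    """Volume per actor kind, so a patient can see how much is machine traffic."""
    return dict(Counter(r["kind"] for r in rows))


def render(rows: List[dict]) -> str:
    return "\n".join(
        f"{r['when']}  {r['who']:<22} {r['kind']:<18} {r['action']}" for r in rows
    )


if __name__ == "__main__":
    full = compile_access_report(EVENTS, ACTORS, "P-1001")
    print(render(full))
    print(summarize_by_kind(full))
    print(render(compile_access_report(EVENTS, ACTORS, "P-1001",
                                       include_system=False, actions=["view"])))
```

On the constructed log, the unfiltered report for P-1001 holds eight rows, three of them interface traffic; dropping system accesses and narrowing to views leaves three. The per-kind summary is the kind of figure a patient education handout could cite when explaining why the full report is long and what the narrower options remove.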
What will come to pass in the final rule? That will not be known until OCR publishes it. Privacy advocates were nearly unanimous in their public comments that the right to an access report fills a significant hole in the original HIPAA Privacy rule and gives the patient an important tool for holding covered entities more accountable for their use or disclosure of a patient's ePHI. Suffice it to say that OCR has a delicate balance to strike in the final rule making.
John Travis is Senior Director and Solution Strategist for Compliance for Cerner Corporation. He oversees solution management for responding to the regulatory requirements of Medicare payment rules, CMS quality measurement programs, HIPAA Security and Privacy, ARRA HITECH Meaningful Use incentive programs, Joint Commission accreditation, certification with the Certification Commission for Health Information Technology (CCHIT) and other federal rule making. Travis provides analysis, consulting and knowledge transfer to Cerner associates and clients on federal laws, regulations and industry-wide accrediting requirements, and on the role of software in enabling compliance by our clients. He has been with Cerner since 1986. Travis has a Bachelor's degree in Business Administration from Kansas State University and a Master's degree in Administration with a Health Services concentration from Central Michigan University. Travis is a licensed CPA in the State of Missouri, a Fellow of the Healthcare Financial Management Association (HFMA), and Past President of the Heart of America Chapter of HFMA.