November 01 2011
The patient right to an access report: What will happen?
Back in June, the Office of Civil Rights (OCR) of the U.S.
Department of Health and Human Services (DHHS) published the proposed
rule for implementing perhaps the most challenging of the requirements of
ARRA HITECH related to updating the HIPAA Security and Privacy rules. The
proposed rule addressed the requirements found in Section 13405(c) of ARRA
HITECH for a patient to have the right to an accounting of disclosures for
disclosures made from the electronic health record of the patient’s electronic
personal health information (ePHI).
The OCR put out a request for information to the industry in
May of 2010 asking providers, vendors, payers and other interested parties what
they thought the challenges were in complying with the ARRA HITECH provision. Industry
feedback indicated that many felt the requirement, as written in the statute,
would prove problematic for how HIPAA defines a disclosure. Under the original HIPAA
Privacy rule, disclosures include disclosures related to treatment, payment
or health care operations to business associates.
Disclosures can include electronic accesses to a patient’s
ePHI by business associates. For business associates who are physicians,
advance practice nurses, therapists and other clinicians providing care to
patients, other than their status as contractors, an access by a business
associate using an electronic health record system is indistinguishable from an
access by an employed staff member or physician. A provider would have to have
used usernames, IDs or security roles unique to business associate contractors
for employees to be able to tell them apart, and that is certainly not true for
every hospital or clinic in their user security set-up. Also problematic is that the purpose of the
disclosure (if an online access) might not always be clear and could often only
be implied from the user action logged by the system.
In response in the proposed rule OCR did several interesting
- First, they stepped back and looked at the
statutory language of ARRA HITECH, and also of HIPAA, and assessed what
authority they did have for rule making.
- Second, they determined to revisit the original
accounting of disclosures requirement under the HIPAA Privacy rule, and take
the opportunity to clearly state it with regard to ePHI.
- Third, they proposed to create a new patient
right to receive an “access report” of all accesses to a patient’s ePHI whether
by a employed staff member or a business associate.
The access report also was proposed to include accesses that
represented one system making an electronic request for ePHI from another
system. For both the accounting of disclosures and for the access report, OCR
applied the original HIPAA Privacy rule concept of the “designated record set”
to define the scope of applicability for the proposed rule rather than the ARRA
HITECH concept of the electronic health record (EHR). In so doing, OCR argued
they were using a more appropriate concept already defined in HIPAA regulation
that covered entities as providers were familiar with.
A designated record set in terms of ePHI includes any
systems used to support a purpose related to a treatment or payment related use
or disclosure of the patient’s data. OCR felt the term EHR was too vague to be
able to be cleanly applied by covered entities. In the proposed rule, one could argue the accounting of disclosures was
largely left with the same scope as the original HIPAA Privacy rule patient
right, but explicitly applied to ePHI held in the designated record set. It
included the same types of disclosures as the original HIPAA Privacy right, but
OCR defined a specific list of what types were to be included in the accounting
and what types were not to be included.
For the access report, OCR addressed both accesses by a
natural person (e.g. human) user as well as by systems acting on behalf of
entities to access ePHI through the process of exchange of information system
to system within the covered entity. The access report was proposed to be a
consolidated report of accesses that would be compiled and given to the patient
upon request within 30 days of the request. The report was to include the plain
language name of the user (if a natural person) accessing the patient’s ePHI,
and include accesses both by employees and business associates.
So what are the industry’s concerns with the OCR approach?
Most public comments we have heard* raise three issues – almost all with the
proposed access report:
- The overwhelming volume of access events
possible that might be presented to the patient
- The questionable value of including accesses
that represent system to system exchanges of ePHI within the covered entity –
especially for things like medical device interfaces, telemetry interfaces and
normal interfacing that occurs for communicating admissions, orders, diagnostic
test results and other similar clinical transactions system to system
- The administrative burden of compiling the
access report into a consolidated report
*For a comment letter representative of the concerns of
providers that echoes much of the above – see the Access Report section of the
detailed commentary in the comment
letter of the American Hospital Association.
OCR encouraged providers in the proposed rule to provide
patient education as to options for reducing the volume that might be presented
to something that would be most directly useful to the patient’s interest. This
could include options to obtain a report of accesses by an individual user, for
a date and time range or of a particular kind of access.
What will come to pass in the final rule? That will not be
known until such time as it is published by the OCR. Privacy advocates were
nearly equal in their public comment that the right to an access report fills a
significant hole present in the original HIPAA Privacy rule, and provides an
important tool for the patient to hold covered entities more accountable for
their use or disclosure of a patient’s ePHI. Suffice it to say that OCR has a
delicate balancing act that they will look to strike in the final rule making.
John Travis is Senior Director and Solution Strategist for Compliance for Cerner Corporation. He oversees solution management for responding to the regulatory requirements of Medicare payment rules, CMS quality measurement programs, HIPAA Security and Privacy, ARRA HITECH Meaningful Use incentive programs, Joint Commission accreditation, certification with the Certification Commission on Healthcare Information Technology (CCHIT) and other federal rule making. Travis provides analysis, consulting and knowledge transfer to Cerner associates and clients on federal laws, regulations and industry wide accrediting requirements, and the role of software in enabling compliance by our clients. He has been with Cerner since 1986. Travis has a Bachelor’s degree in Business Administration from Kansas State University, and a Master’s Degree in Administration with a Health Services concentration from Central Michigan University. Travis is a licensed CPA in the State of Missouri, and he is a Fellow with the Healthcare Financial Management Association (HFMA), and Past President of the Heart of America Chapter of HFMA.