So it was no surprise that the notice of proposed rulemaking on disclosures, unveiled May 27, was one of the last HITECH rules to be issued. And if you take the time to read through the lengthy document, you'll see the complexities involved.
The overarching goal of the proposal, which would revise the HIPAA Privacy Rule, is to give patients the right to find out who electronically accesses their records. That way, they can help spot records snoops and guard against invasions of privacy.
Whether you think the rule would be a compliance nightmare or you believe it's an essential step in protecting patient privacy, it's important to make sure your opinion is heard.
But the proposal already is sparking debate on whether its many provisions will prove practical, achievable and useful (see: Reacting to Disclosures Rule Proposal). So you can bet that the Department of Health and Human Services' Office for Civil Rights, which crafted the proposal, will receive plenty of feedback during the 60-day comment period, which ends August 1.
Access Report DetailsOne section of the proposed rule that's attracting a great deal of attention calls for giving patients "access reports" listing everyone who's electronically accessed their records. Some observers were surprised that the rule requires an accounting of all direct access to "designated record sets." That ranges from nurses looking up records while treating patients at a hospital to business associates using patient information for billing. But others say they expected the broad scope.
Adam Greene, a former OCR official who was primary author of the proposal, argues that organizations that have implemented audit logs to help comply with the HIPAA Security Rule shouldn't find it difficult to create the access reports (see: Author Describes Disclosures Rule). Likewise, security consultant Kate Borten of The Marblehead Group says hospitals and others should have implemented sophisticated audit logs a long time ago. And she's pleased that the proposed rule would require access reports, enabling patients to help identify records snoops.
But some others say preparing the reports could prove extraordinarily difficult for many. Most healthcare organizations do not track every access by every user, they argue. And many older information systems, which generate a portion of the information that must be tracked, lack the capability to create logs, says attorney Kathryn Roe of the Health Law Consultancy.
Roe and others argue that providing patients with a lengthy list of the names of those accessing their information won't do much to help protect their privacy. But Greene stresses that patients would be able to request a report on whether a specific individual has accessed their records. And that, indeed, could be a powerful weapon against snooping, such as by an ex-spouse who works at a doctor's office.
Roe joined Kirk Nahra, a partner at the law firm Wiley Rein, in urging security professionals to educate regulators on the difficulty of complying with the proposal by commenting on the rule.
But whether you think the rule would be a compliance nightmare or you believe it's an essential step in protecting patient privacy, it's important to make sure your opinion is heard.
For information on how to comment, see the notice of proposed rulemaking.
Look for expert commentary on the proposal in upcoming guest blogs.