Borten: Access Reports Deserve SupportWhy the Proposed Accounting of Disclosures Rule is Reasonable
The HIPAA Security Rule's information system activity review specification [164.308(a)(1)] requires organizations to "implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports." The rule's audit controls standard [164.312(b)] requires organizations to "implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."
Not unreasonably, HHS's Office for Civil Rights, in its accounting of disclosures proposed rule, assumes that processes are in place at covered entities to meet these requirements. After all, the HIPAA Security Rule has been in force since 2005, and this type of access report, showing who accessed a particular record and when, has been used in healthcare, by the IRS, and in other industries since at least the early 1990s.
Value of Access LogsAccess logs and reports are the primary, if not only, way for organizations and individuals to identify inappropriate electronic snooping by otherwise authorized users - a serious problem wherever many users have access to large electronic databases of personal information. This issue was recognized by the National Research Council in its report, "For the Record," that formed the basis of much of the HIPAA Security Rule. The 1997 report recommends "for immediate implementation" that organizations should "maintain in retrievable and usable form audit trails that log all accesses to clinical information. The logs should include the date and time of access, the information or record accessed, and the user ID under which access occurred."
Access logs and reports are the primary, if not only, way for organizations and individuals to identify inappropriate electronic snooping by otherwise authorized users.
The report adds that organizations "should establish procedures for reviewing audit logs to detect inappropriate accesses." While the National Research Council report is hospital-centric, subsequent HIPAA regulations clearly define protected health information and extend privacy protections to PHI across all covered entities and their business associates.
In a recent HealthcareInfoSecurity article, Reacting to Disclosures Rule Proposal, some argue that OCR's assumption that robust audit capabilities should already be in place at healthcare organizations is faulty. In fact, OCR's assumption is fair, based on the regulations. The lack of access logs and reports is an unfortunate indication of noncompliance. Others deny that this type of access or audit log is required by the rule because the rule writers declined to specify technology or methods. But this is not a particular technology, such as an operating system, database or technical protocol. Access logs and reports are system functions or features, and every vendor implements them through different technologies.
In spite of the importance of the access report (both to help organizations monitor their own users and to help individuals uncover privacy violations), complying with the proposed disclosures rule would not be trivial. Hospitals and others using systems with the access log and reporting capability would have the easiest time, because they're accustomed to maintaining the logs, producing reports and researching their contents, although not necessarily providing patients with the reports. Other covered entities and affected business associates - as well as their IT vendors - may be unfamiliar with the capability and would have to play catch-up.
Designing the functionality shouldn't be difficult for vendors. But the time and money spent by covered entities and business associates in upgrading or replacing systems will have an impact.
The notice of proposed rulemaking suggests that the audit capability should be in every electronic system containing designated record set PHI. This is a laudable goal, but it may not be practical for the first iteration of the rule and is unlikely to be achieved in a limited time frame. For example, the capability may already be in an electronic records system, but not in separate departmental feeder systems, such as a lab system. However, privacy snooping risks are lower in a hospital lab system because only dozens, rather than hundreds or thousands, of users have access to the system, and because the data is limited to labs, a subset of the full electronic health record. More important is to finally implement access logs and reports in major systems across all affected organizations - as was intended by the HIPAA Security Rule.
Weakening PrivacyThe OCR proposal brings both good and bad news about the accounting requirements. For covered entities, it clarifies what disclosures must be included, instead of listing exclusions. And many organizations may be pleased that the scope is limited to PHI in designated record sets and limited to the prior three, not six, years.
However, OCR may be going too far in intending to reduce the burden on organizations while sacrificing privacy rights. Because HIPAA-compliant organizations are already retaining records of reportable disclosures for six years, why should this time period be shortened, especially considering the statute of limitations for civil action is six years? The argument that few individuals seek this accounting is no reason to dilute the right; it is more likely attributable to lack of understanding of how widely PHI is shared and how a disclosure can lead to privacy issues.
OCR proposes limiting the accounting to disclosures of PHI from designated record sets. While the proposal writers acknowledge that PHI privacy can be violated outside a designated record set, they rely on the HITECH Act breach notification rule to inform affected individuals. However, the current breach notification rule gives covered entities discretion in deeming a violation a breach, allowing for gaps in disclosure information that an individual can obtain.
A better approach would be to drop this designated record set limitation. The proposed rule already specifies what types of disclosures must be included in the accounting, making the location of the PHI moot.
Kate Borten is president of The Marblehead Group, a Marblehead, Mass.-based health information privacy and security consulting firm. She formerly was a chief information security officer.
For a different point of view on the federal proposal for access reports, see: Do Americans Need an Access Report?