The Security Scrutinizer with Howard Anderson

EHR Access Reports: Time for Do-Over?

Regulators Need to Consider Suggestions for Changes

We're hoping that the Department of Health and Human Services' Office for Civil Rights takes its time weighing all the comments and then conducts studies leading to a better approach to access reports.

Susan McAndrew, OCR's deputy director for health information privacy, told me in an e-mail this week: "It will take some time to fully assess the comments, as it is OCR's understanding that many raise complex and technical issues with regard to the new requirement for an access report. Once the public comment is analyzed, the next steps include making determinations on whether and how to change any of the rulemaking followed by preparing the final rulemaking for clearance and publication." (See: EHR Access Report Objection Pour In).

We're hoping that the HHS Office for Civil Rights takes its time weighing all the comments and then conducts studies leading to a better approach to access reports. 

All the responses to the proposed rule can be viewed on a government website.

In a recent interview, Dan Rode of the American Health Information Management Association said federal authorities should conduct pilot projects to more precisely determine how much it would cost to generate these access reports and whether many patients would be likely to request them. This kind of research, Rode, predicted, would find that "the regulations are way too prescriptive for the benefit that they're going to provide."

Rode is a strong believer that patients have a right to know who views their records. I share that belief. But there's got to be a better way to do this than just dumping a list of hundreds, if not thousands, of names into patients' laps. Rode, for example, suggests that rather than providing an all-encompassing access list, hospitals or clinics instead check to see whether specific individuals have viewed records.

In its detailed comments on the proposal, Johns Hopkins Medicine summed up its concerns this way:

"There are no other business environments, including the financial industry, where an individual has the right to know the name of every individual who has legitimately or illegitimately accessed his or her information. If the privacy interest that is intended to be served by this new right is that individuals have a right to know whether their information has been inappropriately accessed, permitting individuals to have the right to see the names of hundreds, if not thousands, of individuals who have legitimately accessed their records, most of whom would not be recognizable to the patient, seems overly broad and overly burdensome, in light of the already existing rights and requirements associated with protecting an individual's protected health information."

So do you think the proposal to offer patients reports about everyone who has accessed their records should be scrapped or revised? Or is the proposal a good way to protect against record snooping, as some consumers and patient advocates suggest? We'd like to hear from you.

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.