EHR Access Report Objections Pour In
Regulators Weighing Whether to Alter Proposed Requirements
Now that the comment period is over, the Department of Health and Human Services' Office for Civil Rights will review the comments and determine whether to alter the proposal. "It will take some time to fully assess the comments, as it is OCR's understanding that many raise complex and technical issues with regard to the new requirement for an access report," says Susan McAndrew, OCR's deputy director for health information privacy. "Once the public comment is analyzed, the next steps include making determinations on whether and how to change any of the rulemaking followed by preparing the final rulemaking for clearance and publication."
McAndrew declined to offer an estimate of how long it would take OCR to complete the review of the comments on the Disclosure Rule, which would modify HIPAA.
Responses to the proposed rule can be viewed on a government website.
High Costs, Low Demand?
As reported in a recent blog, the American Health Information Management Association, the Medical Group Management Association and the College of Healthcare Information Management Executives all expressed strong concerns about the access report provision, particularly citing the high cost of preparing to generate the reports that they say relatively few patients are likely to request (see: Proposed Access Report Rule Blasted).
In an interview, Dan Rode of AHIMA said federal authorities should conduct pilot projects to more precisely determine how much it would cost to generate these access reports and whether many patients would be likely to request them. This kind of research, Rode predicted, would find that "the regulations are way too prescriptive for the benefit that they're going to provide."
In responses to OCR, a number of consumers, however, expressed strong support for the access reports. For example, Nancy Degnan, who described herself as a patient who is an employee of the healthcare system where she's being treated, wrote: "As a patient in this situation, it would be useful to know who has accessed my record so I am assured that only the caregivers that I am being treated by are using the record information. It is a safeguard that I would appreciate. I realize this could be difficult from a systems perspective, but I think it is worth figuring out how this can be done for patient peace of mind. It would also serve as a deterrent to staff who take the risk that they won't get found out in an audit for accessing a person's record that they should not be accessing."
But dozens of healthcare organizations expressed concerns about the burden of the reports. Here is a sampling:
Johns Hopkins Medicine
"There are no other business environments, including the financial industry, where an individual has the right to know the name of every individual who has legitimately or illegitimately accessed his or her information. If the privacy interest that is intended to be served by this new right is that individuals have a right to know whether their information has been inappropriately accessed, permitting individuals to have the right to see the names of hundreds, if not thousands, of individuals who have legitimately accessed their records, most of whom would not be recognizable to the patient, seems overly broad and overly burdensome, in light of the already existing rights and requirements associated with protecting an individual's protected health information."
American Hospital Association
The AHA asked OCR to withdraw the access report proposal to allow time for studies on the issues involved.
"The AHA believes that the proposal to create a new individual right to an access report is misguided and does not appropriately balance the relevant privacy interests of individuals with the burdens that will be imposed on covered entities, including hospitals. The proposal is based on a fundamental misunderstanding of the value to individuals of receiving the particular information that the access report would capture, as well as a misunderstanding about the capabilities of technologies available to and used by covered entities. We believe that HHS should significantly alter its approach to ensure that any final regulatory requirements appropriately fulfill the needs of patients who seek to understand how their PHI [protected health information] is disclosed, while simultaneously ensuring that covered entities are technically capable of providing such information without incurring unreasonable burdens to do so."
The American Medical Informatics Association
"... We believe that the proposed new right to an access report ... reflects both an inaccurate and unreasonable interpretation of the HIPAA Security Rule and a dramatic misjudgment of the capabilities of the applicable technology in the healthcare industry. We believe that this report will provide little reasonable benefit to individuals, that the primary interests identified for individuals can be served in much narrower ways, and that the rule - if applied as proposed - would require significant new technology efforts and expenditures from virtually all companies in the healthcare industry, with substantial ongoing burden."
North Carolina Healthcare Information and Communications Alliance
The alliance asked OCR to reconsider the access report provisions based on many concerns, including the "tremendous technical burden" to produce the detailed reports and a cost that could hit "millions of dollars" for some organizations.
"These burdens include the generation of millions of log records to be stored, associated storage space, personnel to manage this system, query capability in multiple systems for a large volume of data to extract requested data for the reports and ultimately having the ability to correlate the data to the audit logs in a meaningful, accurate and manageable way."
(Note: In a recent interview, former OCR official Adam Greene, the primary author of the proposed Disclosures Rule, explained its provisions, including the access report requirement.)