Access Reports: An In-Depth Analysis

Adam Greene and Dan Rode Pinpoint Concerns
Access Reports: An In-Depth Analysis
A federal proposal that would require healthcare organizations to provide patients with a report listing everyone who has electronically accessed their records needs revamping, two regulatory experts agree.

Adam Greene, who helped draft the proposal in his former role at the Department of Health and Human Services' Office for Civil Rights, says the benefits of providing consumers with an all-encompassing list of everyone who has accessed their records may be outweighed by the substantial burden involved in providing such lists. The access report provision is included in a proposed Accounting of Disclosures Rule, required under the HITECH Act, which would modify HIPAA.

Greene made his comments in an interview with HealthcareInfoSecurity (transcript below) that also included Dan Rode of the American Health Information Management Association. The association contends that hospitals and clinics lack the ability to easily combine and analyze access log information from the dozens of information systems that house patient information. AHIMA has called for pilots to test approaches to consolidating this information and determine whether, in fact, the aggregate reports would provide useful information to consumers. Such tests would enable federal officials to weigh the costs against the benefits, he contends.

Cost Concerns

Greene stresses that OCR needs to take into consideration the hundreds of comments received from organizations, including AHIMA (see: EHR Audit Report Objections Pour In). "For a lot of entities, there will be a significant cost upfront, and the cost with respect to aggregating multiple systems may have been underestimated by OCR," he says. "The comments are well-founded, and I expect that OCR will give them significant weight."

He also calls AHIMA's suggestion for pilot projects "a great idea," although he notes regulators face a 2013 deadline under the HITECH Act to enact certain guidelines.

AHIMA has called for regulators to consider greatly narrowing the access report mandate, focusing on providing patients with reports on whether specific individuals have accessed their records. And Greene also suggests OCR consider this option, especially in light of the costs involved in creating the all-encompassing lists.

Review of Key Issues

In the interview:
  • Rode expresses concern that providing patients with a list of hospital or clinic employees' names could pose a security risk. "The concern was that individual workforce members have in the past been stalked by patients," he notes.
  • Greene acknowledges this safety issue is a legitimate concern that could be eliminated if providers only needed to respond to patients' requests for an accounting of records access by specific individuals, rather than providing an all-encompassing list.
  • Rode notes that OCR in the past has taken into consideration comments on its proposed rules and altered them as a result. And Greene says "there's a good chance" that OCR will re-evaluate the access report proposal because it underestimated the costs involved in creating the reports.

Greene until recently was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing HIPAA privacy and security rules as well as the breach notification rule. In his new role as partner at Davis Wright Tremaine LLP in Washington, he specializes in HIPAA and HITECH Act issues.

Rode is vice president of policy and government relations at AHIMA, a trade association for health information managers at hospitals, clinics and other healthcare organizations.

Access Report Provision

HOWARD ANDERSON: Adam, could you start by briefly describing what the access report provision would require?

ADAM GREENE: The access report is really focused on answering a very specific question that sometimes patients have, which is: Exactly who has seen my information? It's not looking at the more general question of why have people seen my information or why has my information been shared. The access report would include the exact date and time of access and the name of any person accessing the record. There may be certain circumstances, such as when an outside organization has access, where a full name is not available, but the preamble suggests an expectation that for internal access, you would have the full name of an employee.

You would also include a description of the information accessed, such as medications or diagnoses, if that is available. If a particular system is not able to log that, there is no expectation that systems would need to be changed or upgraded to have this capability. And similarly, if the system is able to record the user action, such as viewing, modifying, deleting or printing then that should be included, but once again, only if that is available.

ANDERSON: Dan, what do you think of the basic concept of an access report?

RODE: We have no problem with the basic concept. We agree with Adam and the Office for Civil Rights that ... individual patients are interested in who saw their record, so we believe that the individual has a right to know who has accessed their record or to have their questions answered related to access.

Cost Concerns

ANDERSON: Dan, AHIMA has expressed concerns about the cost and difficulty in preparing the reports that lists everyone who has electronically accessed the patient's information, and you've called for a pilot to determine the actual cost involved. Please briefly explain those concerns.

RODE: The concern is that we're looking at access to the designated records set. First of all, outside of a small private practice that may only have one electronic record system, when you get to hospitals and large clinics, you can have many different systems, each of which is logging as required by HIPAA but not necessarily recording the information in the same way, and in many cases not ... identifying the accessors in the same way. If a request is made for all access, it means pulling together the log information right now, the very basic log information from these disparate sets, and then someone has to sit down and identify or cross-identify the individuals involved and then pull all that information together; and that's a manual system.

... HIPAA did not require that we put a composite together that handles all those systems. At this point in time, it's an issue of both coming up with common language or common data that would be used in each of the disparate systems as well as a means to then gather that data, analyze it and put it into a report that the individual could read. The ability to do this just isn't there in any kind of a mid-sized to larger facility to take into account that kind of a request. We can do a much better job on a specific request because generally, through role identification, we automatically know whether a particular individual or individuals have access to what systems and we can easily do an audit on those; this is already being done.

We wanted to see a pilot because we really do need to come up with software and a language to allow for the consolidation of all these log reports into a single report, and we want to see if that system then can answer the general questions of the individuals.

This is an idea that came up during our meetings. We had a number of meetings with a group of HIM [health information management] professionals, and the idea came up to actually test it and see if it worked. Since there is no system out there right now, we thought it would be helpful to have the healthcare industry, working with vendors and working with OCR, put something together that everybody could agree upon. ... We had talked to some of the consumer groups who didn't believe that the rule, as it was proposed, really answered the questions that they thought were important to people. We thought there needed to be a consumer perspective [in a pilot]. We also thought it would provide a little better information than what was involved in the proposed rule as far as the cost because no one has a system right now that can do this.

We ... did not have a good idea of how to respond to the question of what it would cost to put one of these in and how we would look at that cost from the standpoint of demand. To use a simple example that someone raised; if there were only three people that asked for their access report in a single year and we had spent $150,000 to make the system changes, does that mean that it's $50,000 per request? Given all the other costs going on right now, given ICD-10 implementation, [electronic health record] meaningful use implementation and a number of other Medicare and private requirements, folks just felt that a pilot might be a better way to make sure that we move forward on this, get a consensus as to what the rules should be and what kind of system we should be building, as the nation moves on to a standardized electronic health record system and enterprise record systems; and do it in a [uniform] way rather than have 6,000 different hospitals and hundreds of thousands of different providers each trying to come up with their own solution.

ANDERSON: Adam, what's your reaction to the concerns of AHIMA and many others about the cost and difficulties involved in preparing detailed access reports? And would you support pilots to study the issue?

GREENE: I think that the concerns are very well-founded. First off, this is a proposed rule, and the whole point of doing it as a proposed rule and seeking comments is to find out to what extent the rule will work in process. And what we've seen is certainly a large number of comments indicating it would not. I think the rule was premised on the concept that there wouldn't be significant up-front costs; that entities should already be logging access to who is seeing this information and that there wouldn't be much cost up-front, but rather the cost would be related to aggregating reports for multiple systems. There certainly is recognition in the preamble that you could have dozens, or even hundreds of systems, that would have to be aggregated.

What we've been hearing is the idea "there's not cost up-front" was misplaced, that for a lot of entities there will be significant cost up-front and then that the cost with respect to aggregating multiple systems may have been underestimated by OCR. I think the comments are well-founded, and I expect OCR will give them significant weight.

With respect to a pilot program, I think it's a great idea. I think the challenge is actually to the extent that HHS' hands are tied in that they have a date of 2013 with respect to electronic health records, not the entire designated record set ... to have regulations in effect on this point; that's based on the HITECH ACT provision. That may be one of the biggest challenges - how to address the HITECH provision with respect to EHRs in some form by 2013 while still having enough time to both gather information to improve upon the rule and give everyone the time required to come into compliance with the rule.

Accommodating Individual Requests

ANDERSON: Dan, AHIMA has questioned how many patients would actually want to obtain a list of everyone who has electronically viewed their information. Do you think it would be more practical and feasible to instead accommodate only requests to determine if specific individuals have accessed a record?

RODE: Again, talking with the professionals out in the field, no one could come up with a situation where a request was made to determine all of the individuals who accessed a record. Normally, the request was for a specific individual or individuals that were thought to have improperly accessed the records. The concern about a listing of everyone that's accessed the record is, first of all, having to consolidate all of the disparate systems that could potentially fit under the requirement and then secondly just the massive number ...of systems [that may be involved] and [the large number of] individuals that might access the systems ... during a hospital stay. We were aware of a couple of folks that tested this that did have the ability to look at the numbers. They didn't consolidate the reports, but in totaling up just the number of accesses in a week-and-a-half long hospital stay, there were over 2,000 pages of printouts. Again, that can be made electronic, but then you start getting into: Do we also put them in some order? What's the correct order? It just seemed like a lot of work for something that no one had any previous request for that kind of a report.

ANDERSON: Would you like to see the rule modified to only require developing reports about specific individual's access, rather than everyone who has accessed a record?

RODE: I would have to say that certainly is the direction that we are leaning. I'm sure there could be a case made for all access and certainly we have recommended to our members that they internally be looking at their different systems and access on a periodic basis just to ensure their compliance. But at this point in time, I would say yes, we'd like to see the requirement be made to specific individuals, recognizing that there is nothing to prohibit someone asking for a larger access [report], such as under an audit process maybe developed in a court case or something of that sort ... but not just as a day-to-day thing that everybody could just walk in and say, "I want a copy of everyone that has accessed my system." We also believe that we've also got requirements associated with breach notification that also give rights to the patient to find out if there has been an inappropriate access or release of their information.

Providing Complete Lists

ANDERSON: Adam, please describe why you believe providing patients with a complete list of everyone who has viewed their information would be helpful in protecting their privacy.

GREENE: The potential benefit, I think, would be in circumstances where the individual feels that their privacy has been violated but doesn't know by whom - as sort of a self-investigatory tool, where seeking an entire list would potentially give them information that a neighbor saw their information or they were terminated from their job and they now discover that the wife of the human resources director works at the hospital. I think that's the potential benefit.

That being said, I think that benefit may be greatly outweighed in practice from what I'm hearing when you look at the entire burden associated with trying to aggregate or put together a list such as that and the potential consequences of providing such a list, consequences both with respect to the amount of confusion it might cause to the patient when they see a list of thousands of names ... and then also the issues around employee safety and other areas. While I think there may be some benefit, I don't know that the benefit necessarily outweighs the substantial burden that covered entities are finding would be the case to provide such a list.

ANDERSON: What do you think of this notion Dan just mentioned about changing the rule to accommodate only patients' request to determine if a specific individual has accessed their record? Is that more practical and feasible?

GREENE: I think in light of what the industry has been saying that the potential burden would be, I think it's something that the government should certainly consider as a more viable option, a better balance and benefit. It's something that probably OCR has heard a lot of at this point and may give some thought to.

Protecting Staff Members

ANDERSON: Dan, I understand some members of your association have expressed concern about sharing the names of staff members with patients. What's the concern, and how could the access reports be altered to address that concern?

RODE: The concern was that individual workforce members have, in the past, been stalked by patients ... But part of this concern also comes out of the idea that you would produce a massive list of every workforce member who has seen the document ... If a person has requested that we look at whether a particular individual had access to her record, we would certainly identify that individual in a report. That's a little different situation. But we just didn't believe that having a long list of every person in the workforce would be beneficial. We presumed a lot of questions, and, quite frankly, most of the healthcare staff that works with an individual patient's care are not identified to the individual. You usually get to know the doctor, you get to know the nurses but you don't know all the other folks that are in the back of the hospital, working on your care that may have their name identified. We just think it's protection for the individual employees. We don't think it gives them any more reason to be looking at records that they shouldn't be looking at, but if a blanket report were produced, we feel that identifying staff by an identifier number or something would be more appropriate, except again for the [specific] individuals that the patient may have been concerned with.

ANDERSON: Adam, what's your reaction to these safety concerns about revealing the names of staff members?

GREENE: I share the concern. I have to admit that in a request for information that initially sought information back in May of 2010, a few commenters pointed to safety concerns. And I admit, having been involved in the rule making, that the rule really doesn't address [those concerns], which have been voiced much louder now. ... I think it is a valid concern that could be eliminated by the suggestion of AHIMA to limit this to a request for specific person's access versus providing an overall risk.

I've also heard the concern - I don't necessarily put it up there with employee safety but I think it's a valid concern - of what's called social engineering, which is the idea that people can breach information security through trickery ... And having the names of individuals who have authorized access and knowing when they accessed the information can actually be a valuable tool and a potential vulnerability with respect to information security. In other words, someone calls up and says, "My name is John Doe," who happens to be an administrator or who is someone who has authorized access [to records]. "I've gotten locked out I need you to provide me with access." There may be some information security vulnerability there.

I think the employee safety issue is a very valid one. It's tough to put in place employee safety versus patient privacy. But I think it's something that needs to be addressed and I think it can be mitigated through a more limited access report.

Access Report Revisions

ANDERSON: To wrap up, Adam, do you think the Office for Civil Rights might alter the access report provision in light of the hundreds of comments received? And if so, how do you think they'll alter it?

GREENE: I think to the extent that the comments indicate that the access report was based on some premises that were not really accurate, there's a good chance that OCR will re-evaluate this. I've heard of organizations who previously were proponents of the idea of an access report and in essence requested the idea of an access report, and then, having learned more about the practical realities of the current state of the industry, have gone to OCR and said, "We were not entirely correct here and this whole approach may need to be rethought." I think organizations like that ... really may make OCR proceed with caution in this area and re-evaluate things. I've certainly heard a lot of talk about the idea of it being limited to an EHR or even more specifically a certified EHR [rather than a complete designated record set]. It will be interesting to see if they respond to that.

It's a tough area because, frankly, defining what constitutes an EHR is a challenge unless you point to certification, and I don't think anyone necessarily wants to [discourage] people from adopting certified EHR technologies. It's a tough policy challenge. ... Certainly, a more limited access report, something such as what has been suggested, is something that OCR may consider.

ANDERSON: And, Dan, why don't you summarize what you hope will happen now?

RODE: First of all, I want to mention something that Adam mentioned early on, and that is OCR especially has worked very closely with the community on many of the items, and so we expect that they will be definitely giving good consideration to the recommendations that have come in.

As I stated early on, we do believe that a patient has a right to this information. ... The community of vendors, consumers and healthcare providers and others covered by HIPAA need to sit down with OCR and come up with the best way that we can look at meeting this right and need of the consumer, and doing so in such a way that we can blend it into the other things that are happening with electronic health records, and ... looking at the what we would call enterprise record of an organization so that the individual does have knowledge of all the information on them and not just the segment of that.

Adam has also noted the legislative constraints that are out there, but if this can be done, we believe that it's a much better way of working this through and I suspect we might even be able to partner with consumer organizations to look to Congress if additional time is needed.

About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.