The Expert's View with Kate Borten

Borten: Access Reports Deserve Support

Why the Proposed Accounting of Disclosures Rule is Reasonable

It's natural to resist change, and especially a change that requires work to implement. But the Department of Health and Human Services' Office for Civil Rights' recent notice of proposed rulemaking on accounting of disclosures introduces a valuable privacy tool for individuals, the access report, that deserves industry support.

The HIPAA Security Rule's information system activity review specification [164.308(a)(1)] requires organizations to "implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports." The rule's audit controls standard [164.312(b)] requires organizations to "implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."

Not unreasonably, HHS's Office for Civil Rights, in its accounting of disclosures proposed rule, assumes that processes are in place at covered entities to meet these requirements. After all, the HIPAA Security Rule has been in force since 2005, and this type of access report, showing who accessed a particular record and when, has been used in healthcare, by the IRS, and in other industries since at least the early 1990s.

Value of Access Logs

Access logs and reports are the primary, if not only, way for organizations and individuals to identify inappropriate electronic snooping by otherwise authorized users - a serious problem wherever many users have access to large electronic databases of personal information. This issue was recognized by the National Research Council in its report, "For the Record," that formed the basis of much of the HIPAA Security Rule. The 1997 report recommends "for immediate implementation" that organizations should "maintain in retrievable and usable form audit trails that log all accesses to clinical information. The logs should include the date and time of access, the information or record accessed, and the user ID under which access occurred."

The report adds that organizations "should establish procedures for reviewing audit logs to detect inappropriate accesses." While the National Research Council report is hospital-centric, subsequent HIPAA regulations clearly define protected health information and extend privacy protections to PHI across all covered entities and their business associates.

In a recent HealthcareInfoSecurity article, Reacting to Disclosures Rule Proposal, some argue that OCR's assumption that robust audit capabilities should already be in place at healthcare organizations is faulty. In fact, OCR's assumption is fair, based on the regulations. The lack of access logs and reports is an unfortunate indication of noncompliance. Others deny that this type of access or audit log is required by the rule because the rule writers declined to specify technology or methods. But this is not a particular technology, such as an operating system, database or technical protocol. Access logs and reports are system functions or features, and every vendor implements them through different technologies.

In spite of the importance of the access report (both to help organizations monitor their own users and to help individuals uncover privacy violations), complying with the proposed disclosures rule would not be trivial. Hospitals and others using systems with the access log and reporting capability would have the easiest time, because they're accustomed to maintaining the logs, producing reports and researching their contents, although not necessarily providing patients with the reports. Other covered entities and affected business associates - as well as their IT vendors - may be unfamiliar with the capability and would have to play catch-up.

Designing the functionality shouldn't be difficult for vendors. But the time and money spent by covered entities and business associates in upgrading or replacing systems will have an impact.

The notice of proposed rulemaking suggests that the audit capability should be in every electronic system containing designated record set PHI. This is a laudable goal, but it may not be practical for the first iteration of the rule and is unlikely to be achieved in a limited time frame. For example, the capability may already be in an electronic records system, but not in separate departmental feeder systems, such as a lab system. However, privacy snooping risks are lower in a hospital lab system because only dozens, rather than hundreds or thousands, of users have access to the system, and because the data is limited to labs, a subset of the full electronic health record. More important is to finally implement access logs and reports in major systems across all affected organizations - as was intended by the HIPAA Security Rule.

Weakening Privacy

The OCR proposal brings both good and bad news about the accounting requirements. For covered entities, it clarifies what disclosures must be included, instead of listing exclusions. And many organizations may be pleased that the scope is limited to PHI in designated record sets and limited to the prior three, not six, years.

However, OCR may be going too far in intending to reduce the burden on organizations while sacrificing privacy rights. Because HIPAA-compliant organizations are already retaining records of reportable disclosures for six years, why should this time period be shortened, especially considering the statute of limitations for civil action is six years? The argument that few individuals seek this accounting is no reason to dilute the right; it is more likely attributable to lack of understanding of how widely PHI is shared and how a disclosure can lead to privacy issues.

OCR proposes limiting the accounting to disclosures of PHI from designated record sets. While the proposal writers acknowledge that PHI privacy can be violated outside a designated record set, they rely on the HITECH Act breach notification rule to inform affected individuals. However, the current breach notification rule gives covered entities discretion in deeming a violation a breach, allowing for gaps in disclosure information that an individual can obtain.

A better approach would be to drop this designated record set limitation. The proposed rule already specifies what types of disclosures must be included in the accounting, making the location of the PHI moot.

Kate Borten is president of The Marblehead Group, a Marblehead, Mass.-based health information privacy and security consulting firm. She formerly was a chief information security officer.

For a different point of view on the federal proposal for access reports, see: Do Americans Need an Access Report?

About the Author

Kate Borten

Kate Borten

President, The Marblehead Group

Borten, founder of The Marblehead Group, provides her clients with expertise in security, privacy, and health IT from over 20 years inside the healthcare industry. In the 1990s she led the enterprise-wide security program at Massachusetts General Hospital; and as Chief Information Security Officer, she established the first information security program at Beth Israel Deaconess Medical Center and CareGroup in Boston. Borten is a nationally-recognized expert on HIPAA and health information privacy and security, a frequent speaker on these topics, and author of tools and books including HIPAA Security Made Simple (HCPro 2013). The Marblehead Group, founded in 1999, provides HIPAA privacy and security risk assessments, compliance auditing, training, and solutions to the healthcare industry. Clients include the full range of providers, health plans, and business associates.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.