Disclosures Rule: Challenges, BenefitsSecurity Expert Pinpoints Potential Trouble Spots
I believe that the Accounting of Disclosures proposal generally falls closely in line with the HITECH Act requirements. But I want to discuss a couple of the areas that I believe will bring specific challenges when preparing to comply with this proposed rule.
Revealing Workers' NamesSome of the covered entities I work with were immediately concerned with documenting the names of the workers who have accessed protected health information and providing this information to all individuals who request an "access report" as described in the proposed rule. This will be problematic in a few significant ways.
For many CEs, revealing workers who have accessed records will violate their human resources policies that prohibit the release of worker names to those outside of the organization. Many CEs fear this would not only violate their workers' privacy and negatively impact their caregiving activities, but they also believe providing specific names could create safety issues for workers as well. Additionally, providing worker names in this way could possibly violate some local and state laws.
Preparing access reports listing employees who have viewed records should help to reduce the number of inappropriate access incidents.
These concerns aside, access reports will likely help to stem the tide of what seems to be rampant snooping and criminal activities committed by insiders.
For example, last year, a nurse contacted me after reading one of my blog posts and told me how one of her co-workers had accessed her patient files inappropriately, and then subsequently spread misinformation about her various medical procedures around her small community, resulting in not only emotional distress for her, but also all her family members. Her children became the targets of bullying at school, instigated by the children of those co-workers, who started spreading her medical information along with accompanying rumors. Would this hostile worker have snooped if she had known her actions would be documented in an access report? Possibly not.
Preparing access reports listing employees who have viewed records should help to reduce the number of inappropriate access incidents. After all, if a worker knows that their co-worker can see an access report that reveals his or her snooping, they will be less likely to snoop.
There needs to be a way to balance the potential benefits with the potential risks of providing worker names within access reports. The proposed accounting of disclosures rule indicates that the access report must contain the "name of the natural person, if available, otherwise name of entity." Thus, it would seem reasonable that an entity could be indicated instead of an individual in an access report under specific circumstances when it would create risks to the workers to name them. It would be beneficial for HHS to clarify how this could be done in appropriate situations to address the concerns related to revealing worker identities.
Business Associate IssuesThe proposed rule's access report provision also would require business associates to account for access to electronic protected health information in designated record sets and provide that information to CEs.
The requirement to log access to ePHI is not new; it's a long-time requirement for covered entities under HIPAA Security Rule, Â§ 164.312 Technical safeguards section (b). It's likely that many CEs have not actually taken steps to comply yet, but the fact remains that they've had years to address implementation of logging activities. The proposed rule details how to use this information and brings to light this long-time requirement.
Also, logging access and other activities is not a new IT concept. When I was a systems analyst in the late 1980s, I created and maintained an online version control system for a large multi-national healthcare and financial organization. My system logged about every type of activity you could imagine, as did all the other applications and systems in the organization. Today, applications and systems are already capable of extensively logging a wide range of activities in even more ways.
Until the HITECH Act, however, most business associates did not know anything about HIPAA Security Rule and Privacy Rule requirements; in fact, most business associates are still trying to understand.
Over the past several years, I've done more than 200 HIPAA reviews for business associates, and most of them had little knowledge of what HIPAA actually was all about. Most didn't even have a good grasp of what they had agreed to do for safeguards under the terms of their business associate agreements. I spent as much time teaching them about HIPAA during those reviews as I did doing the reviews themselves.
More specifically, most business associates do not know what a designated record set is. (For a discussion, see my blog post, Designated Record Sets: Know What They Are!) This will be one more requirement to add to their already overwhelming to-do list.
Business associates that are still struggling to understand and get into compliance with HIPAA may fall victim to opportunistic software vendors with so-called "all-in-one solutions" who try to take advantage of this lack of understanding in order to make a sale.
Need for GuidelinesWith the growing cases of insiders snooping into patient files or even taking patient information and committing significant crimes, there certainly are benefits to being able to determine who has accessed protected health information in all forms. Growing numbers of medical identity theft incidents not only can impact finances and bring embarrassment; they can also have a devastating impact on the health of those whose records have been compromised.
The public is simply tired of having incidents occur because of inappropriate access to their medical records, and they want to be able to know who is looking at their medical information. Such information is also useful when investigating information security events and break-ins from outside the entities. The Accounting of Disclosure proposed requirements help to provide a way to give them that capability.
Individuals should have a right to receive a report about who has accessed their protected health information. However, the challenges just described, plus others, need to be considered when refining the proposal's requirements in a final version of the rule.
Rebecca Herold offers information security, privacy and compliance consulting, as well as training, through her company, Rebecca Herold & Associates.