The Security Scrutinizer with Howard Anderson

Proposed Records Access Reports Blasted

CHIME, MGMA, AHIMA, Portray Requirement as Unreasonable

Whether you agree or disagree with this point of view, time is running out to make your views known. Comments are due by Monday, Aug. 1.

The Medical Group Management Association, the College of Healthcare Information Management Executives and the American Health Information Management Association are asking the Department of Health and Human Services' Office for Civil Rights to rethink the access report requirement with input from the stakeholders involved.

Considering how infrequently physician practices receive these requests from patients, the proposed rule fails to meet the statutory requirement to balance the needs of patients with the burden on providers. 

The Accounting of Disclosures Rule, mandated under the HITECH Act, would modify the HIPAA privacy rule.

MGMA notes that an online survey of 1,400 of its members found that more than 90 percent said it would be "very" or "extremely" burdensome to produce an access report that meets the proposed requirements. In addition, 55 percent said that they haven't received even one request in the past 12 months from a patient for information about who has accessed their records.

"Considering how infrequently physician practices receive these requests from patients, the proposed rule fails to meet the statutory requirement to balance the needs of patients with the burden on providers," says William Jessee, M.D., MGMA's president and CEO. "These reports, which would be required to show all electronic access to a patient's health information for up to three years, could be hundreds or even thousands of pages long, making them extremely challenging for physician practices to produce and of little practical value to the patient receiving them."

AHIMA also expresses strong concerns about the costs involved in preparing detailed access reports, contending that "a manual process would be required to collect data from each system, convert it into readable form and then explain it to the individual. Producing a full set of access reports for all designated record sets is unduly burdensome and expensive, especially since large hospitals have dozens to hundreds of ... systems containing PHI [protected health information].

AHIMA also states: "Our concern is that the money to be spent to develop these new systems, divided by the number of requests, will result in a very high cost per request."

More Harm Than Good?

MGMA also contends the access report proposal could do more harm than good.

"Our concern is that if this proposal moves forward, the report requirement could have the unintended consequence of discouraging physician practices from investing in new technology and undermine efforts to enhance patient care and improve efficiency through EHRs," Jessee says. Why? Well, the MGMA survey found that 42 percent of practice administrators would consider the access report requirement for creating an accounting of everyone who has viewed electronic health records either a "strong disincentive" or a "complete disincentive" for adopting an EHR system.

For its part, CHIME urges HHS to drop the access report requirement from the proposed rule. "The ability to aggregate hundreds or even thousands of access events in any automated fashion is not realistic for most covered entities, never mind across covered entities and their numerous business associates," CHIME states in its comment letter.

If regulators want to further pursue the concept, CHIME says, "we would instead recommend that stakeholders be convened to better assess what is technically feasible. ..."

AHIMA suggests that regulators "develop a pilot to test the assumptions" behind the access report concept. "Such a pilot should also test consumer awareness and education. ... the burdens will not be known if we cannot determine how the average consumer will or will not request an access report."

Safety Concerns

One aspect of the access reports that's proving to be worrisome to many is the requirement to list the names of every individual who has viewed a patient's "designated record set," which raises concerns about personal privacy and safety issues. CHIME suggests: "A safer alternative would be to require patients to provide a covered entity with specific names ... to determine whether those individuals have or have not accessed the patient's information."

AHIMA offers a similar point of view. "While we fully support the requirement allowing an individual to have knowledge of access, we also want to protect the workplace staff of the covered entity. AHIMA supports narrowing the requests to specific individuals when possible."

AHIMA notes that in some emergency departments and psychiatric facilities, clinicians use pseudonyms "to avoid patients stalking or contacting them outside the workplace. Access accounting would require facilities to share the legal names of their providers, which defeats the protections that have been in place for long periods of time. Our HIM professionals report several situations where employees have been stalked when full identification has been given."

The HHS Office for Civil Rights, which drafted the rule, will have its hands full reading all the comments it receives on this rule. We'll be watching to see what actions it takes as a result of the comments received.

It would be a shame to totally reject the idea of giving patients the ability to discover who has viewed their electronic records. But it's clear that the access report requirement, as written, still needs a lot of work.



About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.