EHR Access Report Objections Pour In

Regulators Weighing Whether to Alter Proposed Requirements
EHR Access Report Objections Pour In
Federal authorities have received more than 400 comments on a proposed Accounting of Disclosures Rule, including many complaints that its patient record access report provision is impractical. The provision would require healthcare organizations to provide patients, upon request, with a complete list of everyone who has electronically viewed their information.

Now that the comment period is over, the Department of Health and Human Services' Office for Civil Rights will review the comments and determine whether to alter the proposal. "It will take some time to fully assess the comments, as it is OCR's understanding that many raise complex and technical issues with regard to the new requirement for an access report," says Susan McAndrew, OCR's deputy director for health information privacy. "Once the public comment is analyzed, the next steps include making determinations on whether and how to change any of the rulemaking followed by preparing the final rulemaking for clearance and publication."

McAndrew declined to offer an estimate of how long it would take OCR to complete the review of the comments on the Disclosure Rule, which would modify HIPAA.

Responses to the proposed rule can be viewed on a government website.

High Costs, Low Demand?

As reported in a recent blog, the American Health Information Management Association, the Medical Group Management Association and the College of Healthcare Information Management Executives all expressed strong concerns about the access report provision, particularly citing the high cost of preparing to generate the reports that they say relatively few patients are likely to request (see: Proposed Access Report Rule Blasted).

In an interview, Dan Rode of AHIMA said federal authorities should conduct pilot projects to more precisely determine how much it would cost to generate these access reports and whether many patients would be likely to request them. This kind of research, Rode, predicted, would find that "the regulations are way too prescriptive for the benefit that they're going to provide."

In responses to OCR, a number of consumers, however, expressed strong support for the access reports. For example, Nancy Degnan, who described herself as a patient who is an employee of the healthcare system where she's being treated, wrote: "As a patient in this situation, it would be useful to know who has accessed my record so I am assured that only the caregivers that I am being treated by are using the record information. It is a safeguard that I would appreciate. I realize this could be difficult from a systems perspective, but I think it is worth figuring out how this can be done for patient peace of mind. It would also serve as a deterrent to staff who take the risk that they won't get found out in an audit for accessing a person's record that they should not be accessing."

But dozens of healthcare organizations expressed concerns about the burden of the reports. Here is a sampling:

Johns Hopkins Medicine

"There are no other business environments, including the financial industry, where an individual has the right to know the name of every individual who has legitimately or illegitimately accessed his or her information. If the privacy interest that is intended to be served by this new right is that individuals have a right to know whether their information has been inappropriately accessed, permitting individuals to have the right to see the names of hundreds, if not thousands, of individuals who have legitimately accessed their records, most of whom would not be recognizable to the patient, seems overly broad and overly burdensome, in light of the already existing rights and requirements associated with protecting an individual's protected health information."

American Hospital Association

The AHA asked OCR to withdraw the access report proposal to allow time for studies on the issues involved.

"The AHA believes that the proposal to create a new individual right to an access report is misguided and does not appropriately balance the relevant privacy interests of individuals with the burdens that will be imposed on covered entities, including hospitals. The proposal is based on a fundamental misunderstanding of the value to individuals of receiving the particular information that the access report would capture, as well as a misunderstanding about the capabilities of technologies available to and used by covered entities. We believe that HHS should significantly alter its approach to ensure that any final regulatory requirements appropriately fulfill the needs of patients who seek to understand how their PHI [protected health information] is disclosed, while simultaneously ensuring that covered entities are technically capable of providing such information without incurring unreasonable burdens to do so."

The American Medical Informatics Association

"... We believe that the proposed new right to an access report ... reflects both an inaccurate and unreasonable interpretation of the HIPAA Security Rule and a dramatic misjudgment of the capabilities of the applicable technology in the healthcare industry. We believe that this report will provide little reasonable benefit to individuals, that the primary interests identified for individuals can be served in much narrower ways, and that the rule - if applied as proposed - would require significant new technology efforts and expenditures from virtually all companies in the healthcare industry, with substantial ongoing burden."

North Carolina Healthcare Information and Communications Alliance

The alliance asked OCR to reconsider the access report provisions based on many concerns, including the "tremendous technical burden" to produce the detailed reports and a cost that could hit "millions of dollars" for some organizations.

"These burdens include the generation of millions of log records to be stored, associated storage space, personnel to manage this system, query capability in multiple systems for a large volume of data to extract requested data for the reports and ultimately having the ability to correlate the data to the audit logs in a meaningful, accurate and manageable way."

(Note: In a recent interview, former OCR official Adam Greene, the primary author of the proposed Disclosures Rule, explained its provisions, including the access report requirement.)

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.