Fine-Tuning the HIPAA Disclosure RuleTiger Team Backs an Incremental Approach
A federal advisory panel will recommend that the Department of Health and Human Services take an incremental approach to implementing a revised HIPAA accounting of disclosures rule.
At its Nov. 18 meeting, the Privacy and Security Tiger Team fine-tuned recommendations it plans to make on Dec. 4 to the HIT Policy Committee, which advises the Office of the National Coordinator for Health IT.
In September, the team held a virtual meeting with healthcare industry stakeholders to explore ways to provide patients with greater transparency about the uses and disclosures of their digital, identifiable health information (see: Concerns Voiced About Disclosure Rule). The team considered feedback from the meeting, as well as a public comments solicited by team chair Deven McGraw in a blog, in formulating its recommendations.
One Step at a Time
The team plans to recommend that HHS take a "step wise" approach to pursue an implementation pathway that is workable from a technology and policy perspective, says McGraw, who is director of the Health Privacy Project of the Center for Democracy & Technology, an advocacy group.
As part of that recommendation, the team will suggest that HHS initially focus its attention on regulating disclosures made to those outside of a covered entity or an "organized healthcare arrangement," also known as an OHCA.
A "disclosure" of information would be when "data leaves a trusted environment where a provider is no longer in control of the data," such as when records goes to a health information exchange, McGraw says.
In contrast, an OHCA relationship might include, for instance, a community physician who is not employed by a hospital, but who has credentials to access the hospital's electronic health record system. Under the tiger team's proposed recommendations, that community physician would be considered an internal user, and his access would not be considered a "disclosure."
The tiger team will also recommend that an accounting of disclosures should focus on providing patients with "quality not quantity" of information about the data disclosed. For instance, if a healthcare organization discloses patient information through a networked e-prescription service, such as Surescripts, the tiger team suggests that patients be informed in an accounting of disclosures that, in general, their data is sent to Surescripts as part of e-prescribing processes, but that patients not be provided with a list of each e-prescription transaction.
Back in May 2011, the HHS Office for Civil Rights issued a notice of proposed rulemaking soliciting comments on its preliminary concepts for revising HIPAA's accounting of disclosures provisions. It received more than 400 comments, many of them critical of one proposal to provide patients with the right to request an "access report" with a complete list of everyone, including internal users, who has electronically viewed their information. The report would have to contain date and time of access, description of information accessed, and user action, such as creation, modification, or deletion of information.
Some patients and consumer advocates were supportive of the access proposal. But dozens of healthcare organizations and health industry groups expressed concerns that the record access report provision is impractical.
The virtual hearing hosted by the tiger team on Sept. 30 delved into some of the concerns of healthcare industry stakeholders, as well as consumer groups, about the OCR proposals.
As a result of the public feedback, the tiger team is recommending that aspects of the access report proposal be scaled back. For example, the team plans to recommend enabling patients to demand a specific investigation of suspected inappropriate access.
At the virtual hearing in September, several attendees indicated that a focus on investigation of inappropriate access, rather than an accounting of all records access, may satisfy many patients' concerns when they suspect their data privacy was violated, for instance, by a nosy neighbor who works at a hospital.
To improve the ability of covered entities to conduct investigations of inappropriate access, the tiger team will recommend that HHS clarify the audit controls standard of the HIPAA Security Rule. Currently, that audit controls provision states: "Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."
The tiger team will recommend that implementation specifications for this auditing provision be clarified and that the HIPAA Security Rule require that information collected in the audit trail be sufficient to support the detection and investigation of potential inappropriate accesses or uses of PHI.
Also, the tiger team will recommend that the revised accounting of disclosures rule should require listing only an entity name, rather than the specific individual who viewed the information.
That's because several testifiers at the virtual hearing stated that listing individuals who accessed records could subject healthcare employees to privacy intrusions and create safety concerns.
Finally, the tiger team will recommend that ONC launch pilots to test how technology can be implemented to support its recommendations before implementing any final requirements (see Testing Accounting of Disclosures).
The team will suggest that ONC focus its first pilots on healthcare provider's EHRs. After those pilots and initial implementation of new requirements, the team says HHS could then determine how to expand the requirements to other covered entities, such a pharmacies or payers.
Also, the tiger team says that the pilots should initially focus on the technical feasibility of accounting for external disclosures as well as on the feasibility and usability of disclosure reports for patients and the implementation burden on providers.
The pilots would enable ONC to assess whether EHR certification standards for the HITECH Act incentive program for EHRs should be modified to include technical specifications for meeting the accounting of disclosure requirements, once they are finalized.
The tiger team plans to further polish its recommendations at a meeting on Dec. 2 before formally presenting them on Dec. 4 to the HIT Policy Committee.