Critiquing the EHR Access Report Plan
AHIMA's Rode Calls for Study to Determine a Better Approach
AHIMA has asked federal authorities to conduct pilot projects to more precisely determine how much it would cost to generate these access reports and whether many patients would be likely to request them, Rode says in an interview with HealthcareInfoSecurity.com's Howard Anderson (transcript below). This kind of research, Rode predicts, would find that "the regulations are way too prescriptive for the benefit that they're going to provide."
Many other organizations have expressed similar concerns (see: EHR Access Report Objections Pour In).
Rode stresses that AHIMA "believes the consumer has a right to this information" about who has accessed their records. But the access report provision in the proposed Accounting of Disclosures rule, as outlined by the Department of Health and Human Services' Office for Civil Rights, is impractical, he argues. "There ought to be a better approach," Rode says.
In the interview, Rode:
- Points out that one AHIMA member ran an access report in its main clinical information system for a patient's two-week hospital stay that produced 2,000 pages of data, which would be difficult for the patient to decipher.
- Argues that larger hospitals and clinics would find it extremely costly to create access reports because they store patient information in hundreds of information systems, each with different approaches to logging access. Because healthcare organizations lack systems to collect access information from all these applications, they would have to gather this information manually or write their own software to get the job done, he contends.
- Expresses concern about the proposed rule's requirement to list the names of every staff member who has accessed patient information. "We had some reports from our members ... of instances where staff members were stalked by patients," he notes.
Rode is vice president of policy and government relations at AHIMA, a trade association for health information managers at hospitals, clinics and other healthcare organizations. His responsibilities include working with federal agencies, representing AHIMA at meetings with members of Congress and their staff and providing AHIMA members with information on legislative, regulatory and public policy developments.
Access Reports
HOWARD ANDERSON: For starters, could you please briefly explain what the proposed access report provision would require hospitals, clinics and others to do? Also, why does AHIMA believe that this requirement goes beyond the scope of the HIPAA and HITECH Act requirements?
DAN RODE: The access report would require a covered entity or a business associate to report the access to any electronic system that contained information on a patient that is used in working with that patient in giving them treatment, their business records and other pieces that directly pertain to the patient themselves. That could be as small as one or two systems in a physician's office, but could be literally hundreds of systems within a larger teaching hospital or tertiary care facility, depending on how many systems they have associated with their different ancillary services and those kinds of activities.
The report would require responding to requests from individuals, either a request that asks if particular people had access to any of these records or they could ask for a complete report on [all who have] accessed all of these records. And these are issues that, quite frankly, had not been previously discussed, certainly not included in the HITECH update for HIPAA, and not anticipated in these various systems that had been purchased both before and after Jan. 1 of 2009, which was the trigger date set up by the HITECH Act to then trigger compliance dates.
We actually have several concerns, and we're in a quandary with these concerns because we believe that consumers do have the right to know who has been looking at their records and to request an access report. Our members have been receiving these kinds of requests in the past, so these aren't new. But to spell out the kind of reports that would have to come out of the electronic systems becomes an issue because many of the systems, while they do have a log, aren't necessarily producing the kinds of data that would meet the requirements as posted in the proposed rule.
Then there's the issue of the manpower it will take to go into each of those systems, determine if access occur ... and then consolidating that request into a document that meets the requirements. ... There's just a lot of work involved in the proposal as it stands. While we agree with the right of the individual, we are very concerned that this would just be a very expensive process for what, so far as we know it, is a very small number of people asking for the access.
Technical Challenges
ANDERSON: Why would it be technically difficult for many healthcare organizations to produce the access reports?
RODE: As I just mentioned, because for any size hospital or any good-sized clinic you're dealing with multiple systems. You have laboratory systems, radiology systems and pharmacy systems. You may have specialty systems for labs. You have order-entry systems. You've got registration systems, patient accounting systems. I can go on and on. All of these have the kind of protected health information that comes under this rule, without an overall system that can collect this information and have the interoperability among the information because each of these systems logs access differently. There has never been a standard adopted that would allow each of these systems to report very simply, to some kind of a dump and then produce a report. All this would have to be either handwritten software across these pieces or it would be done manually by the privacy officer and HIM director, or whoever the institution would choose. Now, if you're only running an EHR system and that's the only system you have in your private practice, this may not be an issue. On the other hand, you probably only have 10 to 12 people that even can access the electronic health record in that system. So it's a different kind of issue.
One of our members who was on our task force reported that they ran a copy in their main system at their institution and for a two-week hospital stay they had over 2,000 pages of access. There is a lot entailed with this. ... Right now the software and process of access [doesn't go] through one gate; it goes through many gates.
Safety Issues
ANDERSON: In your comment letter, you also questioned the proposed requirement that the access reports include the names of staff members who have accessed records. Why do you believe that raises safety issues?
RODE: We had some reports ... from members in our task force of instances where staff members of the institution were stalked by patients. And ... if a patient were to say, "I think my neighbor, my cousin ... may have accessed my records and I want to know if they have," we don't have a problem with identifying the people that the request identified. But the idea that, "I want anyone that has accessed my records over the last six months," having everyone in the institution identified that may have seen that record just raises many, many different kinds of questions, and we don't see a practical use for that. But we do see certainly identity issues and we think it can actually get people probably more concerned about access, than just providing only the identification of those people that they're concerned with.
For instance, maybe you don't know a member of your church congregation worked in the institution and maybe they are a quality assurance nurse. Most people don't even know what a quality assurance nurse is, but now you've seen their name on there and now you're concerned. "Why did this person that goes to church with me look at my record?" That just creates many additional questions that we don't think people really are concerned about but could become concerned as they see this. It's probably not a problem in Chicago where you are, or Washington, D.C., where I am. We're in very large cities and not a lot of people know a lot of people. But if you're in a smaller town you might be amazed who ... legitimately saw your record for the function they performed within the institution. We just think it creates a lot of questions and concerns that really don't need to be there.
Pilot and Study
ANDERSON: Also in your comment letter you called for a pilot test of the access report concept as well as a study to measure patients' awareness of the issues involved. Why do you believe both steps are necessary?
RODE: There were a lot of questions about what this is going to cost. ... I'm not sure anyone knows exactly what this will cost from the standpoint of the programming and the software that would be needed to connect all the systems and resolve all the problems I talked about. And we don't know what the demand is for this. If it cost you $150,000 to fix this system and you only had five people ask for an access report, are you prepared to have that cost per access report? Is that too far out? We think to answer that question you've really got to test it. We also don't know, as I said, the demand of individuals, and this gets a little tricky. We think it would be interesting to see that in a community that knew this opportunity exists, would people actually use it?
Our other concern that came up we've seen happen on a rare occasion. If Dr. Phil were to have this as a key story one afternoon on his program, would there be a rush to get access reports? What would that do to an organization? We thought there were a number of questions that OCR raised that we couldn't address real well and that perhaps it ought to be tested a little better. Again there may be some other ways to do this. We didn't get real descriptive in the pilot but we did think that there needed to be more answers to this. And then the question, of course, that raises throughout the proposal is the cost of doing all of this. The cost that will be added to the various covered entities, is that outweighed by the concerns of the individual? Taking a standpoint that we've been able to, our members in covered entities have been able to respond to these requests in the past without all the specific requirements. We think that if it was studied, we'd find that as it currently stands in this proposed rulemaking, the regulations are way too prescriptive for the benefit that they're going to provide.
Reworked Version Sought
ANDERSON: Finally can you clarify a bit whether the association believes a reworked version of the access report requirement is achievable or if the concept should just be entirely scrapped?
RODE: We think it's achievable. We've been in conversations with other groups, including consumer groups, and we think there is a way to do this. We certainly, as I said at the front, believe that the consumer has a right to this information and should have an ability to inquire about this information. We think that organizations owe it to the individual to respond to their concerns and their requests. We just don't think that, as currently prescribed, it's the best approach; and there ought to be a better approach.