Testing Accounting of Disclosures

Federal Advisers Consider Pilots to Assess Tech Capabilities
Federal advisers are hammering out recommendations, including potential technology pilot projects, for how to best implement a HITECH Act mandate to update requirements for an accounting of disclosures of protected health information.

Among the preliminary recommendations discussed at a Nov. 5 meeting of the Privacy and Security Tiger Team, which advises the HIT Policy Committee, are pilots that could test whether electronic health record technology can support implementing proposals for accounting of disclosures, as well as creation of access reports that would be useful to patients.

The pilots would also help regulators determine whether technical capabilities supporting accounting of disclosures should be part of requirements for future stages of the HITECH Act's EHR software certification program. To earn HITECH incentive payments, hospitals and physicians must make "meaningful use" of certified EHRs.

Pilots could "help to see what's useful to patients," says Tiger Team co-chair Paul Egerman, a technology entrepreneur. Additionally, the tests could provide valuable insights to regulators before finalizing proposals. "We are trying to do something on a national scale, but we have no data on what will work," he says.

Work in Progress

The Tiger Team hopes to wrap up work on its recommendations at its next meeting on Nov. 18 and present final recommendations to the HIT Policy Committee in early December.

Those recommendations would then be considered by the Office of the National Coordinator for Health IT, which administers the HITECH Act's incentive program for EHRs, and the Department of Health and Human Services' Office for Civil Rights. Both are units of the Department of Health and Human Services, and HHS would have final say on any new regulations.

OCR in May 2011 issued a notice of proposed rulemaking for updating accounting of disclosures requirements under HIPAA. The proposal generated hundreds of complaints from healthcare providers and others. Many of the complaints were aimed at a controversial new "access report" provision (see EHR Access Report Objections Pour In).

As proposed, the access report would need to contain the date and time of access, name of the person or entity accessing protected health information, and a description of the information and user action, such as whether information was created, modified or deleted. The proposal would also provide patients with the right for an accounting of disclosures of electronic PHI made up to three years prior to the request.

That access report would include electronic health record disclosures for treatment, operations and payment, which are categories of disclosures exempt from the current HIPAA accounting of disclosures rule. Under current regulations, covered entities need to account for certain disclosures of records to third parties for certain purposes, such as for litigation, court actions and public health.

Many of the comments that HHS received on the access report proposal claimed that it would prove to be technically unfeasible, complex and expensive to implement.

The sentiment of those comments was reinforced in testimony from a number of healthcare industry representatives who spoke at a Sept. 30 virtual hearing hosted by the Tiger Team to discuss accounting of disclosures (see: Concerns Voiced About Disclosure Rule).

"No testimony supported that the proposed access report was do-able, at least with today's current technologies," says Deven McGraw, chair of the Tiger Team and director of the Health Privacy Project of the Center for Technology and Democracy, an advocacy group.

Additionally, while audit trail technologies are frequently mentioned as a tool for offering greater transparency to individuals, audit logs, when they are deployed, are designed to track security-relevant system events, not user activity, and do not easily produce reports designed to be understandable to individuals, points out Tiger Team member Dixie Baker, senior partner at the consulting firm Martin, Blanck & Associates.

An access report that, for instance, lists a nurse accessing a patient EHR 20 times in a short amount of time during a patient hospitalization doesn't necessarily provide valuable information to a patient, and could instead be confusing, Egerman adds.

Some Tiger Team members suggested that an accounting of disclosures or access report could summarize disclosures or access, rather than itemize every event.

'Less is More'

Although the team's recommendations should reinforce the importance of high-level transparency to patients about data use and disclosures, the recommendations should support a philosophy that "less is more," Egerman suggests.

For example, disclosures to be reported to patients could be narrower and perhaps provide fewer details, focusing on what is most pertinent, Egerman says. The aim is to not overwhelm patients with confusing details and to not pose a potential safety risk to EHR users by naming them in access reports, Egerman says.

The Tiger Team's discussions seem to indicate it will likely recommend narrowing required disclosures to refer only to disclosures of patient information to parties external to the healthcare enterprise that releases the information. In addition, "access" would refer to access to patient information by an internal user who has an account on the system of the healthcare enterprise.

Baker suggests that an audit of systems might be used internally by healthcare organizations to create a report on access to individual records by individual users. However, rather than provide patients with all the access details in an access report, the details could be collected and held by organizations for investigations into improper access to records.

For instance, for the safety of healthcare workers, names of individuals accessing patient records could be filtered from the access reports provided to patients, but available to the institution when investigating allegations or suspicion of improper access. Providing the names of every individual who accessed a patient's record could possibly result in workers being stalked, harassed or threatened, some healthcare organization officials testified at the Sept. 30 hearing. In that hearing, Jutta Williams, chief privacy officer of Intermountain Healthcare, said in her written testimony that Intermountain had made a "risk-based" decision not to include workers' last names on badges, for similar reasons.
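The two-tier reporting idea discussed above (itemized external disclosures for the patient, summarized internal access with worker names withheld, and a full named record kept by the institution for investigations) is easy to sketch in code. The following is an added illustration, not code from the article, the Tiger Team or any EHR vendor. The audit-log events, the organization name and every user in it are constructed sample data; the field set follows the access report fields the proposed rule described (date and time, accessing person or entity, data description, and user action), and the external-versus-internal split follows the Tiger Team's working definitions of "disclosure" and "access".

```python
import json
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the enterprise whose EHR produced the audit log (hypothetical name).
HOME_ORG = "Example Hospital"


@dataclass(frozen=True)
class AccessEvent:
    """One audit-log entry, with the fields the proposed access report would need."""
    timestamp: datetime
    user_id: str        # account on the enterprise system, or an id for an external entity
    user_name: str
    role: str
    org: str            # organization the accessing party belongs to
    patient_id: str
    action: str         # created / modified / deleted / viewed / disclosed
    data_category: str  # description of the information touched


# Constructed audit-log events for illustration only; all names and ids are made up.
SAMPLE_EVENTS = [
    AccessEvent(datetime(2013, 11, 5, 8, 2), "u1001", "A. Nurse", "nurse", HOME_ORG, "P-42", "viewed", "vitals"),
    AccessEvent(datetime(2013, 11, 5, 8, 15), "u1001", "A. Nurse", "nurse", HOME_ORG, "P-42", "modified", "vitals"),
    AccessEvent(datetime(2013, 11, 5, 8, 40), "u1001", "A. Nurse", "nurse", HOME_ORG, "P-42", "viewed", "vitals"),
    AccessEvent(datetime(2013, 11, 5, 9, 30), "u2002", "B. Physician", "physician", HOME_ORG, "P-42", "created", "progress note"),
    AccessEvent(datetime(2013, 11, 6, 14, 0), "ext-lab", "Example Reference Lab", "laboratory",
                "Example Reference Lab", "P-42", "disclosed", "lab orders"),
    AccessEvent(datetime(2013, 11, 6, 16, 5), "u3003", "C. Clerk", "billing clerk", HOME_ORG, "P-42", "viewed", "demographics"),
    AccessEvent(datetime(2013, 11, 6, 16, 5), "u3003", "C. Clerk", "billing clerk", HOME_ORG, "P-99", "viewed", "demographics"),
]


def is_disclosure(event, home_org=HOME_ORG):
    """A 'disclosure' is a release to a party outside the enterprise; everything else is internal 'access'."""
    return event.org != home_org


def patient_report(events, patient_id, home_org=HOME_ORG):
    """Patient-facing view: external disclosures itemized; internal access summarized
    per day, role and action, with individual worker identities withheld."""
    mine = sorted((e for e in events if e.patient_id == patient_id), key=lambda e: e.timestamp)
    disclosures = [
        {"when": e.timestamp.isoformat(), "to": e.user_name, "data": e.data_category, "action": e.action}
        for e in mine if is_disclosure(e, home_org)
    ]
    counts = Counter(
        (e.timestamp.date().isoformat(), e.role, e.action) for e in mine if not is_disclosure(e, home_org)
    )
    access_summary = [
        {"date": d, "role": r, "action": a, "count": n} for (d, r, a), n in sorted(counts.items())
    ]
    return {"patient_id": patient_id, "disclosures": disclosures, "access_summary": access_summary}


def investigation_report(events, patient_id, home_org=HOME_ORG):
    """Institution-internal view: every internal access to the record, with the user's identity,
    retained for investigating allegations or suspicion of improper access."""
    return [
        {"when": e.timestamp.isoformat(), "user_id": e.user_id, "user_name": e.user_name,
         "role": e.role, "action": e.action, "data": e.data_category}
        for e in sorted(events, key=lambda e: e.timestamp)
        if e.patient_id == patient_id and not is_disclosure(e, home_org)
    ]


def records_touched_by_user(events, user_id):
    """Investigation helper: which patient records did one account access?"""
    return sorted({e.patient_id for e in events if e.user_id == user_id})


def patient_report_leaks_names(report, events, home_org=HOME_ORG):
    """Release check: an internal worker's name must never appear in the patient-facing report."""
    serialized = json.dumps(report)
    internal_names = {e.user_name for e in events if not is_disclosure(e, home_org)}
    return any(name in serialized for name in internal_names)


if __name__ == "__main__":
    report = patient_report(SAMPLE_EVENTS, "P-42")
    print(json.dumps(report, indent=2))
    print(json.dumps(investigation_report(SAMPLE_EVENTS, "P-42"), indent=2))
    print("leaks worker names:", patient_report_leaks_names(report, SAMPLE_EVENTS))
```

The nurse who opened the record three times in one morning shows up to the patient as "nurse, viewed, 2" and "nurse, modified, 1" for that day, which is the kind of summary the Tiger Team floated instead of an itemized list; the named, per-event record still exists in the investigation view, and the release check makes the "names filtered from the patient report" rule a tested property rather than a convention.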

"The EHR would need to be constructed to capture that [access information]," Egerman says. A goal of the Tiger Team recommendations, and possible pilots, is to "match policy with what technology currently does," he adds.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
