A proposed federal privacy rule affording patients access to information about who has accessed or received copies of their medical records may be more trouble than its worth in terms of patient benefits, some industry leaders say.
“We're very concerned about the burden on providers of meeting this new requirement,” says Robert Tennant, senior policy adviser with the Medical Group Management Association. “Our practices very, very rarely get requests for accounting for disclosure. Some practices have never had a request, so the question is: Is it overkill?”
Others see potential future benefits.
“It may take a good bit of work, but once it's set up it will be a lot easier, and this will be more in line with what consumers want,” says Harry Rhodes, director of practice leadership at the American Health Information Management Association, whose members are typically the go-to people when disclosure requests are made.
“This will help indirectly with security of systems,” Rhodes says. “People will think twice before they choose to violate somebody's privacy.”
The proposed rule was published May 31 by the Office for Civil Rights at HHS, which has enforcement authority over the health information privacy and security under the Health Insurance Portability and Accountability Act. In drafting the rule, the Civil Rights Office drew on authority in that 1996 law, as well as more stringent privacy and security language in the American Recovery and Reinvestment Act of 2009.
The 95-page rule affords patients two complementary rights—to an accounting of disclosures of patient records to outside organizations and to a report on which employees or other individuals within an organization have accessed their records.
“We believe that these two rights, in conjunction, would provide individuals with greater transparency regarding the use and disclosure of their information than under the current rule,” the Civil Rights Office said.
The public comment period on the proposed rule is open until Aug. 1, but healthcare association leaders already are expressing skepticism.
The MGMA's Tennant says the rule presents “a challenge to capture all this data, keep it for three years and be able to produce a report within 30 days, which is extremely fast.” Problems for providers multiply when they have patient information, such as clinical and claims data, on separate IT systems, for example, a clinical electronic health-record system and a financial practice management system, Tennant says.
The proposed rule appears to narrow the universe of reportable disclosures compared with the current HIPAA accounting rule. It does that by creating what the rule describes as a “list of the types of disclosures that are subject to the accounting (rather than listing the types of disclosures that are exempt from the accounting.)”
Under present-day HIPAA, the Civil Rights Office explains, an individual has a right “to an accounting of certain disclosures of protected health information about the individual, regardless of where such information is located. We are proposing to limit the accounting provision to protected health information about the individual in a designated record set.”
A designated record set, defined under the HIPAA privacy rule, is a group of records maintained by or for a covered entity that include medical and billing records of a provider, as well as the enrollment, payment, claims and case management records of a payer, “that are used to make decisions about individuals.”
Hospitals, group practices, plans and claims clearinghouses, all defined as “covered entities” must coordinate and be responsible for providing an accounting of disclosures by their business associates. But under the Civil Rights Office's proposed rule, they would not be required to account for disclosures of patient-identifiable information by their business associates that do not involve a designated record set.
Feedback from a Civil Rights Office request for information early in the rulemaking process indicated patients have a real concern whether a neighbor or unauthorized healthcare employee is peeking into their medical records, says Adam Greene, a partner at the Washington law firm Davis Wright Tremaine. The existing HIPAA accounting rule for disclosure provisions “didn't provide that information,” he says, adding that under current HIPAA rules, accounting for disclosures for treatment, payment and other healthcare operations is not required.
On the other hand, the Civil Rights Office recognized accounting for disclosures “constituted a very significant burden” for record holders, says Greene, who previously worked at the Civil Rights Office, where he authored the disclosure rule. “There seemed to be a lack of proportionality between the burden on providers and interests of individuals.”
One significant change proposed by the new rule is in disclosures for research.
Under current privacy law, only some research requires an accounting of disclosure while other research uses are exempt, Greene says. For example, research that is based on an individual's authorization, and research using partially de-identified records in a HIPAA-defined “limited data set” already are exempt from an accounting for disclosure, Greene says. What is left, he says, is research where there was an institutional review board waiver of authorization and another category for access to information preparatory to research.
Meanwhile, the Institute of Medicine and the HHS secretary's Advisory Committee on Human Research Protections issued reports recommending against requiring an accounting for disclosures for research, and the Civil Rights Office's proposed rule followed that recommendation, Greene says. The IOM went so far as to say the current accounting requirements have a “chilling effect” on research, he says.
So, under the proposed rule, “research will be taken out from a full accounting,” Greene says.
Like Tennant, Lawrence Hughes, assistant general counsel for the American Hospital Association, is concerned whether the rule will provide enough patient benefit to warrant the costs and effort required of providers. Regarding the access report requirement, “I think there is an assumption by HHS in the rule that all you're talking about is an audit trail.” In reality, at many hospitals, the access data will be drawn “from a lot of systems and you have to put it in a form that somebody can read, rather than printing out an audit trail,” Hughes says. “That's going to take a lot of work.” And, so far, the technology to do that is unavailable, he says.
Further, if the Civil Rights Office tried to simplify things, it didn't succeed. “I would not by any means say it is a clear, easy-to-understand, straightforward rule,” Hughes says.
Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society, says she is still gathering opinions about the proposed rule from members of the trade association for the health IT industry.
So far, there's been no screaming from the health IT community about the technical challenges the rule might pose to system developers.
Gallagher says she met last week with Civil Rights Office officials on another matter and the subject of the disclosure rule came up, which gave her cause for optimism that what's in the proposed rule won't be the last word.
“They said they were very interested in listening to the public comment,” Gallagher says. “I feel we have a regulator here that will be working very hard dealing with the statute and coming up with something that's doable. All of which I think is the best we can expect.”
It is likely business processes will have to change to meet patient expectations once the rule is implemented, according to AHIMA's Rhodes. Overall, though, Rhodes says the rule could wind up producing a beneficial change.
“This is something that is very serious, and it is something that is a major concern for people,” Rhodes says. Being more transparent “puts away that fear and anxiety.”
