In 2011, HHS issued a proposed rule for implementing HITECH requiring covered entities and business associates to provide patients, upon request, with a report of all individuals who had accessed their health information. They reasoned that EHR tracking technologies—audit trails—can track all patient record activity, including TPO disclosures. Consequently, providing patients an “access report” would leverage existing technology and provide the transparency that HITECH intended.
Industry stakeholders widely decried the unworkability and potential expense of the proposed access report, while privacy advocates applauded efforts to improve transparency of record access. HHS asked the Health IT Policy Committee for recommendations. The committee (through its Privacy and Security Tiger Team) held a public online hearing on Sept. 30 featuring testimony from patient advocates, healthcare providers and health plans, business associates and technology vendors. The committee also received public comment on its blog.
Based on this feedback, the committee made these observations:
- The industry lacks a cost-effective, readily available technical mechanism for implementing HITECH. Today's audit trail technologies cannot distinguish between internal access and external disclosure. Audit trails are designed to track security-related events and do not easily produce reports designed for use by patients.
- Transparency to patients is critical, but the proposed access report—frequently a fire hose of information—would do little to meaningfully advance information transparency. Patients rarely ask for the accounting report guaranteed by the privacy rule, but the reasons for this lack of demand are unclear. It makes little sense to mandate new, potentially costly technologies in the face of uncertainty about patient demand and utility.
- Of course patients should be provided with a full investigation of complaints about inappropriate access. Such a targeted response is likely to be more effective at addressing patient concerns, particularly about unauthorized internal access.
In lieu of the proposed access report, the committee recommended HHS pursue a more narrowly focused implementation path:
- Include only EHR disclosures for TPO where the information actually travels outside of the provider entity or “organized healthcare arrangement.” Technology vendors testified that accounting for a more narrow definition of disclosures might be achievable.
- Focus initially on provider EHRs, and pilot technologies and operational approaches before finalizing regulations (providing a potential path to an EHR certification requirement).
- Consistent with the Fair Credit Reporting Act, require a TPO disclosure report to include the names of entities receiving disclosed information (not individuals).
- Give individuals a meaningful right to an investigation of inappropriate access to their health information, and update the HIPAA Security Rule to ensure audit systems have better capabilities to detect inappropriate access.
These recommendations can produce real transparency gains for patients, assuming a successful pilot of a workable technology approach. The access report was a “win” for patients only if you were confident the market would develop products to make voluminous access reports understandable to patients—highly speculative in light of historically weak demand (and uncertain future demand) for accounting reports. And given the extremely high degree of collective industry angst about the proposed access report, it is doubtful it would have ever come to fruition. The committee's recommendations will hopefully break the logjam, providing a workable, middle-ground pathway to HITECH implementation.
Deven McGraw is director of the Health Privacy Project at the Center for Democracy and Technology.