
CDT Files Comments On Proposed ‘Accounting Of Disclosures’ Rule

Yesterday CDT and other consumer groups filed comments on regulations proposed by the Dept. of Health and Human Services Office of Civil Rights (OCR) that would require health care entities to provide each patient – upon request – with a report detailing who accessed the patient’s medical records. While enhancing patients’ right to obtain a list of who has accessed and received their medical records would enhance transparency of the health care system, a goal CDT supports, the technology in use at most health care facilities likely cannot achieve the requirements of the proposed regulation without considerable burden and expense. CDT’s comments urged OCR to focus on what current technology can accomplish and to build a long-term transparency strategy.

Proposed Rule Would Provide Greater Transparency

The proposed rule sprang from a requirement under the HITECH Act of 2009 that “covered entities” – such as hospitals and physicians’ offices – account for disclosures of a patient’s electronic protected health information (PHI) for treatment, payment and health care operations purposes that occur through an electronic health record (EHR). HIPAA regulations currently do not require health care entities to reveal to patients when their PHI was disclosed for treatment, payment and operations purposes, many of which are performed by a covered entity’s employees or contractors. Under current regulations, covered entities do have to give patients – upon request – an accounting that includes disclosures for public health, disclosures to law enforcement or other government agencies, and disclosures that are impermissible under the law.

The most significant and controversial aspect of OCR’s proposed rule entails giving patients a new right to request an “access report.” As envisioned in the proposed rule, the access report would encompass any access to electronic PHI held in a “designated record set” over a period of three years. The proposed rule would require the access report to contain several elements, including the date and time of access, the name of the person who accessed the information, a description of the information that was accessed, and a description of the action taken by the accessing user, if available. Under the proposed rule, patients would be able to request the access report in electronic format (e.g., .pdf), and covered entities would be forbidden from charging patients for the first request in a one-year period.

OCR would require covered entities and their business associates to comply with the proposed rule beginning in 2013 for electronic designated record sets acquired before 2009, and beginning in 2014 for electronic designated record sets acquired during or after 2009.

Is The Proposed Rule Too Optimistic?

The HIPAA Security Rule currently requires covered entities to monitor access to electronic PHI. Covered entities and business associates frequently fulfill this requirement through audit logs, although this is not explicitly required by the Security Rule. EHRs certified for participation in the meaningful use incentive program are also required to have audit logs that contain the elements described in the proposed access report. In the proposed rule, OCR reasoned that the access report would be a manageable burden for covered entities already complying with the existing Security Rule and EHR certification requirements.

Although CDT supports OCR’s underlying goals of providing patients with transparency regarding the uses and disclosures of their data, CDT believes the proposed rule overestimates the ease with which covered entities and business associates can comply with the access report requirement. For example, although the Security Rule does require covered entities to log access to electronic PHI, the Security Rule does not require covered entities to merge the access logs from many highly specialized systems (i.e., every system containing electronic PHI in a designated record set), standardize the data and format the results into a single report that patients will understand. Likewise, EHRs certified for the meaningful use program use audit logs, but not all of these logs are configured to provide an access report to patients, nor does the proposed rule apply to certified EHRs alone.
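To make concrete what “merge the access logs from many highly specialized systems, standardize the data and format the results into a single report” involves, here is an added example that is not CDT’s, OCR’s or any vendor’s code. It assumes two made-up log formats (a pipe-delimited EHR log with ISO-8601 timestamps and a JSON-lines lab system log with Unix epoch timestamps and no “action” field), normalizes both into the four elements the proposed access report calls for, filters to one patient and the three-year look-back window, and renders one chronological report. The patient identifiers, user names and timestamps are constructed sample data.

```python
"""Merge heterogeneous audit logs into a single per-patient access report.

Added illustration only: the log formats, field names and sample entries below
are constructed assumptions, not the output of any real EHR or lab system.
"""
import json
from datetime import datetime, timezone

# Constructed EHR audit log: timestamp|user|patient|information|action
EHR_LOG = """\
2012-03-01T09:15:00Z|jsmith|PT-1001|problem_list|read
2012-03-01T09:16:30Z|jsmith|PT-1001|medications|update
2012-03-02T14:02:10Z|ajones|PT-2002|problem_list|read
2012-03-03T08:45:00Z|mlee|PT-1001|demographics|read
"""

# Constructed lab system log: JSON lines, epoch seconds, no action recorded
LAB_LOG = """\
{"ts": 1330597800, "operator": "lab-tech-7", "mrn": "PT-1001", "panel": "CBC"}
{"ts": 1330700000, "operator": "lab-tech-2", "mrn": "PT-2002", "panel": "BMP"}
"""


def parse_ehr_log(text):
    """Normalize the pipe-delimited EHR format into common access records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, what, action = line.split("|")
        records.append({
            "when": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "patient": patient,
            "what": what,
            "action": action,
            "source": "EHR",
        })
    return records


def parse_lab_log(text):
    """Normalize the JSON-lines lab format; this system records no action."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        records.append({
            "when": datetime.fromtimestamp(entry["ts"], tz=timezone.utc),
            "user": entry["operator"],
            "patient": entry["mrn"],
            "what": f"lab result: {entry['panel']}",
            "action": None,  # "if available" in the rule: not available here
            "source": "LAB",
        })
    return records


# Each designated-record-set system contributes (parser, raw log) pairs.
SOURCES = [(parse_ehr_log, EHR_LOG), (parse_lab_log, LAB_LOG)]


def build_access_report(patient_id, sources, since=None):
    """Collect every access to one patient's records across all sources,
    optionally limited to accesses at or after `since` (e.g. a three-year
    look-back), and order them chronologically."""
    events = []
    for parse, text in sources:
        for rec in parse(text):
            if rec["patient"] != patient_id:
                continue
            if since is not None and rec["when"] < since:
                continue
            events.append(rec)
    events.sort(key=lambda r: r["when"])
    return events


def render_access_report(patient_id, events):
    """Format normalized events as one patient-readable text report."""
    lines = [
        f"Access report for {patient_id}",
        "date/time (UTC) | user | information | action | system",
    ]
    for e in events:
        lines.append(" | ".join([
            e["when"].strftime("%Y-%m-%d %H:%M:%S"),
            e["user"],
            e["what"],
            e["action"] or "not recorded",
            e["source"],
        ]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_access_report("PT-1001", build_access_report("PT-1001", SOURCES)))
```

Even this toy version shows where the burden lies: every additional system needs its own parser and field mapping, timestamps must be brought to one clock, and any element a system does not log (here, the action taken) can only be reported as absent.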

The technological capability to fulfill the proposed rule certainly exists, but the technology deployed by most covered entities may not meet the proposed standards. The cost of retrofitting current systems to comply with the proposed rule could be prohibitive. These concerns are echoed in the comment letters of industry organizations as well.

Require What Is Achievable Now And Prepare An Upgrade

In our comments, CDT urged OCR to focus its proposed rule on what can be achieved in the short term, and to start building an achievable long-term solution that benefits patients without overburdening health care organizations. We are optimistic that most of the technical barriers and policy issues raised by the proposed rule could be overcome in time. CDT suggested that OCR alter the proposed rule to require covered entities to provide patients with the access logs they currently generate. If the covered entity does not have a means to combine the access logs from multiple systems into one report, then the covered entity should still turn over the multiple access logs. This is not an ideal solution, especially given that raw access logs will not be readily understandable to many patients, but such a requirement would ease the bulk of the burden on covered entities and provide patients with at least some measure of transparency while OCR crafts a better solution.

CDT also urged OCR to work closely with the Office of the National Coordinator (ONC) over the long term, ideally by the third and final stage of the meaningful use incentive program, to leverage technological innovation to establish better ways to provide patients with greater transparency regarding the sharing of their health information.

CDT is fully committed to a health privacy framework that incorporates openness and transparency about personal information access, use and disclosure. Transparency is a fundamental tenet of fair information practices that supports accountability, consumer choice and trust while providing a deterrent to unauthorized access. The advent of health information technology (health IT) and automated tracking makes transparency throughout the data lifecycle more achievable. We appreciate the bold steps OCR took in this proposed rule to establish the transparency and accountability patients want and that technology makes possible. Over the next six months, OCR should focus on what current technology can accomplish and implement a long-term plan to establish a comprehensive system of transparency and accountability that matches consumer and business needs.