Battle Lines Drawn
By Elizabeth S. Goar
For The Record
Vol. 30 No. 8 P. 24
An advance notice of proposed rulemaking on weightier access reports has the industry on notice.
It's been more than seven years since Health and Human Services (HHS) proposed providing patients with access reports in addition to the accounting of disclosures of their protected health information (PHI) already required under HIPAA. The proposed change, mandated under the HITECH Act, was met with enough resistance from multiple stakeholder groups that HHS ultimately tabled plans.
Currently, covered entities and their business associates are required to provide patients only with information describing any disclosure of PHI. The exceptions are information released for treatment, payment, and health care operations; disclosures made with proper authorization; and certain other limited disclosures.
In July, HHS announced plans to issue an advance notice of proposed rulemaking in November, soliciting feedback on attempting yet again to modify HIPAA to comply with the HITECH mandate.
If HHS is successful in implementing change, it will bring to fruition something that "has been a priority for the OCR [Office for Civil Rights] since the HITECH Act was implemented," says Linda Kloss, MA, RHIA, founder and principal of Kloss Strategic Advisors and a consultant to Verisma Systems.
From the outset of the HITECH Act's proposal, efforts to find a way to provide patients with PHI access reports have been stymied by industry stakeholders who were adamant that compliance would cause significant financial and administrative hardships. Hundreds of overwhelmingly negative comments were lodged against the proposed rule during the public comment period, the majority coming from provider organizations, technology companies, and associations representing the interests of both.
In her strong opposition, one family physician stated that the rule required redundant documentation of the need to view PHI to perform clinical duties and would further burden the medical liability system. A dentist stated bluntly that the financial hardship of compliance would force him to close his practice.
AHIMA wrote that the proposed rules exceeded the scope of HIPAA and that EHR systems were not equipped to track the level of access that compliance would require and would significantly increase administrative costs. The College of Healthcare Information Management Executives noted that, as proposed, the access reports would not differentiate between uses of the information for care delivery and nonclinical disclosures. Furthermore, legitimate access could take place in systems other than EHRs, which would complicate the requirement to provide a consolidated report or customized views. Also called out was the requirement to name staff members who accessed the PHI, which could be a violation of their rights and open them to unnecessary scrutiny.
"It has been a challenging process due, in large part, to technical constraints within electronic health record systems," says Kloss, a former AHIMA CEO and a member of the Privacy and Security Tiger Team that, in 2013, was charged with making recommendations on the access report requirement to the Office of the National Coordinator for Health Information Technology's advisory committee. "There have been no standards put into place to govern audit logs and, even within the best EHRs, functionality was designed to enable privacy and security managers to monitor access. The systems, however, did not take into account patient needs or their desire for the information."
The technical challenges were significant. According to Rita Bowen, vice president of privacy, compliance, and HIM policy for MRO, access logs would have to form a single report, something that would be hard to do because of the multiple systems involved in the patient care process. Furthermore, providing the patient with what was tantamount to a data dump may be difficult for them to understand.
"Many [patients] don't have any idea how many people have the right to access their record," Bowen says. "Perhaps not all that information should be [in the access report]. Perhaps it should be more targeted based off what the patient was requesting, or it would be too much information for the patient to go through."
While seven years is a lifetime in technology, concerns remain about whether today's health care organizations have the capacity to ensure compliance, particularly with the single-report requirement. Bowen points out that while a hospital may have an EHR, there are still multiple source systems (e.g., laboratory, pharmacy) collecting PHI.
"If you were running an access report from the EHR, it would only show those who looked at [the medical record] there. It wouldn't show those who looked at that record from the source system," she says. "An organization would have to have already identified and addressed this in their governance program to know where those source systems are—[although] they should have done that [so] they should know how to connect these systems to at least generate a report."
Kloss points to recommendations by the Tiger Team that a distinction be made between accounting for disclosures to third parties and accounting for access to medical records within the health care organization. "Regarding the latter," she says, "the recommendations called for focusing on producing useful information for patients about access rather than handing them an indecipherable data dump."
Impact on Patients
Patient requests for an accounting of disclosures have been low. On one hand, industry experts say few have made the request because they had no real idea of what was available or how to ask for it. According to the Tiger Team's findings in 2013, most patients who were requesting information had a specific concern that could best be addressed with a tailored response. For example, they were concerned that an ex-spouse was attempting to access PHI.
"These typically were handled on an exception basis rather than trying to broadly review any access made by anyone such as doctors, nurses, technicians, etc. This is a much more limited scenario than is being examined today," Kloss says.
Others, however, believe the limited number of requests can be blamed on a lack of transparency about HIPAA and privacy. "Everyone is deceived that their privacy is protected," says Twila Brase, RN, PHN, president and cofounder of Citizens' Council for Health Freedom, a patient advocacy organization, and author of the newly released book Big Brother in the Exam Room: The Dangerous Truth About Electronic Health Records.
"Patients believe that HIPAA means privacy, but completely the opposite is true," she continues. "[Patients] think that because they signed the HIPAA disclosures the information is kept between [them] and their doctor. But that form just says you received the privacy notice. The deception is so broad and so well implemented across the country that people and their legislators believe their information is private."
The limited demand for disclosure information adds fuel to industry pushback. For example, according to Bowen, the requirement that facilities provide information for the previous six years is a sizable burden for something that is rarely requested by the very people it is designed to help.
"For the time and effort, it may not balance," she says, adding that there is consensus that patients will nonetheless benefit from expanded disclosure, primarily through "trust and transparency provided by access logs. We want that information to be shared for the benefit of the patient and the patient's right to know who is seeing [their information]."
Kloss adds, "Consumer and patient involvement in their own health care is growing at an extraordinary pace, which, we all agree, is a good thing. Greater transparency into how we deliver care and how we share information is a necessary and important byproduct."
Will History Repeat?
Industry agreement about the benefits of broader disclosure and advances in EHRs and other health care technology aside, many remain unconvinced that expanding the disclosure requirements to include access reports will survive another round of industry feedback. Kloss expects that OCR, which was on the receiving end of thousands of comments on earlier drafts, is again anticipating broad input, "spanning from how well current technology supports requests to concerns about what patients might do once they have disclosure information.
"The OCR," she adds, "will no doubt invest time and resources to consider the broad range of concerns that will be raised and ultimately propose reasonable middle ground to achieve 'productive transparency.'"
The major sticking points are likely to be familiar: requiring that the complete access log be provided in a single report from one system and identifying every individual who accessed the patient's PHI. According to Bowen, the first aspect is cumbersome and the second could result in overwhelming the patient with information.
"We're looking at the fact that employees who are looking at and accessing the record for true business needs will need to know" it will be revealed, she says. "It gets down to limiting access to just what is necessary. Most do that now, but it really does mean that an employee who has access to an EMR should have access only to the category they need."
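Three threads in this article describe what a patient access report would actually have to do: Bowen's point earlier that a report pulled from the EHR alone misses access that happened in a laboratory or pharmacy source system, the Tiger Team distinction Kloss draws between disclosures to third parties and access within the organization, and the single-report and least-privilege concerns raised in this section. The script below is an added example that is not code from the article or from any organization or vendor it mentions. It assumes three constructed audit-log layouts (the article notes there is no standard for audit logs), constructed users and roles, a constructed role-to-category policy, and a six-year look-back window; it merges the logs into one time-ordered report for a single patient, separates disclosures from internal access, and flags internal access that falls outside the categories the user's role is granted.

```python
"""Consolidated per-patient access report assembled from several source-system
audit logs. Added illustration for this article; not code from For The Record,
MRO, Verisma or any EHR vendor. Every log format, system name, user, role and
the role-to-category policy below is constructed for the example."""
import json
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "when source user role action category patient")

# Constructed audit lines, each system in its own native layout: an EHR with
# key=value fields, a laboratory system with space-separated columns, and a
# pharmacy system writing one JSON object per line.
EHR_LOG = """\
2018-03-02T09:14:00|pt=MRN-1001|user=jdoe|role=nurse|action=VIEW|section=notes
2018-03-02T09:20:00|pt=MRN-1001|user=rsmith|role=billing|action=VIEW|section=notes
2017-11-15T16:02:00|pt=MRN-1001|user=payer-acme|role=external|action=DISCLOSE|section=claims
2018-03-03T08:00:00|pt=MRN-2002|user=jdoe|role=nurse|action=VIEW|section=meds
"""
LAB_LOG = """\
2018-03-02 10:05:11 MRN-1001 tech_lee labtech VIEW results
2011-01-20 11:00:00 MRN-1001 tech_old labtech VIEW results
"""
PHARMACY_LOG = """\
{"ts": "2018-03-02T11:30:00", "patient": "MRN-1001", "user": "pharm1", "role": "pharmacist", "event": "VIEW", "data": "meds"}
"""

# Constructed least-privilege policy: the record categories each role needs.
ROLE_CATEGORIES = {
    "nurse": {"notes", "meds"},
    "labtech": {"results"},
    "pharmacist": {"meds"},
    "billing": {"claims"},
}
LOOKBACK = timedelta(days=6 * 365)  # the six-year window the article mentions


def parse_ehr(text):
    for line in filter(None, text.splitlines()):
        ts, *pairs = line.split("|")
        f = dict(p.split("=", 1) for p in pairs)
        yield Event(datetime.fromisoformat(ts), "EHR", f["user"], f["role"],
                    f["action"], f["section"], f["pt"])


def parse_lab(text):
    for line in filter(None, text.splitlines()):
        day, clock, patient, user, role, action, category = line.split()
        yield Event(datetime.fromisoformat(f"{day}T{clock}"), "LAB", user, role,
                    action, category, patient)


def parse_pharmacy(text):
    for line in filter(None, text.splitlines()):
        r = json.loads(line)
        yield Event(datetime.fromisoformat(r["ts"]), "PHARMACY", r["user"],
                    r["role"], r["event"], r["data"], r["patient"])


def consolidate(patient, as_of, *streams):
    """Merge all systems into one time-ordered list for one patient, limited
    to the look-back window; an EHR-only query would miss LAB and PHARMACY."""
    cutoff = as_of - LOOKBACK
    events = [e for s in streams for e in s
              if e.patient == patient and cutoff <= e.when <= as_of]
    return sorted(events, key=lambda e: e.when)


def classify(event):
    """Separate third-party disclosures from internal access, and flag internal
    access that falls outside the categories the user's role is granted."""
    if event.action == "DISCLOSE" or event.role == "external":
        return "disclosures", False
    permitted = ROLE_CATEGORIES.get(event.role, set())
    return "internal_access", event.category not in permitted


def build_report(patient, as_of, *streams):
    report = {"patient": patient, "as_of": as_of.isoformat(),
              "disclosures": [], "internal_access": []}
    for e in consolidate(patient, as_of, *streams):
        bucket, outside_role = classify(e)
        report[bucket].append({"when": e.when.isoformat(), "source": e.source,
                               "user": e.user, "role": e.role,
                               "category": e.category,
                               "outside_role": outside_role})
    return report


def render(report):
    """Patient-readable lines rather than a raw log dump."""
    lines = [f"Access report for {report['patient']} (as of {report['as_of']})"]
    for bucket in ("disclosures", "internal_access"):
        lines.append(f"-- {bucket.replace('_', ' ')} ({len(report[bucket])})")
        for e in report[bucket]:
            flag = "  ** outside role's permitted categories" if e["outside_role"] else ""
            lines.append(f"{e['when']} {e['source']:8} {e['user']} ({e['role']}) "
                         f"accessed {e['category']}{flag}")
    return lines


def sample_report(as_of=datetime(2018, 4, 1)):
    """Run the whole pipeline over the constructed logs for one patient."""
    return build_report("MRN-1001", as_of, parse_ehr(EHR_LOG),
                        parse_lab(LAB_LOG), parse_pharmacy(PHARMACY_LOG))


if __name__ == "__main__":
    print("\n".join(render(sample_report())))
```

Run as a script, it prints the report for the constructed patient MRN-1001: one disclosure to an external payer, four internal accesses across the EHR, lab and pharmacy systems, with the billing user's view of clinical notes marked as outside that role's permitted categories, and the 2011 lab access dropped because it falls outside the six-year window. The per-system parsers are the part that grows with a real deployment; the merge, the disclosure-versus-access split and the role check stay the same regardless of how many source systems feed the report.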
Concerns aside, most agree that patients have the right to know who is accessing their PHI. Bowen notes that when requesting an accounting of disclosures, most patients just want to know that anyone who is accessing their PHI has a reason for doing so that will not cause harm.
"They are really looking for individuals who didn't need to be there," she says. "It all boils down to trust and transparency. ... No one should be in your information unless they have a reason to be there."
Brase suggests the proposed rule should go even further than previous efforts to include a breakdown of why the PHI was accessed. Such a stipulation would not only protect patients from harm but also shine a light on the problems related to HIPAA and PHI protection. Even without that level of detail, however, providing patients with access reports will "start bringing up questions" about just how often PHI is tapped. This will, in turn, "help move the dial back to patients realizing they have no privacy and move it toward helping to protect them from HIPAA."
Kloss believes that accounting of disclosures is an important patient right because it allows the industry to communicate with patients and makes organizations accountable by requiring them to reveal who is viewing PHI, why they need access to that information, and how they intend to use it.
"In addition," she concludes, "we must be able to demonstrate that we are managing the request and response processes in a sensitive and deliberate manner, that we are securing their personal information across the entire health system, and that we have implemented quality control measures to ensure no unauthorized disclosures are made."
— Elizabeth S. Goar is a freelance writer based in Tampa, Florida.