CHIME Weighs in on Proposed HIPAA Disclosure Rules

Proposed federal rules requiring providers and payers to let patients know when anyone accesses their electronic medical records would be difficult to meet and should be scaled back, says a comment letter filed by the College of Healthcare Information Management Executives.

Ann Arbor-based CHIME contends that the federal government's rules rely too much on technical capabilities that aren't widely available and fail to acknowledge the amount of human intervention necessary to achieve compliance.

The group's primary concern is a requirement that would extend responsibility for protected health information contained within a designated record set to include a new right to a consolidated access report. CHIME contends that DRSs are "too broadly defined and too variable in today's health IT environment," and that the ability to aggregate hundreds or thousands of access events in any automated fashion "is not realistic for most covered entities."

The reports would identify who has accessed a patient's protected health information so a patient would know if a specific person had looked at it.

CHIME, which represents more than 1,400 CIO members as well as healthcare IT vendors and professional services firms, wants the access report requirement dropped. But if the requirement remains in the rule, then CHIME suggests that only data gathered through certified electronic health records, not the full array of designated record sets, should populate the access reports.