Skip to main content

CHIME Weighs in on Proposed HIPAA Disclosure Rules

 |  By Margaret@example.com  
   July 22, 2011

Proposed federal rules requiring providers and payers to let patients know when anyone accesses their electronic medical records would be difficult to meet and should be scaled back, says a comment letter filed by the College of Healthcare Information Management Executives.

Ann Arbor-based CHIME contends that the federal government's rules rely too much on technical capabilities that aren't widely available and fail to acknowledge the amount of human intervention necessary to achieve compliance.

The group's primary concern is a requirement that would extend responsibility for protected health information contained within a designated record set to include a new right to a consolidated access report. CHIME contends that DRSs are "too broadly defined and too variable in today's health IT environment," and that the ability to aggregate hundreds or thousands of access events in any automated fashion "is not realistic for most covered entities."

The reports would identify who has accessed a patient's protected health information so a patient would know if a specific person had looked at it.

CHIME, which represents more than 1,400 CIO members as well as healthcare IT vendors and professional services firms, wants the access report requirement dropped. But if the requirement remains in the rule, then CHIME suggests that only data gathered through certified electronic health records, not the full array of designated record sets, should populate the access reports.

In its comments CHIME notes that the access reports would not differentiate between uses of the information for care delivery and disclosures of the information. "Many legitimate access events could occur across clinical systems that fall outside certified EHRs, complicating any requirement to deliver a consolidated report or allowing for customized views."

In a press statement Pam McNutt, senior vice president and chief information officer at Dallas-based Methodist Health System and chair of CHIME's policy steering committee, expressed concern that "the access logs, report filters, and other technical specifications needed to generate an access report would be inconsistent or nonexistent across many clinical data sources that might be considered part of a DRS."

CHIME is also concerned that developing the reports would require the purchase of new software and additional data storage space and mean that several employees would need to be dedicated to pulling and consolidating the access logs from a variety of systems.

The comment letter takes issue with the release of the names of staff members who have accessed a patient's information saying the disclosures has the potential to "expose employees to unnecessary scrutiny or other negative consequences. This could be viewed as a violation of employee rights."

As an alternative, CHIME recommends that patients provide the hospitals, physicians, or payers with the names of anyone they suspect may have inappropriately accessed their information.

CHIME also suggests that the current 60-day timeline for responding to accounting of disclosure requests be retained, not shortened to 30 days as suggested by the proposed rule.

The rule is a statutory requirement under the Health Information Technology for Economic and Clinical Health Act (HITECH). Comments may be filed here until Aug. 1. If approved, the rule would go into effect in January 2013.

 
See Also:

HHS Proposes EMR Access Disclosure Rule

Proposed HIPAA Disclosure Rule, Explained

6 Things to Know About the HIPAA Disclosures Proposed Rule

 

Margaret Dick Tocknell is a reporter/editor with HealthLeaders Media.
Twitter

Tagged Under:


Get the latest on healthcare leadership in your inbox.