"Even though Sec. 13405(c) within HITECH indicates this type of accounting would be a requirement, it's likely this section was overlooked by most CEs and BAs who instead focused on the breach notice section. The Accounting of Disclosures NPRM is a wake-up call for CEs and BAs alike to get this portion of the Security Rule implemented," Herold says. "Once it is implemented, then creating easy-to-understand reports to show these accesses will be a matter of creating or updating existing applications that access ePHI."
EHRs should have tracking capability, but don't. Apgar says one key point providers should note is making the audit logs "human-readable" for the patient. "This should be a reporting function of the EHR application," Apgar says. "Tracking data elements that are required per the draft rule that are not generated by the EHR (such as with legacy applications) will be very difficult for the covered entity," he says.
Phyllis A. Patrick, MBA, FACHE, CHC, of Phyllis A. Patrick & Associates LLC, in Purchase, NY, says it's clear that the technology "does not exist or is not yet available to most, if not all, providers to be able to respond to these requirements." Any process today is probably more manual than technical and requires personnel time to locate and report the information, and work with the patient to explain what the information includes, Patrick added. "How can providers and business associates align these requirements with patient requests when EHR capability is not there yet?" she asked.
Some relief? Greene, of Davis Wright Tremaine LLP, says one aspect of the proposed rule is a "welcome relief to covered entities." HHS in the rule limits the types of disclosures that are subject to a "full accounting." The preamble states that the full accounting of disclosures will be limited to the types of disclosures that are likely to be of most interest to individuals (such as law enforcement and court proceedings), Greene says, and exempts large categories of disclosures such as those required by law or for research.
Are "access reports" a good thing? "I think it makes good sense to add the new right to an access report," says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
"Many healthcare organizations already provide this voluntarily, and this report, which includes insider access (use, rather than disclosure), is commonly used to identify snoopers."
Concerns over limits to DRSs. Limiting the accounting and access reports to PHI in a DRS raises concerns, Borten adds. In the proposed rule, HHS cites the breach notification interim final rule that applies to all PHI in any form regardless of where such information exists. In other words, if there is unauthorized access outside of a DRS, CEs and BAs would theoretically have to report it as a breach.