
HIPAA Access Reports Could Aid Malpractice Attorneys

By dnicastro@hcpro.com | August 01, 2011

The right to request an "access report" as outlined in the Office for Civil Rights' proposed HIPAA accounting of disclosures rule could be an asset to attorneys in HIPAA civil suits and malpractice cases, privacy experts say.

Under the proposed accounting of disclosures rule, patients could request an accounting of who accessed their electronic health information in a designated record set, for any reason. It covers both uses and disclosures.

The proposed rule could help the case of malpractice and other lawyers, says Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP and author of HIPAA Blog.

"And it doesn't even have to be a HIPAA or data breach or confidentiality case," Drummond says. "In a medical malpractice case, the plaintiff's lawyer can say, 'X looked at the file and didn't say anything.' "

Through the new provision, patients would be able to obtain access reports for the purpose of sharing the report with their malpractice attorneys.

"In practice, I think that these reports will be useful to malpractice attorneys, but not necessarily serve as a smoking gun," said Adam Greene, JD, MPH, a lawyer in the Washington, DC, office of Davis Wright Tremaine LLP. Greene is a former OCR senior health information technology and privacy specialist. "This is because the access report will not provide the purpose of the access; so much of the access that a malpractice attorney suspects to be impermissible may prove to be for a valid purpose, such as for a valid administrative or quality improvement purpose."

So could a lawyer use the following argument?

Dr. Smith only accessed Jane Doe's record once prior to her damaging surgery. That is not enough time spent researching the patient's condition before operation.

"I suppose that it's possible," Greene says. "It may depend on whether the access log tracks the user action."

For instance, Greene presents the following scenario:

Dr. Smith only accessed the record once, but what the access report does not reflect is that he downloaded the file to his encrypted portable device and then spent a substantial amount of time reviewing it.

Covered entities should reasonably limit access to electronic PHI, Greene says, and would be well served to maintain documentation of why particular persons and positions have access.

For example:

John Doe accessed your record, but he is permitted to do so because his position requires him to access patient records to ensure that patients are receiving high quality services.

Access revelations

Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA College in Casa Grande, AZ, says the access reports could detect patterns of inappropriate access.

The proposed provision does not include a requirement to show how long a person viewed a medical record. However, the date and time must be noted, which can be problematic, according to Ruelas. "If [a staff member] works from 8 to 5, and there are access report entries before 8 or after 5, this might be worth more investigation."

Ruelas says this could boost a lawyer's argument: if the covered entity (CE) does not have an adequate monitoring or auditing process, "a lawyer seeing that [the staff member] is repeatedly looking at records before 8 a.m. can invite some very interesting questions."

"If someone is listed on the report as 'viewed' under 'action' over and over again, and this has gone undetected, this can also be a problem," Ruelas adds.

The new requirement not only gives patients easier access to information about who accessed their record but also, according to Ruelas, reveals:

  • What systems were queried to get the data
  • Whether the organization is fulfilling its commitment to safeguarding user access to ePHI (e.g., access IDs, unique IDs, etc.)
  • Whether the CE reviews reports indicating unusual access patterns

Ruelas calls the process of finding culprits who access records inappropriately a "very laborious task with an element of luck."
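The two patterns Ruelas describes above (entries outside a staff member's working hours, and the same user listed as "viewed" over and over) can be checked mechanically by a covered entity before a report is ever handed to a patient. The Python below is an added example, not part of the original article or the proposed rule; the column names, shift schedule, repeat threshold and sample rows are all constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime, time

# Constructed sample access report for one patient record. Column names are
# assumptions; the article only says entries carry a date/time and an action.
SAMPLE_REPORT = """timestamp,user,action
2011-07-11 07:12,jdoe,viewed
2011-07-11 10:30,asmith,viewed
2011-07-12 07:05,jdoe,viewed
2011-07-12 14:45,asmith,modified
2011-07-13 18:40,jdoe,viewed
2011-07-14 09:15,jdoe,viewed
"""

# Assumed shift schedule (the article's 8-to-5 example); users without a
# schedule entry are not evaluated for off-hours access.
SHIFTS = {"jdoe": (time(8, 0), time(17, 0)), "asmith": (time(8, 0), time(17, 0))}
REPEAT_VIEW_THRESHOLD = 3  # assumed cut-off for "over and over again"


def parse_report(text):
    """Return access entries as (datetime, user, action) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [(datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M"),
             r["user"], r["action"].strip().lower()) for r in rows]


def off_hours_entries(entries, shifts):
    """Entries whose time of day falls outside the user's scheduled shift."""
    flagged = []
    for when, user, action in entries:
        shift = shifts.get(user)
        if shift and not (shift[0] <= when.time() <= shift[1]):
            flagged.append((when, user, action))
    return flagged


def repeat_viewers(entries, threshold):
    """Users with at least `threshold` 'viewed' entries on this record."""
    views = Counter(user for _, user, action in entries if action == "viewed")
    return {user: n for user, n in views.items() if n >= threshold}


if __name__ == "__main__":
    entries = parse_report(SAMPLE_REPORT)
    print("off-hours:", off_hours_entries(entries, SHIFTS))
    print("repeated views:", repeat_viewers(entries, REPEAT_VIEW_THRESHOLD))
```

As Greene notes earlier, a report like this carries no purpose of access, so a flagged entry is a prompt to check the documented reason for that person's access, not a finding in itself.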

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
