AHIMA: Proposed HIPAA Access Requirement a 'Significant Burden'
A proposal that would require hospitals to give patients, on request, information about anyone who accessed their health records would be costly, time-consuming, and could potentially put healthcare workers in danger from "stalkers" armed with the names of hospital employees, the American Health Information Management Association (AHIMA) says.
Chicago-based AHIMA, the non-profit association for HIM professionals, released public comments Wednesday that it submitted to the Office for Civil Rights (OCR) regarding the "HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act" proposed rule.
The disclosure rule, required by HITECH and published in the Federal Register May 31, updates the HIPAA Privacy Rule accounting of disclosures provision and creates an "access report" requirement. The new provision includes an accounting of who accessed electronic health information in a designated record set, for any reason. It covers both uses and disclosures, regardless of the purpose.
All such DRS systems should be capable of logging access, according to the proposed rule. OCR expects covered entities and business associates to generate access reports for each electronic DRS and aggregate it into a single electronic access report.
However, that would "cause a significant burden for covered entities and their EHR vendors" because current systems do not support such a requirement. The association suggests CEs and BAs respond to these patient requests on an ad hoc basis "rather than require significant systems and process changes that will raise the cost of healthcare for what appears to be a very limited number of requests."