
Proposed HIPAA Disclosure Rule, Explained

By dnicastro@hcpro.com
June 02, 2011

Covered entities and business associates finally have an idea what the accounting of disclosures provision in HITECH is all about. The Department of Health & Human Services publicly released a proposed rule governing privacy disclosures related to electronic health records May 27 and published it in the Federal Register May 31. Comments must be submitted on or before August 1, 2011. See also: 6 Things to Know About the HIPAA Disclosures Proposed Rule.

What: The HITECH-required proposed rule is formally known as "HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act." The HITECH Act requires CEs and BAs to provide an accounting of disclosures of personal health information (PHI) through an EHR, for treatment, payment, and healthcare operations (TPO) dating back three years from such a request.

The proposed rule implements this requirement through the right to an "access report," which includes an accounting of who accessed electronic health information in a designated record set (DRS), for any reason. This includes both uses and disclosures, regardless of the purpose.

Why accounting of disclosures: "The intent of the accounting of disclosures is to provide more detailed information (a 'full accounting') for certain disclosures that are most likely to impact the individual," according to the proposed rule.

Why access reports: "The intent of the access report is to allow individuals to learn if specific persons have accessed their electronic DRS information (it will not provide information about the purposes of the person's access)," according to the proposed rule.

Compliance dates: For new accounting of disclosures requirements, if the rule becomes final in its current form, compliance would be mandatory 180 days after the effective date of the final regulation (i.e., 240 days after publication). For the access reports provision, compliance would be effective January 1, 2013, for electronic DRS systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic DRS systems acquired prior to 2009.

DRS definition: According to the HIPAA Privacy Rule, a DRS is a group of records maintained by or for a CE which:

  • Consists of medical records and billing records about individuals maintained by or for a CE;
  • Contains enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Is used, in whole or in part, by or for the CE to make decisions about individuals.

Comment period: Comments on this proposed rule must be submitted on or before August 1, 2011.

New rule a burden for providers and BAs? Yes, according to HHS itself in the proposed rule. Adam H. Greene, JD, MPH, of Davis Wright Tremaine LLP, based in Seattle, adds that healthcare providers who do not maintain comprehensive audit logs will be required to do so, and the proposed rule may represent a significant burden. "For health plans, this proposed rule most likely represents an unwelcome surprise since it encompasses their systems, rather than only 'electronic health records,'" said Greene, a 12-year health law veteran and key regulator for HHS who left the agency last month, but not before helping author the proposed rule published this week.

Is this accounting completely new? No. The HIPAA Security Rule already requires audit tracking: 45 CFR 164.312 (technical safeguards) requires CEs (and now BAs, per HITECH) to "implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI."

Chris Apgar, CISSP, president, Apgar & Associates, LLC, in Portland, OR, points out that 45 CFR 164.308 includes two periodic audits (user login monitoring and information systems activity review) that rely or should rely on generated audit logs. Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, in Des Moines, IA, says she doubts if more than 40% of CEs and BAs combined actually have such logging in place.

"Even though Sec. 13405 (c) within HITECH indicates this type of accounting would be a requirement, it's likely this section was overlooked by most CEs and BAs who instead focused on the breach notice section. The Accounting of Disclosures NPRM is a wake-up call for CEs and BAs alike to get this portion of the Security Rule implemented," Herold says. "Once it is implemented, then creating easy-to-understand reports to show these accesses will be a matter of creating or updating existing applications that access ePHI."

EHRs should have tracking capability, but don't. Apgar says one of the key aspects providers should take note of is making the audit logs "human-readable" for the patient. "This should be a reporting function of the EHR application," Apgar says. "Tracking data elements that are required per the draft rule that are not generated by the EHR (such as with legacy applications) will be very difficult for the covered entity," he says.
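As an added illustration, not from the article or from any of the people quoted in it, the script below turns application audit records into the kind of per-patient, human-readable access report the proposed rule describes: who touched the record, when, what they did, and whether the event was an internal use or a disclosure to an outside party, limited to the three-year window counted back from the request date. The JSON-lines log format, its field names, and every user, patient ID and timestamp in it are constructed for this example; a real EHR or legacy system will log something different and the parser is the part that would change.

```python
"""Build a patient-readable access report from application audit logs.

Added example; the log format and all records below are constructed,
not taken from any real EHR product.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit records (hypothetical JSON-lines format).
# "recipient" is null for an internal use and names an outside party
# when the record left the organization (a disclosure).
SAMPLE_AUDIT_LOG = """
{"ts": "2011-05-02T09:14:00Z", "user": "jdoe", "role": "RN", "patient_id": "P001", "action": "VIEW", "record": "progress_note", "recipient": null}
{"ts": "2011-05-03T15:40:12Z", "user": "billing1", "role": "BILLING", "patient_id": "P001", "action": "EXPORT", "record": "claim", "recipient": "Acme Health Plan"}
{"ts": "2007-11-20T08:00:00Z", "user": "jdoe", "role": "RN", "patient_id": "P001", "action": "VIEW", "record": "lab_result", "recipient": null}
{"ts": "2011-05-10T11:00:00Z", "user": "msmith", "role": "MD", "patient_id": "P002", "action": "VIEW", "record": "progress_note", "recipient": null}
{"ts": "2011-04-28T22:05:30Z", "user": "nightclerk", "role": "CLERK", "patient_id": "P001", "action": "PRINT", "record": "demographics", "recipient": null}
"""

# Three-year accounting window counted back from the date of the request.
LOOKBACK = timedelta(days=3 * 365)


def parse_ts(value):
    """Parse the log's UTC timestamp string into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_audit_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        records.append(rec)
    return records


def access_report(records, patient_id, as_of):
    """Rows for every access to one patient's records inside the window.

    Returns (date, time, user, role, action, record, kind) tuples, oldest
    first. kind is "use" for internal access and "disclosure" when a
    recipient is named. Events after as_of or before the cutoff are dropped.
    """
    cutoff = as_of - LOOKBACK
    rows = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["patient_id"] != patient_id:
            continue
        if rec["ts"] < cutoff or rec["ts"] > as_of:
            continue
        kind = "disclosure" if rec.get("recipient") else "use"
        rows.append((rec["ts"].strftime("%Y-%m-%d"), rec["ts"].strftime("%H:%M:%S"),
                     rec["user"], rec["role"], rec["action"], rec["record"], kind))
    return rows


def build_report(log_text, patient_id, as_of_iso):
    """Convenience wrapper: raw log text plus an ISO request date to report rows."""
    return access_report(parse_audit_log(log_text), patient_id, parse_ts(as_of_iso))


def format_report(rows):
    """Render rows as a plain-text table a patient can read without a data dictionary."""
    header = f"{'Date':<10} {'Time':<8} {'Who':<10} {'Role':<8} {'Action':<7} {'Record':<14} Type"
    lines = [header, "-" * len(header)]
    for date, time, user, role, action, record, kind in rows:
        lines.append(f"{date:<10} {time:<8} {user:<10} {role:<8} {action:<7} {record:<14} {kind}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_report(SAMPLE_AUDIT_LOG, "P001", "2011-06-01T00:00:00Z")))
```

Two design points matter more than the formatting. First, the report is only as complete as the log feeding it: a system that never recorded the 2007 view cannot produce it on request, so the retention policy for audit logs has to outlast the accounting window. Second, separating "use" from "disclosure" needs a field the log actually captures (here the recipient); if the application cannot tell the two apart, the report cannot either.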

Phyllis A. Patrick, MBA, FACHE, CHC, of Phyllis A. Patrick & Associates LLC, in Purchase, NY, says it's clear that the technology "does not exist or is not yet available to most, if not all, providers to be able to respond to these requirements." Any process today is probably more manual than technical and requires personnel time to locate and report the information, and work with the patient to explain what the information includes, Patrick added. "How can providers and business associates align these requirements with patient requests when EHR capability is not there yet?" she asked.

Some relief? Greene, of Davis Wright Tremaine LLP, says one aspect of the proposed rule is a "welcome relief to covered entities." HHS in the rule limits the types of disclosures that are subject to a "full accounting." The preamble states that the full accounting of disclosures will be limited to the types of disclosures that are likely to be of most interest to individuals (such as law enforcement and court proceedings), Greene says, and exempts large categories of disclosures such as those required by law or for research.

Are "access reports" a good thing? "I think it makes good sense to add the new right to an access report," says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.

"Many healthcare organizations already provide this voluntarily, and this report, which includes insider access (use, rather than disclosure), is commonly used to identify snoopers."

Concerns over limits to DRSs. Limiting the accounting and access reports to PHI in a DRS raises concerns, Borten adds. In the proposed rule, HHS cites the breach notification interim final rule, which applies to all PHI in any form regardless of where such information exists. In other words, if there is unauthorized access outside of a DRS, CEs and BAs would theoretically have to report it as a breach.

"There is uncertainty about what qualifies as a breach since it's left up to the individual organization. That's a big loophole," Borten says. "The NPRM example of PHI outside a DRS (hence, not subject to this reporting) is PHI in a peer review report. But how confident are we that a covered entity would know of unauthorized use or disclosure of a peer review report and would deem it a breach?" 

A shorter reporting period? The proposed rule would have providers account for disclosures going back three years, instead of the current six. Herold says it's probably an attempt on the part of the lawmakers to help save storage space, about which many organizations have expressed concerns. The three-year timeframe was also established within Sec. 13405 (c) of HITECH, so it is not a new idea. Borten calls it "a bit puzzling."

Organizations already keep accounting information for six years, and since the statute of limitations for civil action is six years, Borten says, "I don't see a good reason to reduce the reporting period to only the past three years. Some hospitals with user access logs already keep them for at least six years and even longer. The hard part of meeting the current requirement is setting up and following the process, not data storage, and the process as stipulated in the privacy rule should already be in place."


Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
