A proposed HIPAA privacy disclosures rule would be an administrative and financial burden for providers. Furthermore, the rules go beyond the scope of HIPAA, and they could intrude on the privacy of healthcare providers.
Those were the predominant themes among more than 140 public comments received as the comment period drew to a close Monday.
The usual suspects of tech interest groups such as CHIME and AHIMA filed comments as did a mix of hospitals, government offices, individual physicians, and vendors. Although many comments are generally supportive of the concept of transparency in regard to personal health records, implementation is another matter.
In one of the few complete endorsements of the proposed rule, Sheryl Nicklaus offered her comments from a consumer's perspective. "I want to know who is accessing my electronic health record...I want to know if my EHR record needs to be accessed for legal purposes, or for audit purposes, that facts in the record are NOT changed by medical staff in any way in the days before I receive the document (which is possible with the paper charts now.) This assures accountability and ethical truthfulness of the medical staff."
But the prevailing tone of the comments was negative.
Dr. Glen LaBine, a dentist, said simply, "due to the economy, this would put a hardship on my business. The burden of financial costs would cause me to close my practice."
Dr. Christina Morris, commenting as a family physician, said "I am strongly opposed to this rule…as it will serve only to increase tedious workloads by requiring redundant documentation of the need to view critical patient information to perform clinical duties" She expressed concern that the "issue of necessary practitioner access to medical records will only serve as fodder for the already encumbered medical liability system until appropriate tort reform measures are addressed."
Here is a sampling of the other comments posted on regulations.gov:
American Health Information Management Association represents 61,000 health information management professionals. Dan Rode, vice president of policy and government relations, wrote "Although we strongly support the right of individuals to ask questions regarding access to their PHI, we are troubled because such rules go outside of the current scope of HIPAA, even with the HITECH amendments… the transition to electronic health record systems did not contemplate the necessity of tracking this level of access or take into consideration the potential administrative costs, and thus, will cause significant burden for covered entities and their EHR vendors."
"AHIMA queried our HIM professionals on how they currently handle individuals' concerns about who has accessed their electronic health records. The HIM professionals indicated that they have been able to respond to the queries and satisfy the individuals without providing the details proposed in the access report...AHIMA suggests it would make more sense to require covered entities and business associates to respond to these requests on an ad hoc basis rather than require significant systems and process changes that will raise the cost of healthcare for what appears to be a very limited number of requests."
Medical Group Management Association's more than 21,000 members are professional administrators and leaders of medical group practices. Like AHIMA, the MGMA provided information gleaned from a survey of its membership that included a very low demand for the access records. MGMA reported that 65% of the respondents reported they had received less than 1 patient request per FTE physician for disclosure reports in the past 12 months.
"Considering how infrequently physician practices receive these requests from patients, the proposed rule fails to meet the statutory requirement to balance the needs of patients with the burden on providers," wrote William F. Jessee, MGMA president and CEO. "These reports, which would be required to show all electronic access to a patient's health information for up to three years, could be hundreds or even thousands of pages long, making them extremely challenging for physician practices to produce and of little practical value to the patient receiving them."
College of Healthcare Information Management Executives (CHIME) represents more than 1,400 CIO members, healthcare IT vendors and professional services firms. In its comments CHIME notes that the access reports would not differentiate between uses of the information for care delivery and disclosures of the information. "Many legitimate access events could occur across clinical systems that fall outside certified EHRs, complicating any requirement to deliver a consolidated report or allowing for customized views."
The comment letter takes issue with the release of the names of staff members who have accessed a patient's information saying the disclosures has the potential to "expose employees to unnecessary scrutiny or other negative consequences. This could be viewed as a violation of employee rights."
The University of California has five medical centers that receive more than 3.9 million patient visits annually. The university echoed other comments that challenged the expansion of the right conferred under HITECH to an access report from the electronic designated record set. John Stobo, senior vice president for health sciences and services at UC, said in a letter that "Covered entities should not be required to provide an access report for anything other than access that would constitute a disclosure of PHI for treatment, payment and operations. If the right to an access report is retained in the regulation then such a right should be limited to the EHR and not expanded to the much broader electronic designated record set. The expansion of the requirement to provide access logs from the electronic designated record set is a much broader requirement than is mandated under the HITECH Act, will impose a significant administrative burden on health care facilities and providers at a time when they are focused on implementation of EHRs to promote the nation's health, and provides little patient benefit."
Stobo also cited some special circumstances in recommending that employee names not be included in access reports. He noted that with UC's public mission its hospitals serve a variety of patient, including prisoners and other criminals. "With these unique patient populations in mind, the disclosure of employee names in an access report presents a significant and real employee safety concern."
The New York Department of Health made a plea to exclude computer programmers from the access rules. Jason Helgerson, the Medicaid director wrote "…the department's Medicaid data warehouse will be accessed by scores of individuals on an hourly basis as they write computer programs. All of these queries will be accessing thousands and in many cases millions of claims records. While keeping track of these inquiries can be done technologically, we question whether an access report listing the names of anyone who wrote a program that used claims data to create a report will provide any useful information."
Page, Wolfberg & Wirth is a law firm that represents more than 1,000 ambulance services and emergency medical services agencies. "HHS believes that covered entities are already tracking every instance when electronic PHI is accessed under the HIPAA security rule. The rule does not mandate constant access tracking not does it provide specific details on the technology or methods that must be used to monitor access to ePHIs. Current systems are geared to track only a limited number of disclosures to comply with the current accounting standard. The proposed rule would require upgrading and/or reconfiguration of most current software systems."
IMS Health provides information services for the healthcare industry. In its comment letter IMS expressed concerns about the access report concept. "While the access report may satisfy patient curiosity regarding who might have touched his or her medical records, it's certainly not the best means for a patient to determine if someone inappropriately accessed his or her records. Many covered entities put alerts on patient files when there is some suspicion of inappropriate access, and this would seem to satisfy any requisite investigational needs and remediation efforts. Further, regulations that specifically address the particular issue of suspected inappropriate access would be more appropriate than what is proposed."
Brigham and Women's Hospital in Boston is a major medical research facility. In its comment letter the hospital voiced support for excluding research from the required access disclosures citing the difficulty of collecting that information because "unlike other types of institutional records, research records often are not maintained in a central, electronic system. Typically they are maintained by individual investigators in a manner specific to the nature and requirements of the protocol."
Margaret Dick Tocknell is a reporter/editor with HealthLeaders Media.
