The Ann Arbor, Mich.-based professional organization of healthcare IT leaders said the rules rely too much on technical capabilities that are not widely available and fail to acknowledge the amount of human intervention that will be necessary to achieve compliance.
In particular, a provision of the 2002 HIPAA Privacy Rule says that covered entities are responsible for protected health information (PHI) contained within a designated record set, or DRS, and the current proposed rule would extend that requirement to include a new right to a consolidated access report.
“CHIME believes the concept of DRSs remain too broadly defined and too variable in today’s health IT environment,” the comment letter noted. “Moreover, the ability to aggregate hundreds or even thousands of access events in any automated fashion is not realistic for most covered entities.”
For these and other reasons, CHIME is urging rule-makers not to include access report requirements in the final rule. If rule-makers include access reports in the new rules, CHIME believes that only data gathered through certified EHRs, not the full array of designated record sets, should be expected to populate such reports.
“CHIME is extremely concerned about the entire concept of access reports,” said Pam McNutt, Senior vice president and chief information officer at Dallas-based Methodist Health System and chair of CHIME’s Policy Steering Committee. “We believe the access logs, report filters, and other technical specifications needed to generate an access report would be inconsistent or nonexistent across many clinical data sources that might be considered part of a DRS.”
The Office for Civil Rights in the U.S. Department of Health and Human Services published the notice for proposed rulemaking (NPRM) for Accounting of Disclosures and Access Reports on May 31 and plans to publish the final rule later this year. For accounting of disclosures, the NPRM addressed a statutory requirement under the Health Information Technology for Economic and Clinical Health (HITECH) Act to extend requirements to electronic health records.
CHIME supports a number of changes in the proposed accounting of disclosures rule, especially in areas where the rule clarifies and simplifies compliance requirements. For instance, the NPRM would limit the types of disclosures subject to the accounting requirement, rather than the current practice of listing exemptions to the requirement. But the organization states that rule-makers need to extend implementation and production timelines.
“Generating an accounting of disclosures is today largely a manual process for most covered entities, and we believe it will remain so for some time to come,” the comment letter notes. “Producing limited or customized reports of the kind described in this NPRM could be difficult and time-consuming.”
CHIME also suggests that the current 60-day timeline for responding to accounting of disclosure requests be retained, not shortened to 30 days as suggested by the proposed rule.
Access reports would detail who has accessed individual’s protected health information to enable individuals to learn if specific persons have accessed information from their records. Because these access reports would not differentiate between uses of that information for care delivery and disclosures of the information, many legitimate access events could occur across clinical systems that fall outside certified EHRs, complicating any requirement to deliver a consolidate report or allowing for customized views.
“The proposed rule seems to overestimate the technical capabilities currently available for producing a consolidated access report,” said George “Buddy” Hickman FCHIME, executive vice president and chief information officer at Albany (N.Y.)
In addition to CHIME’s overall concerns with access reports, the letter also voiced concern about releasing the names of staff members who have accessed a patient’s information. “With access reports, disclosing every name has the potential to expose employees to unnecessary scrutiny or other negative consequences. This could be viewed as a violation of employee rights.”
As an alternative, CHIME recommends that patients seeking information about past access to their protected information provide a covered entity with specific names of those who may have inappropriately accessed their information.
A copy of CHIME’s comments on the proposed rule for HIPAA Privacy Rule Accounting of Disclosures can be accessed here: http://www.cio-chime.org/advocacy/resources/download/CHIME_Comments_OCR_NRPM_for_HIPAA_Changes.pdf
About CHIME
The College of Healthcare Information Management Executives (CHIME) is an executive organization dedicated to serving chief information officers and other senior healthcare IT leaders. With more than 1,400 CIO members and over 70 healthcare IT vendors and professional services firms, CHIME provides a highly interactive, trusted environment enabling senior professional and industry leaders to collaborate; exchange best practices; address professional development needs; and advocate the effective use of information management to improve the health and healthcare in the communities they serve. For more information, please visit www.cio-chime.org.
