HIT Policy Committee: Substitute Investigation Requests for Unworkable EHR Access Report Proposal

Dec. 4, 2013
The Privacy & Security Tiger Team recommended that ONC work on pilot projects that would allow patients to request a report about external disclosures from an EHR. But the recommendation stresses that any potential solutions must make it technically feasible for this type of report generation to be automated, so it is not a huge time and cost burden on providers.

The Dec. 4 Health IT Policy Committee meeting featured two significant presentations with privacy and security implications. Most significantly, the committee approved the recommendations of its Privacy and Security Tiger Team that ONC should pilot technologies and policies related to accounting of disclosures before CMS actually does any further rulemaking on the issue.

First, some background: A proposed rule published in 2011 stated that besides having a right to an accounting of disclosures of their information outside the areas of treatment, payment and health care operations, patients also have the right to an “access report” detailing every single access of their health information, for instance by hospital employees. This access report proposal has been widely criticized as unworkable.

Deven McGraw, a co-chair of the Tiger Team, summarized an ONC hearing it held earlier this fall:

• No testimony supported that the proposed access report was doable, at least with current technologies. Audit trail technologies are frequently mentioned as a tool for offering greater transparency to individuals, but audit logs, when they are deployed, are designed to track security-relevant system events, not user activity, and do not easily produce reports designed to be understandable to individuals.

• No one at the hearing offered a specific technical path forward toward accomplishing the scope of what was proposed in the Notice of Proposed Rulemaking (NPRM) access report.

• Questions were raised about the potentially significant costs of the NPRM access report.

• It's not clear that patients want, or would find value in, the deluge of information likely to be produced by the NPRM access report. Today, patients rarely ask for these, she noted.

The Tiger Team recommends that ONC work on pilot projects that would allow patients to request a report about external disclosures from an EHR, with some examples of how to define external disclosures. But the recommendation stresses that any potential solutions must make it technically feasible for this type of report generation to be automated, so it is not a huge time and cost burden on providers, McGraw said.

Additionally, McGraw and co-chair Paul Egerman described an alternative to the concept of an access report listing every employee who has accessed data. The Tiger Team suggested bolstering the right of an individual to an investigation of alleged inappropriate access. The hearing indicated that an investigation, rather than an accounting, might satisfy many patient concerns, they said. Such an investigation should enable patients to ask whether a particular individual inappropriately accessed their records or find out what happened to their records in a particular circumstance. The full Policy Committee endorsed their recommendations, which likely means that there will be further research before any rulemaking is undertaken.

In a separate presentation, Susan McAndrew, senior policy specialist in the HHS Office for Civil Rights, gave an update about progress on compliance and enforcement. First, she said that HHS is in the final stages of rulemaking about changes to CLIA (Clinical Laboratory Improvement Amendments) regulations that will allow lab vendors to send results directly to patients at their request.

McAndrew also updated the committee on OCR’s audit program. It is currently evaluating the audit program and preparing for permanent integration of the audit function in its work portfolio. “I do think that for security rule compliance, audit is a significant tool, and more valuable than the complaint-driven processes,” she said. “While we can follow up on breaches, that comes far too late in the process.”

She shared some details from the audit pilot, including the fact that 58 of 59 providers had at least one security finding or observation.

There was no complete and accurate risk assessment in two-thirds of entities audited. The most common cause identified was that the entity was unaware of the requirement, which is cause for even greater outreach and education, she said.
