Policy & Value-Based Care

One Big Issue the HIPAA Omnibus Rule Doesn’t Address

Sept. 24, 2013

A proposed rule published in 2011 stated that patients have the right to an “access report,” detailing every single access of their health information, for instance by hospital employees. The proposal has been widely criticized as unworkable. The HIT Policy Committee's Privacy and Security Tiger Team will hold a virtual, public hearing on Sept. 30 to address this issue.

David Raths

Since the updated version of the Health Insurance Portability and Accountability Act (HIPAA) went into effect on Sept. 23, providers have been busy prioritizing compliance activities, understanding the breach notification rule and patients’ rights, and following new requirements related to business associates. With so many moving parts, you would be forgiven for thinking that the Department of Health & Human Services has covered all the possible topics related to privacy and security in this Omnibus Rule. But in fact there is one key area still to be addressed and that involves a patient’s right to an "accounting of disclosures” of their health information.

A proposed rule published in 2011 stated that beyond an accounting of disclosures of their information outside the areas of treatment, payment and health care operations, patients have the right to an “access report,” detailing every single access of their health information, for instance by hospital employees. This access report proposal has been widely criticized as unworkable.

At the time, the American Medical Informatics Association wrote that the proposal “reflects both an inaccurate and unreasonable interpretation of the HIPAA Security Rule and a dramatic misjudgment of the capabilities of the applicable technology in the healthcare industry. We believe that this report will provide little reasonable benefit to individuals, that the primary interests identified for individuals can be served in much narrower ways, and that the rule – if applied as proposed – would require significant new technology efforts and expenditures from virtually all companies in the health care industry, with substantial ongoing burden.”

In May 2013, Kirk Nahra, an attorney in Wiley Rein, noted that: “There is little additional privacy interest in identifying specific employees who were involved in using a patient’s health care information in the settings where these activities are routine and consistent with the overall approach of HIPAA.”

The HIT Policy Committee's Privacy and Security Tiger Team will hold a virtual, public hearing on Sept. 30 to address this issue. At the hearing, the Tiger Team will hear testimony from stakeholders including providers, payers, technology developers, business associates, and patient advocates. Instructions on how to listen to this meeting are at the following link: http://www.healthit.gov/facas/calendar/2013/09/30/policy-privacy-security-tiger-team-virtual-hearing

In a recent conference call, Deven McGraw, director of the Health Privacy Project at the Center for Democracy & Technology and chair of the Privacy and Security Tiger Team, said because the response to the 2011 proposed rule was so vehement, HHS could go in a very different direction and create a completely new proposed rule based on the feedback.

There are so many ONC work group meetings that it is difficult for busy health IT execs to keep up with all of them. But this Sept. 30 meeting is one you might want to attend.