CHIME Asks for Adjustment to Requirements in Proposed Rule on Disclosures Accounting
Proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) establish standards that will be difficult for providers to meet and should be scaled back, according to comments filed by The College of Healthcare Information Management Executives (CHIME).
The Ann Arbor, Mich.-based professional organization of healthcare CIOs said the rules rely too much on technical capabilities that are not widely available and fail to acknowledge the amount of human intervention needed to achieve compliance.
In particular, a provision of the 2002 HIPAA Privacy Rule says that covered entities are responsible for protected health information (PHI) contained within a designated record set (DRS), and the current proposed rule would extend that requirement to include a new right to a consolidated access report.
“CHIME believes the concept of DRS remains too broadly defined and too variable in today’s health IT environment,” the comment letter noted. “Moreover, the ability to aggregate hundreds or even thousands of access events in any automated fashion is not realistic for most covered entities.”
For these and other reasons, CHIME urged rule-makers not to include access report requirements in the final rule. If rule-makers include access reports in the new rules, CHIME believes that only data gathered through certified EHRs, not the full array of designated record sets, should be expected to populate such reports.
“CHIME is concerned about the entire concept of access reports,” said Pam McNutt, senior vice president and CIO at Dallas-based Methodist Health System and chair of CHIME’s Policy Steering Committee. “We believe the access logs, report filters, and other technical specifications needed to generate an access report would be inconsistent or nonexistent across many clinical data sources that might be considered part of a DRS.”
The Office for Civil Rights in the U.S. Department of Health and Human Services published the notice for proposed rulemaking (NPRM) for Accounting of Disclosures and Access Reports on May 31 and plans to publish the final rule later this year. For accounting of disclosures, the NPRM addressed a statutory requirement under the Health Information Technology for Economic and Clinical Health (HITECH) Act to extend requirements to electronic health records.
CHIME supports a number of changes in the proposed accounting of disclosures rule, especially where the rule clarifies and simplifies compliance requirements. For instance, the NPRM would limit the types of disclosures subject to the accounting requirement, rather than the current practice of listing exemptions to the requirement. But the organization states that rule-makers need to extend implementation and production timelines.
“Generating an accounting of disclosures is today largely a manual process for most covered entities, and we believe it will remain so for some time to come,” the comment letter notes. “Producing limited or customized reports of the kind described in this NPRM could be difficult and time-consuming.”
CHIME also suggests that the current 60-day timeline for responding to accounting of disclosure requests be retained, not shortened to 30 days as suggested by the proposed rule.
Access reports would detail who has accessed an individual’s protected health information, to enable individuals to learn if specific persons have accessed information from their records. Because these access reports would not differentiate between uses of that information for care delivery and disclosures of the information, many legitimate access events could occur across clinical systems that fall outside certified EHRs, complicating any requirement to deliver a consolidated report or to allow for customized views.
“The proposed rule seems to overestimate the technical capabilities currently available for producing a consolidated access report,” said George Hickman, FCHIME, executive vice president and CIO at Albany Medical Center. “To aggregate information for an access report, both across the covered entity and incorporating information from business associates, would require the purchase of new and expensive software tools, additional data storage and multiple FTEs dedicated to pulling and consolidating logs from disparate systems.”
In addition to CHIME’s overall concerns with access reports, the letter also expressed concern about releasing the names of staff members who have accessed a patient’s information. “With access reports, disclosing every name has the potential to expose employees to unnecessary scrutiny or other negative consequences. This could be viewed as a violation of employee rights.”
As an alternative, CHIME recommends patients seeking information about past access to their protected information provide a covered entity with specific names of those who may have inappropriately accessed their information.