This is a tale that begins in 2009 and has yet to have a successful ending. The government must have determined that with the adoption of EHRs the health care industry no longer needed an exemption for treatment, payment, and health care operations when providing the HIPAA required accounting for disclosures of patient information. In 2009 the HITECH Act introduced the new requirement that technologies as part of a qualified EHR are to provide an accounting for disclosures to include those for the purposes of treatment, payment and health care operations. HITECH listed two things to keep in mind in relation to this change, which are:
1. The interests of the patients and
2. The administrative burden for such an accounting.
The tale continues as the OCR published a proposed rule in May 2011 to modify the HIPAA accounting for disclosures of PHI. Here we saw the first effort at perfection which actually halted the process. OCR proposed to not only include an accounting of disclosures for treatment, payment, and health care operations but added an access report. And OCR did not stop there. They proposed that the access report would be applicable to PHI not only in an EHR but also to electronic PHI held in a designated record set. The OCR took what appeared to be a narrowly defined new accounting due to having an EHR and created a stalemate for the industry.
In an effort to break the impasse between privacy advocates and the health care providers and vendors, the ONC Policy Committee’s Privacy and Security Tiger Team held a Virtual Hearing on September 30, 2013 to have input from the leaders in the industry on the matter of accounting for disclosures. Discussions of the access report dominated the session as it should yet the privacy advocates and the rest of the industry continue to have very different opinions on the purpose and implementation of such a report.
The attempt to reach perfection seemed evident as the privacy advocates asked for every access to PHI including non-human or machine access for queries be a part of the access report. While it was acknowledged that this reporting would create voluminous amount of data, the advocates also want the report to be easy for an individual to understand. The expectation was that someone will develop an app for that. I’ve yet to see the government write a regulation without assigning responsibility and requiring the solution to be in place. We’ll have to see how this one plays out.
The Vendors and Providers seemed in alignment with one another that the volume of data being stored could create an administrative burden and that their experience has shown that very few patients request an accounting for disclosures. The vendors discussed that patients typically know what they are looking for and a report specific to a request would be a better alternative to the access report. It was offered that a technician could run a report for a patient suspecting an inappropriate access. Additionally, the vast number of systems running in large institutions could create various reports from many vendors, also creating a hardship to put logged data into one coordinated report. A different type of concern addressed the requirement for providing the names of the individuals accessing the record and what patients might do with such information. The next step is for the Tiger Team to digest the information provided and make a recommendation to the ONC.
In search of the perfect access report the industry seems to be stalling the efforts to better define the accounting for disclosure requirements associated with EHRs. Couldn’t the Tiger Team start with second best option and simply define the accounting for disclosure requirement as HITECH defined? The debate on the access report could continue on. I’ll keep my fingers crossed that this seemingly never ending tale has a happy ending for all concerned and that the patients’ interests and the administrative burden associated with the change are not forgotten.
Camille Cohen is the Compliance Officer with 3M Health Information Systems.