HITPC approves ‘accounting of disclosures’ recommendations
The Health IT Policy Committee unanimously endorsed recommendations presented by the privacy and security tiger team governing the accounting of disclosures of an individual’s protected health information (PHI).
Currently, the HIPAA rule requires covered entities to make available an accounting of certain disclosures of an individual’s identifiable PHI going back up to six years before the request. However, there are a number of exceptions, including for disclosures made to carry out treatment, payment or operations, so an accounting isn’t commonly required, explained Deven McGraw, chair and director of the health privacy project at the Center for Democracy & Technology.
The HITECH Act amended the rule so the exceptions no longer apply to disclosures made through an EHR and altered the look-back period from six to three years. In addition, the law would require availability of an “access report” to patients, including information on specific individuals who have accessed their PHI and the nature of the disclosure.
The privacy and security tiger team was charged with providing input to assist the Department of Health and Human Services (HHS) in implementing the HITECH provisions.
McGraw, along with co-chair Paul Egerman, conducted a hearing and requested comments to inform their recommendations. They found that no testimony supported the view that the proposed access report was feasible with current technology, and concerns arose about the potentially significant cost of furnishing such a report.
Also, it’s not clear that patients want, or would find value in, the deluge of information likely to be produced by the access report. Currently, patients rarely ask for the accounting report available under the current law, McGraw said.
“It seemed unwise to impose an access report mandate. There is little evidence that patients ask for it. Also, there is a high cost for implementation and a lot of uncertainty about the demand and value,” she said. However, hearing participants agreed that patients should have the right to a full investigation of complaints about inappropriate access.
To that end, the team presented, and the committee endorsed, the following recommendations:
- Given the uncertainties in implementing the HITECH requirements, HHS should approach this in a “step-wise fashion,” initially pursuing a path doable from both policy and technology perspectives.
- The tiger team does not believe the proposed access report meets the requirements of HITECH to take into account the interests of the patient and administrative burden on covered entities (CEs).
- The team urges HHS to prioritize quality over quantity, where the scope of disclosures and related details to be reported to patients provide information that is useful to patients, without overwhelming them or placing undue burden on CEs.
- HHS should pursue a “follow the data” approach, meaning: 1) when control of patient data is transferred to another entity, the recipient should be part of an accounting of disclosures report; and 2) patients should also be able to obtain the report from such recipients if they are business associates and have further disclosed the data outside of their compliance environments.
- Technologies and policies governing the accounting of disclosures report should first be piloted by the Office of the National Coordinator for Health IT.
- The accounting of disclosures should require only an entity name, not the name of a specific person.
- The tiger team also reinforces the importance of the right to an investigation of alleged inappropriate access; to that end, the team recommends that the Office for Civil Rights add two implementation specifications to the current audit control standard in the HIPAA rule: 1) Audit controls must record PHI-access activities to the granularity of the individual user; and 2) Information recorded by the audit controls must be sufficient to support an information system activity review and the investigation of potential inappropriate accesses of PHI.