Last week the Office of the National Coordinator’s Health IT Policy Committee approved recommendations from its Privacy and Security Tiger Team workgroup to scale back HHS’s proposed accounting of disclosures regulations. The Tiger Team developed its recommendations after months of work, including a September 30 virtual hearing in which the Tiger Team heard testimony from providers, payers, business associates, patient advocates, and other stakeholders.
The HIPAA Privacy Rule gives patients the right to request an accounting of certain disclosures of their protected health information. The Tiger Team recommendations address the implementation of the HITECH statutory requirement to account for disclosures for treatment, payment, or healthcare operations (TPO) made through an electronic health record (EHR). Under the current accounting regulations, TPO disclosures are exempt from the accounting requirement. In 2011, HHS issued a proposed rule to implement HITECH's statutory changes to the accounting of disclosures. The proposed rule was widely unpopular, in large part because it established a new obligation to provide individuals with an “access report” containing a complete list of the individuals who accessed their information (including internal users such as hospital employees). Thus, in addition to an accounting of external disclosures, covered entities and business associates would have been required under the proposed rule to furnish reports on access to and use of patient information within the organization. The proposed access report requirement was criticized as being unworkable and unsupported by the HITECH statute.
Although some patient advocates supported the access report proposal, the Tiger Team found that it did not meet the requirements of HITECH to take into account both the interests of the patient and the administrative burden on covered entities. The Tiger Team therefore rejected the proposed access report requirement and instead urged HHS to “pursue a more focused approach that prioritizes quality over quantity.” The Team also suggested that in light of the uncertainties and complexities involved in implementing the HITECH requirements, HHS should approach this issue in a “step-wise fashion,” initially pursuing an implementation pathway that is workable from both a policy and technology perspective.
The Tiger Team’s specific recommendations include:
- Quality over quantity: In responding to the HITECH requirement to account for disclosures for TPO, HHS should focus, at least initially, on EHR disclosures outside the covered entity or organized health care arrangement (OHCA).
- HHS should pursue a “Follow the Data” approach: When control of patient data is transferred to another entity, the recipient of the data should be part of an Accounting of Disclosures report.
  - For example, when data moves from its “compliance environment” to another environment where it can be further accessed or disclosed, or is moved to an environment where it can be accessed by individuals not known to the originating EHR, then the transfer should be included in an accounting.
- Technologies and policies to implement the new accounting requirements should first be piloted by ONC: HHS should focus first on provider EHRs per HITECH; after pilots and initial implementation, HHS could then determine how to expand (such as to additional HIPAA covered entities or to electronic data systems that are not EHRs).
- The accounting of disclosures should require only an entity name rather than the specific individual as proposed. The content of the report should be tested in the pilot; such testing should include the possibility to group similar disclosures together (vs. reporting individually).
- The Tiger Team reinforced the importance of the right of an individual to an investigation of alleged inappropriate access (which should enable patients to ask whether a particular individual inappropriately accessed their records or find out what happened to their records in a particular circumstance). This type of investigation would include inappropriate access by employees of an organization, but would be more limited than the “access report” proposed in the proposed rule.
To improve the ability of covered entities to investigate inappropriate access, the Tiger Team recommended that HHS add two addressable implementation specifications to the current audit control standard in the HIPAA Security Rule (164.312(b)):
- Audit controls must record PHI-access activities to the granularity of the individual user (i.e., human) and the individual whose PHI is accessed.
- Information recorded by the audit controls must be sufficient to support the information system activity review required by 164.308(a)(1)(ii)(D) and the investigation of potential inappropriate accesses of PHI.
The National Coordinator for Health Information Technology will consider the recommendations as HHS develops a final rule on accounting of disclosures. It is not known when a final rule will be issued.