Seeking Your Input: Transparency and Implementation of HITECH Accounting of Disclosures

The HIT Policy Committee’s Privacy and Security Tiger Team will hold a virtual, public hearing next Monday to explore realistic ways to provide patients with greater transparency about the uses and disclosures of their digital, identifiable health information.

Such exploration should also help facilitate implementation of the HITECH requirement that a patient’s right under the HIPAA Privacy Rule to an “accounting” of disclosures include disclosures for “treatment, payment and operations” when such disclosures are made through “an electronic health record.” The Privacy Committee of the National Committee on Vital and Health Statistics’ Subcommittee on Privacy, Confidentiality and Security and the HIT Standards Committee’s Privacy and Security Work Group will also participate in the question and answer periods. This hearing will be held on September 30 from 11:45 a.m. to 5:00 p.m. Instructions on how to listen to this meeting are available here.

At the hearing, the Tiger Team will hear testimony from stakeholders – including providers, payers, vendors and business associates, and patient advocates – on key questions, organized by four goals for the hearing. These questions are shown below. In addition, the Tiger Team invites you – members of the public – to provide written answers to the questions posed below. The Tiger Team will consider these answers as it continues to deliberate and make recommendations on these issues.


Goal 1: Gain a greater understanding of what patients would like to know about uses, accesses, and disclosures of their electronic protected health information (PHI). 

  1. What are the reasons patients may want to learn who/what entities have used, accessed or received their PHI as a disclosure?  What are the reasons they might want to know about internal uses or accesses?
  2. What information would patients want to know about such use, access, or disclosure?  For example, is it important to know the purpose of each, or the name or role of the individual involved?
  3. What are acceptable options for making this information available to patients?  (report, investigation, etc.)
  4. If there are limitations to the information about uses, accesses or disclosures that can be automatically collected given today’s technologies, what are the top priorities for patients?
  5. If patients have a concern about possible inappropriate access to or disclosure of their health information, what options currently are available to address this concern?  What options should be developed for addressing or alleviating that concern?


Goal 2: Gain a greater understanding of the capabilities of currently available, affordable technology that could be leveraged to provide patients with greater transparency re: use, access, or disclosure of PHI.

  1. What capabilities are currently used to enable transparency regarding (or to track or monitor) each use, access, or disclosure of PHI?   To whom (and for what purpose) is this information communicated?
  2. If you currently do not track each user that accesses a record internally along with the purpose of that access, what would it take to add that capability from a technical, operational/workflow, and cost perspective?  What would it take to add that capability for external disclosures?
  3. Is there any “user role” or other vehicle that can be utilized to distinguish an access by an internal user from an external disclosure? Can it be determined, for example, that the user is a community physician who is not an employee of the healthcare organization (IDN or OHCA)? If not, what are the obstacles to adding this capability?
  4. Does the technology have the capability to track access, use, or disclosure by vendor employees, such as systems administrators (who, for example, may need to occasionally access data in native mode to perform maintenance functions)? Do you currently deploy this capability and, if so, how?
  5. Are there certain uses, accesses, or disclosures within a healthcare entity that do not raise privacy concerns with patients? What are these uses and disclosures? Can the technology distinguish between these and others that might require transparency to patients?
  6. Do you have the capability to generate reports of access to, uses of, and disclosures from, a medical record?
  • How frequently are the reports generated, and what do they look like?
  • How granular are these reports?  Are they detailed by aggregate data categories, individual type of data, or individual data element, or in some other way?
  • Can they be generated automatically, or do you use manual processes?
  • Do you integrate reports across multiple systems?
  • What is the look-back period?


Goal 3: Gain a greater understanding of how record access transparency technologies are currently being deployed by health care providers, health plans, and their business associates (for example, HIEs).

  1. How do you respond today to patients who have questions or concerns about record use/access/disclosure?  What types of tools/processes would help you improve your ability to meet patient needs for transparency regarding record use/access/disclosure? Have you ever received a request from a patient (or subscriber) that requested a list of every employee who had access to PHI?
  2. What types of record use/access/disclosure transparency or tracking technologies are you deploying now and how are you using them?
  3. For transparency, what do you currently provide to patients regarding use/access and disclosure, and do you see any need to change your current approach?
  4. Do you have any mechanisms by which patients can request limits on access?  For example, if a patient had concerns about the possibility that a neighbor employed by the facility might access his/her record, is there a way for this to be flagged?


Goal 4: Gain a greater understanding of other issues raised as part of the initial proposed rule to implement HITECH changes.

  1. Regarding access reports, what information do you collect besides the basic information collected in an audit log?
  2. What would be involved in obtaining access information from business associates? Do current business associate agreements provide for timely reporting of accesses to you or would these agreements need to be renegotiated?
  3. What issues, if any, are raised by the NPRM requirement to disclose the names of individuals who have accessed/received copies of a patient’s PHI (either as part of a report of access/disclosures or in response to a question about whether a specific person has accessed)? What are the pros and cons of this approach?
  4. How do you think current mechanisms to allow patients to file a complaint and request an investigation regarding possible inappropriate uses or disclosures are working? Could they be enhanced and used in lieu of, or in addition to, a report?
  • Should entities be required to do such an investigation – if so, what should be the scope?
  • Should entities still be required to produce a report if the patient wants one?
  • What recourse does the patient have if he/she is not satisfied with the response?
  • What options do entities have if a patient’s transparency requests cannot be honored?

24 Comments

  1. The American Hospital Association’s (AHA) comments on the previously proposed, but never finalized, rulemaking from the HHS Office for Civil Rights related to accounting of disclosures address the key discussion questions the Tiger Team has recently invited members of the public to answer in writing through an increasingly routine use of an ONC blog post. The AHA’s official comments remain as relevant to the Tiger Team’s purpose as they were when the AHA submitted them as part of the APA-compliant OCR public notice and comment process. This call from the Tiger Team, coming less than one week prior to the date of a virtual – but highly prescribed – hearing, asks for input from the members of the public outside of the very limited pool of witnesses the Tiger Team formally invited to testify at its virtual hearing about 19 questions, virtually all of which contain multiple parts requiring detailed and frequently technical explanation. The virtual hearing itself provides for only 15 minutes at the end of the day for comments from the public beyond the formal witness pool.

    The AHA’s official comments are accessible at http://www.regulations.gov/#!documentDetail;D=HHS-OCR-2011-0011-0234. They also are available for download from the AHA website at http://www.aha.org/advocacy-issues/letter/2011/110801-cl-hipaaprivruleacctdiscl.pdf. However, below for the convenient immediate use of the Tiger Team, we reprint the text of the cover letter to those comments to provide a summary of the more detailed explanation that our comment letter provides.

    August 1, 2011

    SUBMITTED VIA E-FILE

    The Honorable Kathleen Sebelius
    Secretary
    U.S. Department of Health and Human Services
    Office for Civil Rights
    Hubert H. Humphrey Building, Room 509F
    200 Independence Avenue, S.W.
    Washington, DC 20201

    Attention: HIPAA Privacy Rule Accounting of Disclosures (RIN 0991-AB62); Notice of
    Proposed Rulemaking, 76 Fed. Reg. 31426 (May 31, 2011).

    Dear Secretary Sebelius:

    On behalf of our more than 5,000 member hospitals, health systems and other health care organizations, and our 42,000 individual members, the American Hospital Association (AHA) appreciates the opportunity to comment on the Department of Health and Human Services (HHS) Office for Civil Rights’ (OCR) May 31 proposed rule on the HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act (HITECH). This rule proposes changes to the HIPAA Privacy Rule for hospitals and other HIPAA-covered entities, and their business associates, affecting the individual right to an accounting of disclosures. Unfortunately, the AHA believes that the centerpiece of the proposed rule is misguided because it does not appropriately balance the relevant privacy interests of individuals with the substantial burdens on covered entities, including hospitals. As such, it is out of step with President Barack Obama’s call in the January 18, 2011, Executive Order 13563, “Improving Regulation and Regulatory Review,” for “cutting down on the paperwork that saddles businesses with huge administrative costs.”

    America’s hospitals are dedicated to safeguarding the privacy of their patients’ medical information, and the AHA and its members support HHS’s efforts to implement HITECH’s change to HIPAA. We generally endorse the proposed revisions to the accounting of disclosures requirements, although we urge additional changes to ensure that patients continue to receive information they value for understanding how their protected health information (PHI) is used and disclosed without placing undue burdens on covered entities to provide that information. However, the proposed rule’s requirement for providing individuals with an access report detailing all internal access to electronic designated record sets is misguided, as explained above; and we urge HHS to withdraw its proposal to create a new individual right to an access report. Summarized below are additional recommendations, which we discuss in greater detail in the attached pages:

    • While the AHA generally supports HHS’s efforts to implement changes to the existing accounting of disclosures requirements, we request that HHS clarify the discussion of designated record sets, adopt its proposed exclusions to the accounting requirement and maintain existing exclusions. We urge HHS to maintain a 60-day response requirement and limit an accounting to three years.

    • Instead of moving forward to establish the new individual right to an access report, HHS should reissue a request for information aimed at better reflecting the statutory requirements, the technological realities, and better alignment of the regulation’s effectiveness with the compliance burdens.

    • The AHA is concerned about the assumptions HHS makes regarding the HIPAA Security Rule in its preamble commentary and asks HHS to retract the preamble discussion in order to reflect longstanding department guidance.

    • In the event HHS declines our request to abandon the access report, we urge HHS to adopt a number of changes, including extending the compliance date and removing the requirement to name employees. We also request that HHS reflect the statutory requirement that covered entities be permitted to direct individuals to a business associate. In addition, we ask that HHS make clear that a covered entity is not liable for unsecure transmissions requested by a patient. Finally, we request that HHS provide at least 60 days for the provision of an access report.

    We believe that HHS can further improve the value of the rule for both patients and providers by withdrawing the proposed access report requirement and making the additional improvements we recommend. If you have any questions about our recommendations, please contact Lawrence Hughes, assistant general counsel, at lhughes@aha.org or (202) 626-2346.

    Sincerely,

    /s/

    Rick Pollack
    Executive Vice President

  2. Lydia says:

    What time zone is this hearing on September 30 from 11:45 a.m. to 5:00 p.m.?

  3. Steve Bernstetter says:

    Is there an agenda or timeline available for this event? Any help would be greatly appreciated.

    Thanks,
    SB

  4. Deven McGraw says:

    I am submitting the story of Karen Santoro, a patient whose records were inappropriately viewed internally by her co-workers. She is unable to join us at the virtual hearing on Monday.

    Health Privacy Violation Haunts VA Worker, She Says
    By Brian Bowling

    Published: Monday, Feb. 14, 2011,

    The Pittsburgh Veterans Affairs Healthcare System is trying to use a technical violation of its leave policy to punish an employee who reported a violation of the federal health record privacy law, a union official said. “That’s about it in a nutshell,” said Keith Watson, president of American Federation of Government Employees Local 2028.

    Air Force veteran Karen Santoro, 44, worked in the University Drive Division’s Surgical Services until August when she discovered the violation. She started working for the Pittsburgh VA in 2007.
    Diagnosed as having depression in 2008, she used up her sick days and Family Medical Leave Act time and took unpaid leave while she was being treated. The Pittsburgh VA, “in its own miraculous molasses way,” never got around to approving that unpaid leave, a situation that usually doesn’t cause a problem, Watson said.

    Loss of trust

    After Santoro learned that two co-workers had accessed her medical records, she filed a complaint. Since then, the VA claims that she was absent without leave and tried to suspend her for 10 days, a step in the process toward firing her, Watson said. “You can only look at that as some type of retaliation,” he said. David Cowgill, spokesman for the Pittsburgh VA Healthcare System, said the agency doesn’t comment on personnel matters.

    Santoro said the situation has shaken her confidence in the VA. She said she originally switched from being treated at the VA to being treated at the University of Pittsburgh Medical Center, but she decided she didn’t want to let the bureaucracy drive her away from the facility. “I’ve received outstanding care there. I really have,” she said.

    It was a shock when she overheard a conversation last summer that made her suspect her co-workers had peeked at her medical records, Santoro said. The VA’s information security officer verified that three of her colleagues had accessed her record, and a subsequent investigation by the hospital’s privacy officer in August determined two of them had no legitimate reason to look at it, she said.
    She filed a retaliation claim on Aug. 18 with the Department of Health and Human Services’ Office for Civil Rights because VA management refused to transfer her to a different area. The office started its own investigation in September after she contacted Sen. Robert Casey’s office to find out what was going on, Santoro said. Informally, she’s been told the office will issue its findings soon.

    A Health and Human Services spokeswoman couldn’t be reached for comment. Casey spokesman Larry Smar confirmed the office has been talking with Santoro but declined to comment on the case because of privacy issues.

    Work environment

    Santoro said that because she was forced to work with the people who had invaded her privacy, she had an anxiety attack that sent her to the emergency room. With the union and her doctor agreeing that she couldn’t keep working in Surgical Services, she took another four months of unpaid leave while trying to get the VA to reassign her.

    Watson said the VA first tried to effectively demote her while keeping her in Surgical Services, and then claimed it couldn’t transfer her even though she was qualified for several openings.
    While the VA management says that her reporting the HIPAA violation has nothing to do with its actions, Watson said “to us, it just seems like it’s too convenient and that’s exactly what they’re doing,” he said.

    Santoro returned to work in December when the VA agreed to transfer her temporarily to Primary Care. She starts a permanent assignment today in Medical Specialty Services, but said the episode has left her shaky and waiting for the official investigation report from Health and Human Services.
    “It’s kind of difficult to imagine me having a future there because I’m not sure how I can trust them,” she said.

    Link to article: http://triblive.com/x/pittsburghtrib/news/s_722737.html#axzz2esOSmnaq

  5. Tina Grande says:

    Confidentiality Coalition Testimony on HITECH Accounting of Disclosures

    September 30, 2013

    Privacy & Security Tiger Team Virtual Hearing
    Health IT Policy Federal Advisory Committee
    Office of the National Coordinator for Health IT

    The Confidentiality Coalition appreciates the opportunity to provide this written testimony in connection with the HHS Office of National Coordinator Health IT Policy Committee Privacy and Security Tiger Team public hearing to evaluate the use of “accounting of disclosures” principles in connection with electronic medical records.

    The principle of accounting of disclosures was created by the original HIPAA accounting rule. As a HIPAA issue, this principle is in the course of significant re-evaluation. As the Privacy and Security Tiger Team may be aware, the Confidentiality Coalition submitted comments in August 2011 on the original HHS Office for Civil Rights proposal concerning this rule. (Our original comment letter is attached in its entirety).

    In this testimony, we focus our comments on how this issue should best be addressed in the HIPAA context, to inform the Tiger Team’s evaluation of this issue for electronic medical records. Our suggestion is that any potential changes to the HIPAA accounting rule, consistent with congressional intent as expressed in the HITECH Act (the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009, Pub. Law No. 111-5), should be limited to the requirements of the statute and include appropriate and specifically defined patient interests, and also be consistent with the statutory mandate to “take into account the administrative burden.” A proposal that is unworkable or imposes costs and burdens that far outweigh any reasonable benefits to patients serves no one’s interest and should be rejected.

    In general, we believe that:
    • patient interests in the kind of information covered by the accounting proposal can be addressed through a variety of more focused and less burdensome means, including through privacy notices and appropriate complaint investigations;
    • there is substantial risk to individual employees of healthcare companies from the approach suggested for the “access report,” as well as a significant variety of misuses for this report; and
    • implementation of the congressional mandate should be limited to the requirements imposed by Congress (without any expansion) as much as possible.
    Accordingly, we believe that:
    • any new changes to the accounting rule should be limited to “disclosures of PHI” for treatment, payment and healthcare operations purposes that are made “through” an “electronic health record;”
    • “electronic health records” should be limited to those electronic health records that incorporate “meaningful use” standards; and
    • any compliance period for this new requirement should be delayed until the meaningful use standards incorporate a corresponding requirement connected to this accounting rule change (to ensure that these obligations can be met through appropriate technology) and the implementation date for this new meaningful use standard is in place (with accounting obligations applying only to disclosures from that point in time forward).
    To the extent that any expansion of this concept occurs, beyond the specific dictates of Congress in the HITECH Act, it is imperative that any expansion be closely linked to specific patient interests and be technologically feasible. In addition, it is critical that the burdens imposed by this regulation on covered entities and others not exceed the potential benefits to individuals.

    Coalition Background

    The Confidentiality Coalition is composed of a broad group of hospitals, medical teaching colleges, health plans, pharmaceutical companies, medical device manufacturers, vendors of electronic health records, biotech firms, employers, health product distributors, pharmacies, pharmacy benefit managers, health information and research organizations, patient groups, and others founded to advance effective patient confidentiality protections.
    The Coalition’s mission is to advocate for policies and practices that safeguard the privacy of patients and healthcare consumers while, at the same time, enabling the essential flow of patient information that is critical to the timely and effective delivery of healthcare, improvements in quality and safety, and the development of new lifesaving and life-enhancing medical interventions. The Confidentiality Coalition is committed to ensuring that consumers and thought leaders are aware of the privacy protections that are currently in place. Coalition members believe that, as healthcare providers make the transition to a nationwide, interoperable system of electronic health information, it is essential to replace the current mosaic of sometimes conflicting state healthcare privacy laws, rules, and guidelines with a strong, comprehensive national confidentiality standard for healthcare information.

    Background – The Accounting of Disclosures Rule

    The HITECH mandate on this issue provided that “in the case that a covered entity uses or maintains an electronic health record with respect to protected health information– (A) the exception under paragraph (a)(1)(i) of such section shall not apply to disclosures through an electronic health record made by such entity of such information.” As Congress directed, any implementing regulations “shall only require such information to be collected through an electronic health record in a manner that takes into account the interests of the individuals in learning the circumstances under which their protected health information is being disclosed and takes into account the administrative burden of accounting for such disclosures.”

    The collective experience of our members is consistent with the general view identified by HHS – to date, the accounting rule has been of very limited interest to individuals. Most of our member organizations have received few if any accounting of disclosures requests. In addition, while the requests have been limited, the requests that are made typically require a significant investment of time and effort to respond appropriately, by gathering and analyzing the relevant information from multiple sources and creating an appropriate report. There also is no simple vehicle for a covered entity to obtain accounting of disclosures information from business associates, most (if not all) of whom will, in fact, have no responsive accounting of disclosures information (meaning that hundreds or even thousands of business associates need to be contacted, with the almost universal response being “we have no relevant disclosures to report.”)

    Our Analysis

    In general, we see little appropriate patient privacy interest in the details of these disclosures beyond information that already is received by patients or that can be accomplished through other existing means. This HITECH language relates to disclosures for treatment, payment and healthcare operations. Each of these categories of disclosures is routine, in connection with disclosures for which individual patient consent is presumed and which are all described in full in a privacy notice provided to every patient. And, particularly for treatment and payment disclosures, this information is exactly the core of what a patient knows and expects about disclosures of their information. We see little benefit to a patient, from a privacy perspective, to be provided detail on which particular employee was involved in sending a claim to a patient’s insurer, or who received that claim at the insurer and then processed it.

    Moreover, to the extent that the primary patient interest described by HHS in the proposed rule relates to the desire to know about inappropriate access to information, we believe that these interests can be served by substantially narrower requirements that are more significant to the patient and impose little administrative burden. These kinds of issues are handled today, to the extent they arise at all, by a complaint and investigation process that is described in the HIPAA rules and followed by all HIPAA covered entities. By contrast, the proposed access report would provide voluminous detail of little value about all individuals whose use and disclosure of information was appropriate and consistent with specific job functions. Moreover, compiling this information would require enormous new technology efforts and expenditures from virtually all entities in the healthcare industry (as well as their business partners). Confidentiality Coalition members have reported that the proposed mandate to create an access report will force them to shift substantial resources away from patient care and quality improvement and redirect it to compliance with the proposed requirements for the creation of the access report.

    We also believe that this access report could create realistic risks for healthcare company employees who are identified in these reports, and that the reports could be used for many inappropriate purposes that are unconnected to any incidental privacy interests. This significant risk should not be dismissed or discounted, and it is a vital factor that must be taken into account in striking an appropriate policy balance.

    1. HHS should not apply this HITECH principle beyond the mandate of the HITECH Statute
    We believe that HHS should limit its modifications of the accounting rule to these changes mandated by Congress. Additional obligations will not provide meaningful additional benefits to patients and would impose significant burdens on covered entities and the healthcare industry in general.

    2. Privacy investigations can address many of the patient interests that have been identified

    We have seen virtually no identification of significant privacy interests for individuals from the accounting of disclosures and access report materials. In the NPRM proposal, HHS focused on the idea that some patients (an acknowledged small minority) would have an interest in identifying inappropriate users of their information. While we understand and support that interest, there are specific means under the existing rules for these interests to be accommodated that do not require new or expanded obligations for covered entities.

    In particular, the existing HIPAA complaint and investigation process focuses on exactly these kinds of privacy issues. Companies have an obligation to receive complaints from individuals and others, and to conduct appropriate investigations, whether based on complaints or not. There are additional requirements for appropriate monitoring and internal reviews to ensure that HIPAA rules are being followed by a covered entity’s work force, independent of any complaints that are received. We believe strongly that the appropriate means of identifying and investigating potential wrongdoing is to rely on these existing processes – and the obligation to conduct effective investigations – rather than create a new administrative burden that primarily will identify appropriate activities and will lead to inevitable follow-up workload and substantial new cost. If an individual has a concern, there are existing means to address these concerns.

    3. Privacy notices provide much of the information that patients can use in this area

    We understand that patients have an appropriate interest in understanding how their health information is used and disclosed. This interest has been accommodated in HIPAA from its inception through the detailed requirements for development of and distribution of appropriate privacy notices. These privacy notices describe how information is used and disclosed by every covered entity. These notices provide the information on a broad basis to all patients about their information – without requiring detailed tracking, collection of new data and putting individual employees at risk. Moreover, these privacy notice provisions are passed down to business associates and their subcontractors through a business associate agreement. These privacy notices should provide the primary means of communicating to patients how their health information is used and disclosed.

    4. There is significant risk to healthcare company employees from the access report

    As discussed in our original comment letter, the NPRM, by expanding the HITECH mandate to cover all uses of PHI, would create realistic risks to healthcare employees who are simply doing their jobs. Because the NPRM encompasses all uses of PHI, the proposal would expose the identities of individuals who are acting in perfectly appropriate ways – doing exactly what they are supposed to be doing – in the performance of their duties. We are concerned that some (and perhaps many) of the individuals who make this request may have a hidden agenda or other non-privacy interest in what is happening. We believe that this proposed rule puts healthcare workers potentially in jeopardy, and creates a new risk that does not exist today. HHS should not go beyond the statutory mandate in a way that creates potentially threatening conditions for healthcare workers.

    5. Unintended consequences

    We also have substantial concerns about other unintended consequences of the approach proposed by HHS, including a variety of situations where these reports may be misused in inappropriate ways. For example, it is easy to see how these reports could be misused in connection with frivolous litigation. We do not see any reasonable basis for the creation of these access reports under a privacy justification where it is clear that misuses of the information are likely and troubling.

    Accordingly, we see little “positive” and significant “negatives” from applying the broader “access” principles created in the proposed rule. We suggest that HHS focus instead on developing an appropriate regulation that is limited to addressing the mandate of the statute.

    Our Proposal

    With this background, our proposal is as follows. We believe that the approach should focus on three specific issues from the statutory language.

    1. Disclosures Only
    Any new accounting rule proposal should be focused exclusively on “disclosures,” as the statute dictates. Uses and disclosures by a hospital or other healthcare providers, for example, will be exactly the type of information use that already is spelled out in the privacy notice. There is little additional privacy interest in identifying specific employees who were involved in using a patient’s healthcare information in the settings where these activities are routine and consistent with the overall approach of HIPAA. We understand that one rationale for including “uses” as well as disclosures is that some companies or information technology systems cannot distinguish between the two. Many of our members do not have this problem. To the extent that a particular entity is unable to distinguish between uses and disclosures in any particular situation, it obviously can include uses, as well, in its discretion. But, the inability of some companies to draw this distinction should not result in a broadened mandate for everyone beyond the statutory requirements.

    2. Only those disclosures “through” an electronic health record
    The requirement should only be applied to disclosures that are “through” an electronic health record. The statutory language focused explicitly on disclosures that are made “through” an electronic health record. This appears to incorporate the idea that it is these electronic health records where the appropriate technology can exist, and where some kind of centralized control can be made involving these kind of “accounting” issues. This technology and this centralization simply do not exist in all places in all covered entities (and, as we know now, do not exist today even in many electronic health records). Information is used and disclosed across healthcare companies in the normal, routine course of operations. We encourage a proposal that is limited to disclosures that are made “through” this core electronic health record, not to all disclosures across a covered entity or business associate outside of this core electronic health record.

    3. Only applied to “meaningful use” electronic health records
    HHS should ensure that the definition of “electronic health record” is applied in a way that is consistent with the overall approach of the HITECH law, to incorporate the “meaningful use” electronic health records that are at the core of that law. Congress imposed this requirement on covered entities that use these “meaningful use” electronic health records. This obligation should be imposed on those that use these “meaningful use” electronic health records, as well as the limited number of business associates who use these specific electronic health records in a way that they make disclosures “through” these records. All other disclosures of information – made outside of this specific electronic health record context – should be excluded from this expanded requirement.

    Additional elements

    Beyond these core elements of our proposal, there are two additional items for consideration based on HHS’ evaluation of the NPRM.

    1. The original HHS proposal included various changes to the current accounting rule for non-routine disclosures. As discussed in our original comment letter, we support many of these changes as appropriate reductions on administrative burden that will not have any meaningful impact on patient privacy interests.
    Our only concern with the proposal on the accounting rule relates to the reduction in timeframe for responses. Each accounting of disclosures request, even those used today, requires a significant workload to ascertain the appropriate disclosures, particularly where business associates may be involved. We cannot support the proposal to reduce the time frame for producing these reports, as there is no reasonable basis to conclude that a shorter time period is necessary or appropriate. Moreover, as these reports still will cover three years, it is hard to see the urgency of accelerating the response period for providing these reports.

    2. We believe that HHS’s interpretation of the HIPAA Security Rule does not conform to the language of that rule and that this discussion in the context of the accounting rule should be withdrawn.

    As discussed in our original comment letter (particularly our Appendix on the Security Rule), we believe strongly that HHS’ discussion of the Security Rule in connection with this accounting rule proposal is inconsistent with virtually everything HHS has said historically about the HIPAA Security Rule and is inconsistent with current technological capabilities. Therefore, while we encourage HHS to revisit from the start its creation of this right to an access report, we also encourage HHS to revamp or retract its revised approach to the Security Rule, to return to an interpretation that it has utilized throughout the existence of the Security Rule. This new interpretation is set forth essentially as an assumption without any acknowledgment of a complete change in interpretation. HHS should withdraw this discussion of the Security Rule in the context of its overall re-examination of these accounting rule issues and return to its longstanding approach of interpreting that rule to permit covered entities reasonable discretion to implement appropriate security controls consistent with the risk assessment for that business.

    Conclusions

    In applying this Congressional mandate, HHS should strive for an approach that addresses the statutory mandate as necessary, but that does not create unnecessary burdens and costs (as well as potential harm to healthcare company employees or other HIPAA entities) in order to promote generalized patient interests that are better addressed in other ways. We believe strongly that the limited patient interests that HHS has identified can be addressed in a better and more cost effective way through other means. The proposal for an access report is unlikely to satisfy patients’ expectations. At the same time, this proposal creates enormous cost and compliance burdens, for any covered entities or business associates encompassed within this requirement. These burdens involve not only enormous front-end technology changes to implement these requirements, but also substantial ongoing costs and burdens to compile this information and collect it (if required) from large numbers of business associates, potentially in the thousands for any particular request. The required Congressional balance between patient interests and administrative burden simply does not exist in this proposal. This access report proposal should be withdrawn in its entirety, and HHS should focus its attention on a much more limited proposal (as required by Congress) that focuses on disclosures of PHI through a certified electronic health record.

    The Confidentiality Coalition appreciates this opportunity to provide suggestions on the future direction of the HIPAA Accounting of Disclosures rule. Please contact Tina Olson Grande, Senior Vice President for Policy, at (202) 452-8700, if there are any comments or questions about the comments in this testimony.

    Aetna
    Amerinet
    AmerisourceBergen
    American Clinical Laboratory Association
    American Hospital Association
    American Pharmacists Association
    America’s Health Insurance Plans
    Ascension Health
    Association of American Medical Colleges
    Association of Clinical Research Organizations
    Baylor Health Care System
    Blue Cross Blue Shield Association
    BlueCross BlueShield of Tennessee
    Boehringer Ingelheim Pharmaceuticals
    Cardinal Health
    CIGNA Corporation
    Cleveland Clinic
    College of American Pathologists
    C.R. Bard
    CVS Caremark
    Edwards Lifesciences
    Eli Lilly
    Express Scripts
    Federation of American Hospitals
    Franciscan Missionaries of Our Lady Health System
    Health Care Service Corporation
    Health Dialog
    Healthcare Leadership Council
    Healthways
    Ikaria
    IMS Health
    Indiana University Health
    Intermountain Healthcare
    inVentiv Health
    Johnson & Johnson
    Marshfield Clinic
    Mayo Clinic
    McKesson Corporation
    Medical Group Management Association
    Medtronic
    MemorialCare Health System
    Merck
    MetLife
    National Association of Chain Drug Stores
    National Association of Health Underwriters
    National Association of Psychiatric Health Systems
    National Community Pharmacists Association
    NewYork-Presbyterian Hospital
    NorthShore University HealthSystem
    Novo Nordisk
    Owens & Minor
    Pharmaceutical Care Management Association
    Pfizer
    Premier healthcare alliance
    Press Ganey
    Sanofi US
    SCAN Health Plan
    Siemens Corporation
    Stryker
    Surescripts
    Takeda Pharmaceuticals North America
    Texas Health Resources
    Theragenics
    ValueOptions
    Vanderbilt University Medical Center
    Vanderbilt University School of Nursing
    VHA
    Walgreens
    Weight Watchers International
    WellPoint

  6. Stuart Graves says:

    Re Goal 1, #5: Please see: “Confidentiality, Electronic Health Records, and the Clinician”, Perspectives in Biology and Medicine, Winter 2013, page 105.

  7. Jennifer says:

    As a client, I am concerned that many providers are asking to not have to offer accounting of disclosures for treatment purposes. I was abused by a mental health provider last year, and the documentation regarding the abuse was not only absent, but there were inflammatory statements that were untrue to protect that provider. I requested an accounting of disclosures for treatment purposes of all providers I had seen that year, which would have originally been due by September 23 per an Office for Civil Rights representative, so that I could find out who received the inaccurate and inflammatory documentation and what the damages to my safety and health were. Many providers honored that without trouble, but there were providers who did not want to and one that would not even honor the original accounting of disclosures requirement. Having this experience, I think it is imperative that providers find solutions to make it as convenient as possible for them but to also make sure it does become the right of every client in America to receive an accounting of disclosures for treatment purposes. Please hear not only the opinions of providers, but of clients as well. I will not be able to attend the web conference because I will be working, so I wanted to share my concern here. Thank you for this opportunity and for reading.

  8. Ralph Leask says:

    During the virtual hearing, one of the arguments put forward to support NOT extending the Accounting of Disclosures and Access Report as proposed is the current experience in which very few requests are received by Covered Entities. It should be borne in mind that the current experience suffers from two important factors – 1) current requests are made under the current, limited AoD rule and part of the reason for expansion in the proposed rule is to make AoD / Access Report more useful to the requestor, and 2) apart from reading a statement of right in NPPs, most consumers have little understanding of what the whole thing means. That changes may need to be done in stages to match the practical limitations in systems and the time needed to develop standards is clear. During that staged development of a meaningful AoD rule, education of the consumer is vital.

  9. Will a transcript of this public hearing be made available?

  10. MW says:

    Is the next hearing on October 9 open to the public? When will call-in information be provided for that hearing?

  11. Kevin N. Nicholson, R.Ph., J.D. says:

    The National Association of Chain Drug Stores (NACDS) appreciates the opportunity to provide written testimony to the HHS Office of the National Coordinator Health IT Policy Committee Privacy and Security Tiger Team on the accounting of disclosures. NACDS represents traditional drug stores, supermarkets, and mass merchants with pharmacies – from regional chains with four stores to national companies. Chains operate more than 41,000 pharmacies and employ more than 3.8 million employees, including 132,000 pharmacists. They fill over 2.7 billion prescriptions annually, which is more than 72 percent of annual prescriptions in the United States. The total economic impact of all retail stores with pharmacies transcends their over $1 trillion in annual sales. Every $1 spent in these stores creates a ripple effect of $1.81 in other industries, for a total economic impact of $1.81 trillion, equal to 12 percent of GDP. For more information about NACDS, visit http://www.NACDS.org.

    Under the HITECH mandate on accounting of disclosures, Congress clearly stated that HHS was to “only require such information be collected through an electronic health record in a manner that takes into account the interests of the individuals interested in learning the circumstances under which their protected health information is being disclosed and takes into account the administrative burden of accounting for such disclosures.”

    Specifically, the expansion of the accounting of disclosures requirement under the HITECH Act only applies to disclosures through an electronic health record (EHR). It is important to note that an EHR is generated and maintained to give patients and, as appropriate, others access to a patient’s medical records. Just because health information is stored in or disclosed through a computer does not equate that computer system to an EHR.

    Notably, the HITECH Act provides grant funding for certain providers to adopt EHRs and provides a mechanism for the development of criteria for determining eligibility for such funding. It is logical to conclude that Congress intends for the expanded accounting of disclosures functionality to apply to providers who are eligible to receive funding for, and actually adopt, EHRs as they are envisioned under the provisions of the HITECH Act. Since not all health care providers are eligible for grant funding for the adoption of electronic records, it is clear that Congress intended for certain providers to adopt a certain type of EHR and for specific requirements to attach to those EHRs.

    Pharmacies are not among the entities that are eligible for grant funding under the HITECH Act for the adoption of EHRs. Consequently, we believe that pharmacy computer systems are not “electronic health records” as such term is defined under the HITECH Act.

    The logic that the expanded accounting of disclosure requirement applies to providers who are eligible to receive funding for, and actually adopt, EHRs as they are envisioned under the provisions of the HITECH Act is supported by the historical record of the HIPAA Privacy Rule. Specifically, HHS recognized under the original final HIPAA Privacy Rule that “the additional information that would be gained from including [treatment, payment, and health care operations] disclosures would not outweigh the added burdens on covered entities.” Since most pharmacies are using substantially similar computer systems as they did when the original HIPAA Privacy Rule was finalized, HHS should reach the same conclusions with respect to pharmacy computer systems now as they did in 2003.

    Furthermore, an important fact that illustrates that individuals do not necessarily view pharmacy systems as EHRs is that individuals have demonstrated limited interest in their right to receive an accounting of disclosures. Our member pharmacies, who serve patients in almost every community across the nation, have each received no requests or only a few requests for an accounting of disclosures since the accounting rule became effective in 2003. Nevertheless, when an individual request is received, a significant investment of time and resource is typically required to respond to the individual’s request. Considering the billions of prescriptions that pharmacies dispense every year and the millions of patients served every year, and despite assertions to the contrary, our ten-year experience with HIPAA shows only that a fraction of a percent of Americans are interested in an accounting of disclosures of their health information.

    With respect to a proposed access report requirement, such a requirement would impose enormous new burdens on pharmacies. The cost to the pharmacy industry would be staggering and nearly impossible to quantify with any reasonable certainty. For most pharmacies, the current systems are not designed to track access at the individual record level; they do not capture the data elements suggested. The technical burden of creating an access report would be very high. It would require significant complexity that is not in place today. The access report would require many pharmacy computer systems to be completely redesigned and redeployed. This would require years of research, design, development, testing, rollout, and training. Complying with an access report requirement would most likely be a multi-million dollar project for a pharmacy.

    We have trouble identifying any specific individual privacy interest that would be served by an access report, beyond simple curiosity. We see no reasonable basis from a privacy perspective to mandate that individuals be given such details about the internal operations of every covered entity and business associate. Moreover, we fear that an access report would inherently create a conflict with existing employee confidentiality protections and could be misused by individuals who may have a problem with a pharmacy employee – one that could be hostile or threatening.

    For improper or unauthorized access to patient information, patients should already receive notification through the HIPAA breach rule or through the current accounting of disclosure requirements. For instance, if an employee inappropriately accessed a patient’s information, this access would be evaluated under the HIPAA breach rule. If the situation rose to the level of a breach, the covered entity would be required to provide the patient with a breach notification letter. If the incident did not, the covered entity would be required to log an accounting of disclosure which would be made available to the patient upon request. Additionally, covered entities investigate complaints received from individuals, which produces a much better privacy result than an accounting because it can address the root cause of a problem. In a competitive marketplace that is patient service driven, any pharmacy that does not work with its patients will soon find its patients going elsewhere.

    We believe that the technological and financial burden to implement the proposed access report right rule far exceeds the benefit to the few patients who will request this type of report each year. Considering the lack of benefit that we can see weighed against the vast burdens to covered entities and business associates, we must urge HHS to reconsider the access report requirement. In the NPRM for the access report, HHS recognizes that few individuals will request an access report, which only strengthens our belief that the benefits to individuals are greatly outweighed by the burdens. The fact that few requests will be made does not in any way diminish the technologic and systems burdens that would have to be overcome.

    In conclusion, we thank the Tiger team for the opportunity to provide our perspectives on accounting of disclosures and proposed access reports. We believe that the expansion of the accounting of disclosures requirement should apply only to disclosures made through an EHR as envisioned by the HITECH Act and that an access report requirement should be abandoned. An access report requirement would cause pharmacies to adopt dramatic and expensive new systems, with enormous financial, technical, and administrative resources, for a very limited and questionable patient interest.

  12. Katie Tenoever says:

    Privacy & Security Tiger Team Virtual Hearing
    Health IT Policy Federal Advisory Committee
    Office of the National Coordinator for Health IT

    The Federation of American Hospitals (“FAH”) appreciates the opportunity to provide our comments on some of the questions raised in connection with the Department of Health and Human Services (“HHS”) Office of National Coordinator Health IT Policy Committee Privacy and Security Tiger Team public hearing addressing accounting of disclosures (“AOD”) in connection with electronic medical records.

    The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) includes a provision allowing individuals to receive an AOD report of their protected health information (“PHI”) disclosed through an electronic health record related to treatment, payment and health care operations. The HITECH Act also requires that implementing regulations take into account the “interests of the individuals in learning the circumstances under which their protected health information is being disclosed and takes into account the administrative burden of accounting for such disclosures.”

    In May 2011, the HHS Office for Civil Rights (“OCR”) issued a proposed rule to implement this HITECH Act AOD provision. Key components of the proposed rule include a consumer right to an “access report,” and a right to an AOD report that includes disclosures and uses. These reports also would be based on data sources beyond an electronic health record and would include names of individuals.
    As AOD policy is further considered, the FAH urges the Tiger Team and OCR to consider the following key policy points and concerns with OCR’s current proposed rule:

    • The proposed rule to implement the HITECH AOD requirement would significantly expand the scope of this requirement and impose financial and administrative burdens that far outweigh any reasonable benefit to patients, in violation of the statutory mandate to balance consumer benefits with the administrative burden of accounting for disclosures. Further, we urge the Tiger Team and OCR to develop a more focused approach that we believe would appropriately satisfy patient interest in how their health care information is used, and supply patients with relevant, responsive information, while at the same time minimizing the administrative burden on hospitals and other health care entities, as discussed further below.

    • We recognize that patients have an appropriate interest in understanding how their health information is used and disclosed, and support patients in this effort. In fact, this interest is reflected and addressed by requirements under the Health Insurance Portability and Accountability Act (“HIPAA”) for development and distribution of appropriate privacy notices. These notices describe how information is used and disclosed by every covered entity, and provide the information on a broad basis to all patients, without requiring detailed tracking, collection of new data and putting individual employees at risk. Further, these privacy notice provisions are delegated to business associates and their subcontractors through a business associate agreement. These privacy notices should provide the primary means of communicating to patients how their health information is used and disclosed. These HIPAA processes highlight that meeting the AOD requirement can be achieved through a focused approach that minimizes the administrative burden. Thus, regulations to implement the HITECH AOD requirement could satisfy patient interest in their health care information through a common sense interpretation of the statute that applies existing HIPAA privacy notice as well as complaint and investigation processes that address exactly these kinds of privacy issues.

    The primary patient interest described in the proposed rule relates to the desire to know about inappropriate access to information. The proposed “access report,” however, would provide voluminous detail of little value to the consumer, including information about all individuals whose use and disclosure of information was appropriate and consistent with specific job functions. Compiling this information would require extensive new technology efforts and expenditures from virtually all entities in the healthcare industry, as well as their business partners. This would shift substantial resources away from patient care and quality improvement and redirect it to compliance with access report requirements that have little value for the patient.

    The access report could be used for many inappropriate purposes that are unconnected to any incidental privacy interests. For example, the reports could be used in connection with various kinds of litigation, where the activities of a particular individual are in question, including whether a particular healthcare provider or insurance claims handler reviewed a record in a particular situation or with the appropriate frequency. Even more concerning, but a notable reality, is the use of this information by disgruntled parties to harass or even bring bodily harm to healthcare company employees whom they perceive to have wronged them.

    • The HITECH AOD requirement should be limited to “disclosures of PHI” for treatment, payment and healthcare operations purposes that are made “through” an “electronic health record,” and “electronic health records” should be limited to those that incorporate “meaningful use” standards.

    The HITECH Act expressly focuses on disclosures made “through” an electronic health record. It is these electronic health records where the appropriate technology can exist, and where there can be some centralized control involving these kinds of “accounting” issues. This technology and centralization do not exist in all places in all covered entities (and do not currently exist even in many existing electronic health records). We encourage a proposal that is limited to disclosures made “through” this core electronic health record, not to all disclosures across a covered entity or business associate outside of this core electronic health record. A more expansive interpretation does not comport with the letter and spirit of the statute.

    HHS also should ensure that the definition of “electronic health record” is applied in a way that is consistent with the overall approach of the HITECH Act, which is to incorporate the “meaningful use” of electronic health records that are at the core of HITECH. All other disclosures of information, made outside of this specific electronic health record context, should be excluded from any expanded AOD requirement.

    Further, the AOD requirement should be limited to disclosures, and should not include uses. Uses and disclosures by a hospital or other healthcare provider would be exactly the type of information use that already is spelled out in the privacy notice. Thus, there is little additional privacy interest in identifying employees who were involved in “using” a patient’s healthcare information in settings where these activities are routine and consistent with the overall approach of HIPAA.

    We understand that a rationale for including uses as well as disclosures in the AOD report is that some companies or information technology systems cannot distinguish between them. To the extent that an entity is unable to distinguish between uses and disclosures, it could have the option of including uses, as well as disclosures, but there is no reason to require both uses and disclosures. The inability of the technology used by some companies to draw this distinction should not result in a broad-based mandate for all that extends beyond the statutory mandate.

    • Any compliance period for the new AOD requirement should be delayed until the meaningful use standards incorporate a corresponding requirement connected to the requirement (to ensure that these obligations can be met through appropriate technology) and the implementation date for this new meaningful use standard is in place (with accounting obligations applying only to disclosures from that point in time forward).

    • In moving toward implementation of the HITECH AOD requirement, it is critical to acknowledge the experience of our member hospitals in complying with the existing AOD requirement under HIPAA. In fact, patients have had very little interest in obtaining certain health care information under this HIPAA requirement. Our member hospitals have received few AOD requests. For example, ten hospitals in a 100+ hospital system received a total of only six AOD requests over two years (2011 and 2012), and this number is representative of all hospitals in that system. Another hospital system, with 20+ hospitals, only received 5 AOD requests over almost three years (2011 – 2013), and a 30 hospital system received only 15 AOD requests over two years (2011 and 2012). Yet, these requests typically require a significant investment of time and effort to respond appropriately, by gathering and analyzing the relevant information from multiple sources and creating an appropriate report. There is no simple vehicle for a covered entity to obtain AOD information from business associates, most of whom have no responsive information. Given this limited patient interest, it is all the more imperative to minimize the administrative burden on hospitals and other health care entities in providing information under the HITECH AOD requirement.

  13. blair w. barnhart-hinkle says:

    Don Sinko
    Chief Integrity Officer

    Cleveland Clinic Testimony on HITECH Accounting of Disclosures

    September 30, 2013

    Privacy and Security Tiger Team Virtual Hearing
    Health IT Policy Federal Advisory Committee
    Office of the National Coordinator for Health IT

    Cleveland Clinic (CC) is a not-for-profit, integrated healthcare system dedicated to patient care, teaching and research. Our health system is comprised of a main campus, eight community hospitals and 18 family health centers with over 3,000 salaried physicians and scientists. Last year, our system had nearly six million patient visits and over 165,000 hospital admissions.

    In 2011, Cleveland Clinic submitted comments to the proposed rule. Many of the comments in this testimony are consistent with the concerns we raised in our comment letter two years ago. We have attached a copy of our previous letter to this testimony.

    Congressional Intent
    We believe that any changes in the HIPAA accounting rule should be consistent with the congressional intent that was expressed in the HITECH Act (the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009, Pub. Law No. 111-5), related to administrative burden. The following are some of the suggestions and concerns of Cleveland Clinic that address administrative burdens.

    Designated Record Set
    Much of the proposed rule revolves around a health system’s ability to produce access and accounting information from the designated record set. The current definition in 45 C.F.R. 164.501 is:
    (1) A group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.

    We suggest that the definition of designated record set should be limited to the electronic health record (EHR). Further, we believe the definition of the EHR should be limited to those electronic health records that incorporate “Meaningful Use” standards.

    If the designated record set is not limited to the EHR, then it would appear that it will include the hundreds of clinical and business systems that run throughout our healthcare operation. This would require each system to run an audit trail, if possible, producing hundreds of different reports depending upon the vendor’s capability. Most hospital systems were implemented over a number of years with no intention or need for them to be integrated. Today, there is not a mechanism whereby all of the different audit reports can be collated to produce one standardized report. The required process takes countless hours of manual collation to produce just one patient report and is clearly administratively burdensome and costly.

    Privacy Investigations and Access Reports
    Our complaint and investigation processes have been specifically designed to address inappropriate access to patient information and patient complaints. We believe these processes appropriately manage the issue while the access report creates a tremendous administrative burden at a significant cost with little benefit to the patient. The access reports are both lengthy and complex. To create a readable and understandable report we undertake a laborious manual process to collate and synthesize all of the information. The report is oftentimes hundreds of pages long. Because most patients are unfamiliar with hospital operations, the reports can be confusing as patients typically do not understand the number of people who must access, use or disclose their protected health information (PHI) for treatment, payment or operational purposes.

    In addition to the time required to create the reports, there are data retention and storage issues that need to be considered because of their significant financial and system implications. To develop and store the data required for the accounting report, entities must acquire significantly more disk space to store all the information that is generated. Data storage costs increase the longer the data has to be retained. The storage requirements may also introduce latency in some critical systems, which may cause production issues that compromise patient safety. For example, some vendors design their systems to only capture audit data on the same database as the production EMR database. The EMR database happens to run on the highest performance, most resilient disk solution available. Thus, a provider would need to invest in many terabytes of identical (extremely expensive) disk to store the audit trail. Furthermore, if the granularity of audit trail needs to be at the highest level, processing cycles that are currently designed to best service the EMR users, would be diverted to generate the more detailed audit trail. Covered entities will need to invest in higher performance processors and/or memory, which is extremely costly. Such investments are difficult to justify when they are not directly tied to increased quality of care, patient experience or lower cost (i.e. value-based care).

    Finally, we are concerned with the safety of our employees. By expanding the mandate to cover all uses of PHI, we would be required to release the names of our employees who are performing their duties appropriately. There have been instances where requests for accountings have been made by individuals who have created serious safety concerns for our workforce.

    Thank you for conducting a thoughtful process that allows us to provide input on such important issues and for your consideration of this information. Should you need any further information, please do not hesitate to contact me.

    Sincerely,

    Don Sinko, CPA
    Chief Integrity Officer
    Cleveland Clinic

    Cleveland Clinic
    The Cleveland Clinic Foundation
    Offices of Internal Audit and Corporate Compliance
    9500 Euclid Avenue I HIS
    Cleveland, Ohio 44195
    Tel 216 444-6185
    Fax 216 444-9807
    sinkod@ccf.org

    August 1, 2011
    United States Department of Health and Human Services
    Office for Civil Rights
    Attention: HIPAA Privacy Rule Accounting of Disclosures
    Hubert H. Humphrey Building, Room 509F
    200 Independence Avenue, S.W.
    Washington, DC 20201
    Submitted electronically at: http://www.regulations.gov
    Donald A. Sinko, CPA
    Chief Integrity Officer
    RE: RIN 0991-AB62, Notice of Proposed Rule Making: HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act

    Cleveland Clinic (CC) is a not-for-profit, integrated healthcare system dedicated to patient care, teaching and research. Our health system is comprised of a main campus, ten community hospitals and 14 family health centers with over 2,700 salaried physicians and scientists. Last year, our system had more than four million patient visits and over 165,000 hospital admissions. We appreciate the dedication of the Department of Health and Human Services (the “Agency” or the “Department”) on behalf of the Medicare Program and the work they devote to its administration. We believe it is important for hospitals to share information with CMS so the Agency staff has a better understanding of the challenges and practicalities faced by the hospitals regarding proposed changes which influence hospital activity. The following are the comments of Cleveland Clinic in respect of the captioned proposed HIPAA Privacy Rule Accounting of Disclosures, as well as the proposed new right contained therein regarding provision of Access Reports.

    1. Designated Record Set (DRS)
    The proposed rule hinges on a health system’s ability to produce access and accounting information from the designated record set. As such, health systems must have a clear understanding of the Agency’s definition of the designated record set so they may ensure their compliance with the rule. According to 45 C.F.R. 164.501, the designated record set is defined as:
    (1) A group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
    Because this definition is very broad, it would be helpful if the Agency would either provide further guidance and clarification around what it views as the designated record set, or otherwise restrict the components of the designated record set to which the right of an access and accounting report would apply to simply core billing and treatment systems. Most healthcare systems have hundreds of systems that use dedicated hardware that either have Protected Health Information (“PHI”) or are likely to have PHI in them. Clarifying the definition or restricting the scope of these reports will aid health systems in identifying which of its many critical applications should thus be included in the review to produce the reports. Because healthcare systems often utilize hundreds of systems that contain PHI, we therefore would request that the Agency restrict the systems of the designated record set to which the access and accounting right would apply to core billing and treatment systems.

    In addition, healthcare organizations also likely need guidance to understand the scope of the requirements as there are other areas where PHI resides that are not addressed in the proposed rule. For example, many healthcare systems host databases and registries and use hosting systems similar to SharePoint to host information that contain e-PHI. In each of these examples, we are not aware of any way to track the document usage or create an audit trail that would comply with the currently proposed rules.

    Finally, the Proposed Rule does not exclude from the scope of the access report instances of access for privileged activities. Activities such as quality assurance, root cause analyses, adverse patient investigations, attorney-client communications and attorney work product/investigations seemingly would be included under the proposed rule and subject to the access report requirements. The purpose of such activities is to promote the timely reporting of adverse patient events, as well as a confidential, honest and aggressive evaluation that ultimately leads to enhanced future medical care. The disclosure of this information may have an adverse effect on such privileged activities; a result that could be detrimental to patient safety and harm prevention.
    2. Accounting Disclosures Costs and Benefits
    As many commenters have stated previously, the requirements as noted in the proposed rule would create an undue burden on the provider both in terms of the staff hours and the financial resources that would be required to undertake these efforts. With many healthcare providers struggling to survive, the financial and personnel resources to program, test, and implement changes to add the disclosure accounting data elements for the hundreds of systems which may fall under the designated record set definition may take many years and millions of dollars, depending on the size and the sophistication of the system. In this regard, larger, more sophisticated systems with advanced technology tools will be affected the most severely. It is difficult to imagine that the agency believes that this cost, which will detract from the monetary and personnel resources that should be dedicated to patient care, is in the best interest of patients and caregivers. Health systems have shared with the Agency that the potential benefit to the patient does not seem to justify the enormous investment required by providers that would be necessary to comply with the proposed rule.

    Finally, the process that is undertaken today by healthcare systems to comply with the current regulations is a manual process. If the hundreds (if not thousands) of systems all become defined as within the scope of the designated record set, it will be necessary for healthcare systems to require each system to run the audit trail, producing hundreds of different reports depending upon the vendor’s capability. There does not appear to be a mechanism whereby all of the different audit reports could be collated to produce one standardized report. This process would require countless hours of manual collation to produce just one report.
    3. Time Frame for Accounting
    Accountings are a costly operating expense included within a healthcare system’s annual budget. This would be true regardless of the time frames associated with required responses. The proposed rule would cut the time to respond to an accounting request in half, by reducing it from 60 to 30 days, thus further burdening an already financially and operationally difficult process. Most importantly, if the designated record set is defined as broadly as contemplated in the discussion above, 60 days is a wholly inadequate time to prepare an accounting. Many health systems utilize several hundred electronic systems that may constitute portions of the designated record set that must be queried in order to prepare an accounting. Once those systems are queried, it is often a manual process to sort through the resulting data in order to actually prepare the accounting document that is provided to the requestor. It is virtually impossible in large health care organizations to accomplish such a task within 60 days, let alone 30. Reducing the time frame to respond to an accounting from 60 to 30 days will render many health systems, particularly larger, more sophisticated systems with robust IT infrastructures, simply unable to comply with the more stringent requirements.

    In addition, many covered entities have heavily invested in systems and processes to permit them to respond to requests for an accounting within the now established 60-day time frame. Cutting the response time in half in this manner is fundamentally unfair to entities that have spent considerable time and resources developing systems and processes to bring them into compliance with the current 60-day response period. For these reasons, we respectfully request that the Department adhere to the current 60-day time frame to respond to requests for accountings.
    4. Requiring Business Associates to Provide Access Reports
    Several aspects of the proposed rule regarding the obligation of business associates to provide access reports are problematic. At the outset, many health systems or other covered entities may have thousands of business associate agreements. The process the Department proposes would require covered entities to query each of their business associates each and every time a patient requests an access report. Given the sheer volume of business associate relationships, this requirement would be burdensome at best. Indeed, the resources it would take to coordinate the sending of communications to each business associate each and every time a patient requests an access report would be staggering. The cost of these communications would not be insignificant either; indeed, a single access request would cost a covered entity with 2,000 business associates approximately $880 in postage costs alone, assuming delivery via the U.S. Postal Service.

    Moreover, many types of business associates do not have the systems or capacity to provide the access report the department contemplates. Business associate agreements are entered into not only with healthcare vendors who are sophisticated in the privacy and security requirements of the healthcare industry, but with a variety of other types of vendors that operate primarily outside the healthcare realm. Companies such as billing companies, business consultants, accountants, security companies, and attorneys are often engaged as business associates. These types of entities may have no ability to provide the type of access report the government contemplates. As such, these companies, which may only occasionally contract with covered entities as service providers, will find themselves faced with an extreme financial burden in order to comply with these rules. Many business associates and covered entities will be forced to terminate their relationships if the business associate is unable to comply with these requirements. Covered entities, in turn, will be forced to incur the time and cost to engage replacement vendors and transition service lines to new organizations. These replacement vendors’ services will likely be priced at a premium, in order to compensate for the extra resources required to ensure the ability to comply with these proposed regulations. Even if costs are not passed onto covered entities by vendors, the available pool of qualified vendors surely will decrease, as fewer organizations will be willing to take on the burden and obligations associated with being a business associate. Moreover, otherwise qualified companies will be precluded from servicing covered entities simply because of their inability to meet the requirements regarding provision of an appropriate access report, which will be harmful to businesses across the country and will likewise inadvertently decrease the efficiency of sophisticated healthcare systems whose flexibility in providing high quality care is partly reliant upon its business associate network.

    Additionally, we respectfully submit that the benefits to individuals resulting from the provision of access information from every single business associate of a covered entity is minimal and are outweighed by the tremendous burdens this proposed rule will otherwise impose on covered entities and business associates alike. As set forth above, covered entities contract with a variety of business associates. Individuals may have no interest in knowing who accessed their PHI at every business associate of a covered entity. As such, a broad application of the rule will result in the requestor being inundated with thousands of pages of information which may be of no utility or interest, but which took substantial effort to generate.

    In the context of an accounting report, the Department allows covered entities to provide the requestor with the names and address of its business associates so that the individual may determine from which business associates he or she would like accounting information. We submit that there is no basis for differentiating between an access report and an accounting in this regard. Providing the requestor with the list of business associates and their contact information will provide the individual the same ability to obtain this information as in the context of an accounting, while mitigating against the extreme burden this proposed rule would otherwise impose on covered entities and business associates alike.
    5. Encryption
    The NPRM states the following:
    “If the individual asks for an electronic copy of the accounting but does not want the file to be encrypted or password protected, then the covered entity should provide the electronic copy without such protections. The covered entity is not responsible or liable for the information once it is in the individual’s possession.”
    This portion of the proposed rule is of concern because, while it specifies that the covered entity is not responsible for unencrypted PHI once it is in the person’s possession, it is silent on who is responsible for the materials while they are in transit to the individual. If the patient requests that the unencrypted electronic information be mailed to him/her, and the package is subsequently misplaced in the transit process or is intercepted by an unauthorized user, the covered entity should not be held liable or subject to breach reporting requirements for what happened in the delivery process. We would suggest that covered entities be allowed to encrypt and protect the information in a manner consistent with their policies. Alternatively, we would ask that the Department modify the proposed rule to provide that the covered entity is no longer responsible for unencrypted materials and shall not be responsible for any breaches associated with their loss or interception, once they leave its possession.

    Thank you for conducting a thoughtful process that allows us to provide input on such important issues and for your consideration of this information. Please do not hesitate to contact me if you need additional information.
    Sincerely,
    Donald A. Sinko
    Chief Integrity Officer
    DAS/ded
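    The collation problem the Cleveland Clinic testimony and its attached letter describe (audit trails from many systems in many formats, no mechanism to produce one standardized report, and the concern about naming employees who accessed a record appropriately) is illustrated below with an added Python example. It is not code from Cleveland Clinic or from any commenter on this page: the three export formats, their field names and every record are constructed for the illustration, standing in for an EHR audit log, a billing-system audit log and release-of-information (ROI) software. Each source is normalised into one event schema, filtered to a patient and a look-back window, and rendered as a patient-facing report that shows the accessor's role and source system rather than the individual's user identifier, which stays in the internal audit trail.

    ```python
    import csv
    import io
    import json
    from collections import Counter
    from datetime import datetime, timedelta

    # Constructed sample exports (hypothetical formats, field names and records).
    EHR_AUDIT_CSV = """event_time,user_id,user_role,patient_mrn,action,module
    2013-09-01T08:15:00,u1001,Registered Nurse,MRN-0001,VIEW,Inpatient Chart
    2013-09-01T08:20:00,u2002,Coder,MRN-0001,VIEW,HIM Coding
    2013-09-01T09:00:00,u1001,Registered Nurse,MRN-0002,VIEW,Inpatient Chart
    2012-01-15T10:00:00,u3003,Physician,MRN-0001,VIEW,Inpatient Chart
    """

    BILLING_AUDIT_JSONL = """{"ts": "2013-09-02 14:05:00", "login": "u2002", "dept": "Patient Accounts", "mrn": "MRN-0001", "op": "read"}
    {"ts": "2013-09-03 09:30:00", "login": "u4004", "dept": "Patient Accounts", "mrn": "MRN-0002", "op": "update"}
    """

    ROI_DISCLOSURES_CSV = """disclosed_on,recipient_type,patient_mrn,reason
    2013-09-05,Health plan,MRN-0001,payment
    """


    def parse_ehr(text):
        """EHR export: ISO timestamps, explicit role column, one row per screen access."""
        for row in csv.DictReader(io.StringIO(text)):
            yield {"when": datetime.fromisoformat(row["event_time"]), "system": "EHR",
                   "kind": "access", "role": row["user_role"], "user": row["user_id"],
                   "mrn": row["patient_mrn"], "detail": row["action"] + " " + row["module"]}


    def parse_billing(text):
        """Billing export: JSON lines, a department instead of a role, non-ISO timestamp."""
        for line in text.splitlines():
            if not line.strip():
                continue
            rec = json.loads(line)
            yield {"when": datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S"),
                   "system": "Billing", "kind": "access", "role": rec["dept"],
                   "user": rec["login"], "mrn": rec["mrn"], "detail": rec["op"]}


    def parse_roi(text):
        """ROI export: external disclosures with the recipient type and the stated reason."""
        for row in csv.DictReader(io.StringIO(text)):
            yield {"when": datetime.fromisoformat(row["disclosed_on"]), "system": "ROI",
                   "kind": "disclosure", "role": row["recipient_type"], "user": None,
                   "mrn": row["patient_mrn"], "detail": row["reason"]}


    def load_events():
        """Normalise all three sources into one list of events sharing a common schema."""
        return (list(parse_ehr(EHR_AUDIT_CSV))
                + list(parse_billing(BILLING_AUDIT_JSONL))
                + list(parse_roi(ROI_DISCLOSURES_CSV)))


    def build_access_report(mrn, events, as_of, lookback_days=365):
        """Return (rows, per_system_counts) for one patient within the look-back window.

        Rows are patient-facing: they carry the accessor's role and the source system,
        never the user identifier, which stays in the internal audit trail.
        """
        cutoff = as_of - timedelta(days=lookback_days)
        selected = sorted((e for e in events if e["mrn"] == mrn and cutoff <= e["when"] <= as_of),
                          key=lambda e: e["when"])
        rows = [{"when": e["when"].strftime("%Y-%m-%d %H:%M"), "system": e["system"],
                 "kind": e["kind"], "role": e["role"], "detail": e["detail"]} for e in selected]
        return rows, dict(Counter(e["system"] for e in selected))


    def report_for(mrn, as_of_iso, lookback_days=365):
        """Convenience wrapper: build the report for an ISO date string such as '2013-09-30'."""
        return build_access_report(mrn, load_events(), datetime.fromisoformat(as_of_iso), lookback_days)


    if __name__ == "__main__":
        rows, counts = report_for("MRN-0001", "2013-09-30")
        for r in rows:
            print(f'{r["when"]}  {r["system"]:<8}{r["kind"]:<11}{r["role"]:<18}{r["detail"]}')
        print("per-system counts:", counts)
    ```

    The point of the normalising step is that every additional system costs one more parser and nothing else; the look-back window, sorting and patient-facing projection are shared. The projection is also where the employee-safety concern is handled: the internal event keeps the user identifier for investigations, while the report the patient receives carries only the role.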

  14. Jeff Smith says:

    Production of an access report is technologically unfeasible and production of an Accounting of Disclosures report for Treatment Payment and Operations across multiple information systems is enormously difficult, expensive and cannot be achieved with technology alone. This is not simply a matter of certification criteria, there are literally dozens of information systems included as part of a “designated record set” that fall outside the purview of Meaningful Use. I would urge the Tiger Team to recommend to HHS that further work be done to develop more practical ways to ensure patients’ data rights are protected.

  15. Tina Grande says:

    To Whom It May Concern:

    This resource published by the Journal of the American Medical Association in August provides valuable insights about patient preferences regarding disclosures that should be considered.

    Grande D, Mitra N, Shah A, Wan F, Asch DA. Public Preferences About Secondary Uses of Electronic Health Information. JAMA Intern Med. 2013.
    http://archinte.jamanetwork.com/article.aspx?articleid=1729534

    Thank you,

    Tina Olson Grande
    Sr. Vice President, Policy
    Healthcare Leadership Council on behalf of the Confidentiality Coalition
    750 9th Street, NW, Suite 500, Washington, DC 20001
    p 202.452.8700 | f 202.296.9561

  16. Russ Branzell says:

    October 21, 2013

    Devin McGraw, JD, MPH
    Chair, Privacy & Security Tiger Team
    Health IT Policy Committee
    Office of the National Coordinator for Health IT
    Department of Health and Human Services
    Submitted electronically at http://www.healthit.gov/buzz-blog/

    Re: Transparency and Implementation of HITECH Accounting of Disclosures

    Dear Ms. McGraw:

    The College of Healthcare Information Management Executives (CHIME) appreciates the opportunity to submit feedback regarding the implementation of HITECH Accounting of Disclosures requirements. This request for information was published through ONC’s Buzz Blog September 23, 2013.

    CHIME’s over 1,400 members represent chief information officers (CIOs) and other top information technology executives at hospitals and clinics across the nation. CHIME members have frontline experience in implementing the kinds of clinical and business IT systems needed to realize healthcare transformation. Healthcare CIOs share the vision of an e-enabled healthcare system as described by the many efforts underway at the Department of Health and Human Services.

    We wish to thank the Tiger Team for its diligence and for its efforts in working with other parts of HHS to find appropriate ways to bring transparency and bolster privacy to the delivery of healthcare. Before addressing the individual questions of the Tiger Team, we wish to make a few general points raised during deliberation by the nation’s healthcare CIOs and that have been echoed by other stakeholders. We greatly appreciate this opportunity and hope you find our comments helpful.

    Fragmentation and market solution maturity

    When considering the questions posed by the Tiger Team, a few common themes emerged. Of chief concern to many CIOs is that all audit logs are not created equal. Despite having common data elements recorded across different solutions, there are few, if any, standard ways to generate reports. Stemming from this issue is the complicated and costly task of aggregating audit logs from different systems into a singular report. The fragmentation inherent in much of the health information technology landscape is no different where access reports or release of information applications are concerned.

    Another point we wanted to highlight concerns the relative immaturity of solutions in this space. Both in form and in function, current market solutions do not capture information or do not display information in ways that would provide patients with greater transparency about the uses and disclosures of their digital, identifiable health information. Many solutions produce reports that require interpretation and specialized skill. Keeping aside the voluminous amount of data that could be generated through a single episode of care, audit log reports do not usually render information in a way that is helpful to patients.

    Likewise, current market solutions do not capture the purpose of access. We are concerned that were clinicians asked to answer a question of why they were accessing each record, it would create disruptions of immeasurable proportions. Imagine if your computer required a justification for every email you read and every document you opened. EHR usability already suffers from a bad reputation among clinicians.

    Lastly, we would like to note that very few of our membership have ever received a request for access or for an accounting of disclosures from patients. This is not to discount the right of patients to request information on how their personally identifiable health information is used, but merely to suggest that current processes, prescribed by HIPAA and conducted via notice of privacy practices, are sufficient. We do not believe there to be systemic abuse of PHI by the nation’s providers; therefore, we do not believe that industry-wide regulations need to correct a problem that can be addressed under current policy.

    Below we have responded to questions pertaining to Goals 2 through 4. We note that many patients and “consumer advocate” groups will levy thoughtful commentary to Goal 1: “what patients would like to know about uses, accesses, and disclosures.”

    Goal 2: Gain a greater understanding of the capabilities of currently available, affordable technology that could be leveraged to provide patients with greater transparency re: use, access, or disclosure of PHI.
    1. What capabilities are currently used to enable transparency regarding (or to track or monitor) each use, access, or disclosure of PHI? To whom (and for what purpose) is this information communicated?
    Most software today has the capability to generate audit logs. However, most of these systems produce individual streams of audit logs and produce individual reports with varying degrees of readability to the general public. You are then dealing with multiple audit logs, some looking quite technical.
    Some facilities also have release of information software that records disclosures that meet the current definition of disclosure we must account for.
    There are no systems, to the best of our knowledge, which have the ability to record the purpose for access.
    2. If you currently do not track each user that accesses a record internally along with the purpose of that access, what would it take to add that capability from a technical, operational/workflow, and cost perspective? What would it take to add that capability for external disclosures?
    EHRs can track accesses but not the purpose of the accesses. Adding this functionality would be costly and it would cripple the workflow of using EHRs. Each application in use today would need to add the ability to enter this information. For hospital staff taking care of patients each day, plus staff that don’t work at the bedside, but work with patient information, i.e. coders, billers, dieticians, IT staff, etc., the step of having to enter a purpose for access would be extremely time-consuming and unrealistic.

    Release of Information applications already have the ability to enter a reason for the disclosure, i.e. attorney request, insurance request, patient request, continuing care, etc. There may be some assumptions we could make electronically by matching the role and function

    3. Is there any “user role” or other vehicle that can be utilized to distinguish an access by an internal user from an external disclosure? Can it be determined, for example, that the user is a community physician who is not an employee of the healthcare organization (IDN or OHCA)? If not, what are the obstacles to adding this capability?
    There is wide variability among audit log software to capture “user role” information; most software does not explicitly support the concept of roles. To the degree that the information displayed in audit logs could be used to determine “user role,” we are suspect. Some technology can determine if the user is an employee, contractor or credentialed physician and their staff. However, employment status of a user is not relevant to their role. Many hospitals have employed and non-employed medical staff who have the same rights and roles in the care of the patient.

    Additionally, many EHR users serve in multiple capacities (multiple roles), and the system would not have an understanding of which role they are acting in for each access. For example a nurse could access one patient record because they are caring for them and another patient record because they are curious. The systems have no way to accurately judge the reason for the access.

    4. Does the technology have the capability to track access, use, or disclosure by vendor employees, like systems’ administrators, (for example, who may need to occasionally access data in native mode to perform maintenance functions)? Do you currently deploy this capability and if so, how?
    We are not aware of systems that have this capability at this time. If database administrators login through the application, audit logs could capture this. However, if they remotely access the database directly we cannot track access, use or disclosure.

    5. Are there certain uses, access, or disclosures within a healthcare entity that do not raise privacy concerns with patients? What are these uses and disclosures? Can the technology distinguish between these and others that might require transparency to patients?
    We believe the original definition of treatment, payment and operations appropriately defined those activities about which patients shouldn’t raise privacy concerns. However, we also believe there is no logical way that certain uses, accesses and disclosures can be identified as causing a privacy concern and that other uses, accesses and disclosures do not. No one should be accessing the information without the need for it but, once obtained, information can be used inappropriately regardless of what the original purpose of the access was.

    This is primarily a concern best managed through clear policy constructs and controls, not technology.

    6. Do you have the capability to generate reports of access to, uses of, and disclosures from, a medical record?
    Yes, we can generate audit logs from various systems in the hospital and disclosures from our release of information software. However this capability varies by system – ambulatory, OB, anesthesia and acute EHRs generally have different reporting capabilities. Our information system can generate access reports to show who accessed a patient record. We cannot track the purpose of an access.
    How frequently are the reports generated, and what do they look like?
    The frequency of reports generated varies by facility. Some members’ Compliance Office runs a report once a month to proactively audit a sample of users accessing records of patients with the same last name, access after 90 days of discharge, and access to VIP records. Other members only run reports if there is a business reason to run a report such as a patient complaint or other business reason.

    Some audit logs can be modified to display different data, but other logs cannot be modified and are difficult to understand. And generally, the reports are highly technical and not understandable by anyone other than one of our EHR analysts who must interpret it.

    How granular are these reports? Are they detailed by aggregate data categories, individual type of data, or individual data element, or in some other way?
    Most reports are extremely granular; many reports list the patient, the user, the application the user was in, and the length of time the user was in the application. However this information is rarely displayed in a manner that is easily intertwined among different systems. And while every touch point – function or screen – is usually captured, the reports are not to the data element level.

    Can they be generated automatically, or do you use manual processes?
    Reports are usually generated with both automated and manual processes.
    Do you integrate reports across multiple systems?
    Generally, no, each system produces separate reports that are not integrated. Some members have limited capability to integrate EHR systems with ADT systems, for example. Even at this level, however, the ability to combine reports is costly.

    What is the look-back period?
    Look back periods vary from 90-days to three years. The capability to look-back varies by system and module.

    Goal 3: Gain a greater understanding of how record access transparency technologies are currently being deployed by health care providers, health plans, and their business associates (for example, HIEs).
    1. How do you respond today to patients who have questions or concerns about record use/access/disclosure? What types of tools/processes would help you improve your ability to meet patient needs for transparency regarding record use/access/disclosure? Have you ever received a request from a patient (or subscriber) that requested a list of every employee who had access to PHI? To date, it has been the experience of our members that requests are of a legal nature, stemming from lawyers, not from patients. And rarely, if ever, have our members received a request from a patient for a list of every employee who had access to personal health information.

    To improve transparency, highly uniform national standards for the retention and export of use/access/retention data that allowed simple data consolidation would be required of all systems.
    2. What types of record use/access/disclosure transparency or tracking technologies are you deploying now and how are you using them? There exists a spectrum of technologies available to generate audit logs for access and Release of Information software for disclosures. They can vary from “nothing” to “elegant” depending on the system. Separate products are available that extract, analyze, store and report on the EHR usage logs.

    However, the cost to attempt integration to other systems with these tools can be prohibitive for some systems, and not possible for others.

    3. For transparency, what do you currently provide to patients regarding use/access and disclosure, and do you see any need to change your current approach?
    Most members believe there is no need to change their current approach, which is usually defined in notice of privacy practices. Some members would not provide the patient the actual audit log nor would they presentably accommodate a request to produce all accesses. Very few, if any, members have ever received a request for an access report or accounting of disclosure from patients. If there are privacy complaints levied by patients, member facilities will conduct an internal investigation and verbally communicate back to the patient about findings – usually they are accusing a specific person of accessing their information, not asking about everyone that might have accessed their information.
    4. Do you have any mechanisms by which patients can request limits on access? For example, if a patient had concerns about the possibility that a neighbor employed by the facility might access his/her record, is there a way for this to be flagged? No. Most members do not have this functionality in either certified EHR systems or other clinical systems. They cannot block a record per user in any system. Our abilities to block are limited to settings approximating the role of the user. For example, confidential patients can be hidden from front desk and switchboard staff, but not from clinical staff. Our members are concerned the ability to allow patients to exclude specified users from access could impose unacceptable constraints on our ability to care for the patient and manage our operations efficiently.

    Goal 4: Gain a greater understanding of other issues raised as part of the initial proposed rule to implement HITECH changes.
    1. Regarding access reports, what information do you collect besides the basic information collected in an audit log? This information varies by the system being accessed. Generally, most members collect user, device the user was on, patient, time and function/module accessed.

    2. What would be involved in obtaining access information from business associates? Do current business associate agreements provide for timely reporting of accesses to you or would these agreements need to be renegotiated? We believe it would be incredibly difficult for BAs to provide an accounting of all access and use for all the same reasons it is difficult for member facilities to explain the logs to patients. Some members have instituted Business Associate Agreement rights to ask for an investigation regarding a specific complaint. Current BAAs do not require them to maintain detailed audit logs for any and all reasons. And most members do not have direct requirements that business associates maintain such access logs, thus they have no knowledge if the capability even exists to report from.

    3. What issues, if any, are raised by the NPRM requirement to disclose the names of individuals who have accessed/received copies of a patient’s PHI (either as part of a report of access/disclosures or in response to a question about whether a specific person has accessed)? What are the pros and cons of this approach? Firstly, CHIME has significant concerns with releasing names of employees that have accessed a patient’s record to the patient. There are examples where patients have inappropriately used HIPAA as a tool to retaliate against an employee for a personal situation that is occurring outside of the health care arena. We also have needs in some areas to protect staff from stalking and/or threats by patients, such that name badges do not include full names, and may not show real names.

    Members have found it significantly more prudent to question the patients about the concern they have about a specific employee accessing their record and then investigate the complaint instead of just handing an access report to the patient.

    Secondly, when a patient is an inpatient in a hospital, there are many different individuals involved in their care, plus many individuals that must use the information post-discharge for coding, billing, performance improvement, peer review, etc. Patients will require an explanation regarding each name on the list, even if the log can display their department and job title.

    4. How do you think current mechanisms to allow patients to file a complaint and request an investigation regarding possible inappropriate uses or disclosures are working? Could they be enhanced and be used in lieu of, or in addition to receiving a report? Members believe the mechanisms and regulations currently in place are sufficient. Complaints are taken seriously and investigated thoroughly.

    We believe patients would be overwhelmed if an access report was handed to them. It would not be uncommon for more than 80 staff members to access a patient record during a typical in-patient stay. Most patients don’t understand the number of tasks that have to be completed on a record throughout the patient’s stay and afterward so they would not anticipate that number of accesses nor be able to determine if an access was appropriate or not. Careful questioning of the patient about their complaint and thorough investigation by the provider is adequate to deal with these inquiries.

    Should entities be required to do such an investigation – if so, what should be the scope?
    Yes, we believe providers should be required to investigate a complaint, but the scope should not be overly prescriptive. System capabilities often will define how wide an investigation can be; to be too specific in how wide the scope should be may not be possible since all information systems cannot provide the same level of tracking. And for more advanced systems there should be some consideration of incident specificity, within a certain timeframe, to avoid “fishing scenarios,” from patients without probable cause.
    Should entities still be required to produce a report if the patient wants one? CHIME does not believe entities should be required to produce a report for the numerous reasons explained previously. However, providers should be required to share the outcome of their investigation, with current regulatory recourse.

    What recourse does the patient have if he/she is not satisfied with the response? Patients should utilize the recourses afforded to them under HIPAA and or take legal action if they felt they suffered some damages from an alleged inappropriate access, use or disclosure.

    What options do entities have if patients’ transparency requests cannot be honored? A closed meeting with the patient could be advised to review and explain the audit logs, but not let them leave with it. Many member investigations include an interview with employees and their co-workers on word of mouth and paper based breaches as well as electronic breach. We caution policymakers to not misplace their focus on electronic logs when so many breaches occur via other means.

    We hope these comments are helpful. If there are any questions about our comments or more information is needed, please contact Sharon Canner at scanner@cio-chime.org or (703) 562-8834. CHIME looks forward to a continuing dialogue with the Centers for Medicare & Medicaid Services, the Agency for Healthcare Research and Quality, and other stakeholders within and outside of the Department of Health and Human Services on this and other important matters.

    Sincerely,

    Russell P. Branzell
    President & CEO
    CHIME

  17. NCHICA (The North Carolina Healthcare Information and Communications Alliance, Inc.) prepared and submitted comments on the previously proposed, but never finalized, rule making from the HHS Office for Civil Rights related to accounting of disclosures. We hope this posting of that work will be helpful in informing the Tiger Team of the various perspectives we brought together for the document enclosed below.

    Submitted via Federal eRulemaking Portal
    July 28, 2011

    U.S. Department of Health and Human Services
    Office for Civil Rights
    Attention: HIPAA Privacy Rule Accounting of Disclosures
    Hubert H. Humphrey Building
    Room 509 F
    200 Independence Avenue, SW
    Washington, DC 20201

    RE: Response to “HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act; Proposed Rule,” hereinafter “NPRM” (RIN 0991-AB62).

    Dear Secretary Sebelius:

    The North Carolina Healthcare Information and Communications Alliance, Inc. (NCHICA) is a nationally-recognized, nonprofit consortium that serves as an open, effective, and neutral forum for health information technology (HIT) and policy initiatives that improve health and care. NCHICA is comprised of over 240 member organizations representing the many sectors of the healthcare industry, including covered entities (CEs), as well as government agencies, business associates (BAs), research organizations, application vendors, consultants, and attorneys.

    NCHICA’s role in advancing healthcare technology through the protection of individuals’ privacy and security of individual data with supportive policies has been well established. NCHICA was actively involved in analyzing and providing support to its members regarding compliance with the provisions of the HIPAA Privacy Rule, which became effective in 2003. NCHICA’s comments on this Notice of Proposed Rulemaking (NPRM) are the result of a collaborative effort from NCHICA’s various and diverse member organizations, which have considerable combined expertise in the various aspects of the HIPAA Privacy and Security Rules.

    NCHICA’S COMMENTS ON THE NPRM
    NCHICA commends the Department of Health and Human Services (the Department) on the intent behind these proposed implementing regulations, which are required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). We appreciate that the NPRM is designed to provide increased transparency to patients by permitting them to access greater information about how their health care information is used for purposes of treatment, payment and health care operations and supporting an accountable health and care system.

    Having said that, it is NCHICA’s view that the proposed modifications to the Accounting of Disclosures, and in particular the NPRM’s addition of a newly created right to an Access Report, go well beyond HIPAA’s intent and do not materially add to HIPAA’s already strong protections for protected health information (PHI). Our suggestions for clarification to the NPRM follow in the order in which the topics are discussed in the NPRM.

    As follows, in response to the Department’s request for comment to the NPRM, NCHICA is providing comment on the following topics:
    1. The revised right to an Accounting of Disclosures;

    2. The new right to an Access Report
    a. The need for a definition of “access”;
    b. The significant operational and technical burdens the new right to an Access Report would impose;
    c. The difficulties of providing an “understandable” Access Report from currently-available audit or access logs;
    d. The likely increase in complaints to OCR that result in a finding of no violation or cases not eligible for enforcement;
    e. The infringement on privacy interests of employees and the potential misuse of Access Report information;
    f. The exclusion of Patient Safety Work Product and other restrictions on Access Report information;
    g. Issues related to timely response to requests for Access Reports and the effective date of the new right; and

    3. Changes to Notices of Privacy Practices.
    NCHICA believes that clarifications in these areas will better enable CEs and BAs to comply with HIPAA while maximizing the protections afforded to PHI and minimizing unintended consequences that restrict the necessary flow of electronic information.

    ACCOUNTING OF DISCLOSURES UNDER REVISED 45 CFR § 164.528(a)
    NCHICA appreciates the Department’s efforts to clarify a number of the previous revisions to the Accounting of Disclosures standard. NCHICA commends the Department for modifying the standard from one of exclusion to one where the disclosures for which an accounting is required are explicitly listed. This modification will resolve much of the confusion CEs experienced under the existing Privacy Rule. We further commend the Department for proposing that a CE may provide an individual with an accounting specific to that individual’s request, thereby permitting CEs greater flexibility to narrow the information to be included in the accounting on a specific time period, type of disclosure, or recipient. We further appreciate the changes to 45 CFR 164.528(a)(2) permitting a CE to include in the accounting the name of the entity, instead of the name of the individual recipient of a disclosure, in order to prevent a new HIPAA violation where identification of the entity or person would constitute an impermissible disclosure of PHI about another individual. Further, during our consideration of the NPRM our members raised concerns of personal safety if specific individuals involved in a person’s care or subsequent payment or operations were identified.

    We recommend several further clarifications to the standard for accounting to ensure that an Accounting of Disclosures will not be misused in specific situations. For example, we recommend that the Department clarify that information about both elder abuse, subject to increased reporting requirements under the Elder Justice Act of the Patient Protection and Affordable Care Act (P-PACA) of 2010, and domestic abuse be treated like information about child abuse and therefore excluded from an accounting. This should include preventing a personal representative from obtaining such information where appropriate and necessary to protect the individual who has been abused. This clarification could be added as a new subsection 45 CFR § 164.528(a)(3)(v), providing that,

    RECOMMENDATION:
    “The covered entity is not required to provide an accounting to a personal representative, family member, or guardian of an individual where abuse is reasonably suspected or such accounting is otherwise not in the best interest of the individual.”

    We agree with the decision to no longer include research disclosures in the accounting for disclosures. 

    RIGHT TO AN ACCESS REPORT UNDER REVISED 45 CFR § 164.528(b)

    OVERVIEW
    NCHICA has significant concerns about certain aspects of the Department’s creation of a right to an Access Report, at least as that new right is established in the NPRM. NCHICA and its members appreciate and support individuals’ rights associated with health information and recognize the harm caused by inappropriate access to PHI by authorized and unauthorized users alike. NCHICA believes, however, that the right to an Access Report as detailed in the NPRM is burdensome, not based in statutory authority, and would be largely inadequate to correct the problem of inappropriate or improper access. We implore the Department to reassess the NPRM’s Access Report provisions in light of the Security Rule’s repeated emphasis on the need for “flexibility of approach” in addressing the requirements of HIPAA. See 45 CFR § 164.306(b)(1) which states that “Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.” (emphasis added). In contrast to the approach set forth in the Security Rule, where CEs were expressly required to balance factors such as cost, probability and criticality of the risks, and size of the organization in determining how they would comply with the law’s requirements, the NPRM offers little to no flexibility on the manner in which a CE would be required to log and produce reports of access in response to an individual’s request.

    We also are concerned about the Department’s assumption that the historical low volume of patients’ requests for Accountings of Disclosures likely equates to a future low volume of patient requests for Access Reports. We believe that most patients have not exercised their right to request an accounting in large part due either to: (i) a lack of understanding of the benefits of an accounting; or (ii) the fact that no private right of action exists under HIPAA, so attorneys have not prompted their clients to obtain this information. In contrast, we believe that concerns about unauthorized access to PHI are rising, and that providing such a broad Access Report to individuals will have the unintended consequences of increasing unsubstantiated allegations of improper access, which in turn will subject employees and contractors performing legitimate services to unnecessary identification and scrutiny, and will waste valuable CE and BA resources. For the most part, we do not believe the mere provision to an individual of an Access Report, without the commitment of substantial additional (and currently unfunded) resources to provide interpretation or explanation to the individual about the contents of the report, will target inappropriate access or provide the benefit to individuals that the Department appears to be seeking to address in this section of the NPRM. With this in mind, we implore the Department to revisit this new right and craft an appropriate mechanism to address the Department’s concerns without the many failings and risks of the proposed approach.

    Some concerns raised by our members would be mitigated by more clearly addressing the scope of records and systems to which the new right to an Access Report will apply. For example, there are certain procedures, such as a colonoscopy or an echocardiogram, for which certain patient data is captured during the procedure but not maintained in its entirety for more than a total of two to three weeks. Such data from feeder sources can be best described as “not persistent;” therefore, it is not “maintained” by or for a CE, and accordingly this data traditionally has not been considered to be part of the “designated record set” or “designated record set information.”

    NCHICA recommends that the definition of the “designated record set” in 45 CFR § 164.501 be clarified so that the “designated record set” specifically excludes records that are “not persistent” and is a subset of all data or information created by or on behalf of a CE. In any event, the “designated record set” should not include source data, such as, but not limited to, slides, films, and tracings that are not transferred to the Electronic Health Record (EHR).

    RECOMMENDATION:
    We request that the Department use clear and consistent terms or phrases in any final rule and not mix similar, but actually distinct, terms like “designated record set” with “designated record set information” or “designated record set system”, which have not been further defined in the NPRM.

    We address specific concerns raised by our members about the NPRM’s new right to Access Reports in the following pages.

    THE NEED FOR A DEFINITION OF “ACCESS”

    We believe that CEs require more guidance on what OCR considers “access” for purposes of the “Access Report.” We understand that “access” includes certain “action by the user” of an EHR, such as “create”, “modify”, “access” or “delete.” In some situations, however, what constitutes “access” is not clear. Many times, information that is “viewed” in an EHR is not in fact viewed but, rather, returned in response to a query of appointments, for example. We are concerned that all records returned in response to such a query could be construed as having been accessed and therefore would need to be logged in all such individuals’ records. For instance, entering “John Doe” into the search box of an EMR might return several hundred entries but would only display the demographics necessary to more positively identify the particular “John Doe” being sought. These entries would seem to be of no value to an individual requesting an Access Report and are currently not logged in many EHRs. To reduce unnecessary information collection and the burden on CEs, we recommend that the Department add a risk-based assessment of access to 45 CFR 164.528(b)(2). A suitable example of regulatory text permitting a risk-based assessment is already found in 45 CFR 164.306(b)(i) – (iv), which includes taking into account factors that include the “probability and criticality of potential risks to electronic protected health information” in a CE’s decision of which security measures to use.

    We recommend that the Department add a section like 45 CFR 164.306(b)(2)(i) – (iv) to read as follows:

    RECOMMENDATION:
    45 CFR 164.528(b)(5)
    Flexibility of approach. In deciding the format and information to use to collect access information, a covered entity must take into account the following factors:
    (i) The size, complexity, and capabilities of the covered entity.
    (ii) The covered entity’s technical infrastructure, hardware, and software capabilities.
    (iii) The costs of access logging and collection measures.
    (iv) The benefit of additional access information related to electronic protected health information versus the cost of logging, storing, and translating such access information into an Access Report as required under this subpart.

    The definition of access also needs to be refined to exclude data aggregation services and other “back office” operations (e.g. IT operations, system maintenance, and database backups). These activities are performed outside of the clinical applications, and the “activity review” does not record access by the name of the individual whose data is viewed, but rather by the name of the person accessing the data. This lack of tie back to the individual who is the subject of the data makes tracking this type of “access” on a per patient or per individual basis practically impossible with currently available systems.

    SIGNIFICANT OPERATIONAL AND TECHNICAL BURDENS ARE CREATED BY GENERATING AN ACCESS REPORT

    We are concerned that OCR is under the impression that the generation of an Access Report from the currently available information systems logs or audit trails does not impose significant operational or technical burdens on CEs. Our members have very clearly indicated that the new requirement for an Access Report cannot be met through the push of a button. The “designated record set” exists in a multitude of systems within a single enterprise and in the systems of their BAs. Collection and aggregation of these multiple logs and BAs’ logs and then the further refining of the data to include the appropriate information in a single report in a common format will be time consuming and likely will require substantial manual manipulation. For example, the designated record set of many CEs consists of distinct feeder systems that generate audit logs in differing formats and containing different information. Many systems track according to user IDs instead of user name. Translating these differing formats and information into a single comprehensible Access Report will place a significant burden on many CEs and require upgrades to existing systems that will need to be provided by their vendors in most cases. As noted below, we believe most individuals would not understand or be able to interpret accurately a report based on the audit logs generated by information systems today.
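    To make concrete the aggregation problem described in this paragraph and the “access” definition question raised above, here is an added example that is not part of NCHICA’s submission: two constructed feeder-system logs in different formats (one keyed by user ID, one by username) are normalized, joined to a hypothetical identity directory, filtered to drop search-result listings and back-office jobs, and rendered as a per-patient report. Every log line, identifier and directory entry below is constructed for illustration.

```python
import csv
import io
import json
from datetime import datetime

# Constructed sample log from an "EHR" feeder system: CSV keyed by user ID.
# SEARCH_HIT rows are records merely listed in a lookup result, not opened.
EHR_LOG_CSV = """ts,user_id,patient_id,action,module
2011-07-01T08:02:11,u1042,P-77,VIEW,Nursing Notes
2011-07-01T08:05:40,u1042,P-77,MODIFY,Medication Admin
2011-07-01T09:15:03,u2201,P-77,SEARCH_HIT,Patient Lookup
2011-07-01T09:15:03,u2201,P-91,SEARCH_HIT,Patient Lookup
2011-07-01T09:16:10,u2201,P-77,VIEW,Demographics
"""

# Constructed sample log from a "lab" feeder system: JSON lines keyed by
# username, with its own timestamp format, field names and verbs.
LAB_LOG_JSONL = """\
{"when": "07/01/2011 10:30:00", "user": "jsmith", "mrn": "P-77", "op": "read", "screen": "Result Viewer"}
{"when": "07/01/2011 10:31:15", "user": "backup_svc", "mrn": null, "op": "export", "screen": "Nightly Backup"}
{"when": "07/01/2011 11:00:00", "user": "jsmith", "mrn": "P-91", "op": "read", "screen": "Result Viewer"}
"""

# Hypothetical identity directory mapping each system's identifier to a
# person and role; a real CE would source this from its directory service.
USER_DIRECTORY = {
    ("EHR", "u1042"): ("R. Nurse", "Registered Nurse"),
    ("EHR", "u2201"): ("A. Clerk", "Registration Clerk"),
    ("LAB", "jsmith"): ("J. Smith", "Lab Technologist"),
}

LAB_ACTIONS = {"read": "VIEW", "write": "MODIFY", "export": "BACKOFFICE"}
VERBS = {"VIEW": "viewed", "MODIFY": "modified", "SEARCH_HIT": "saw in search results"}


def parse_ehr(text):
    """Normalize the EHR CSV log; its timestamps are already ISO 8601."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.fromisoformat(row["ts"]),
            "system": "EHR",
            "user_ref": row["user_id"],
            "patient_id": row["patient_id"],
            "action": row["action"],
            "module": row["module"],
        })
    return events


def parse_lab(text):
    """Normalize the lab JSON-lines log into the same event shape."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "ts": datetime.strptime(rec["when"], "%m/%d/%Y %H:%M:%S"),
            "system": "LAB",
            "user_ref": rec["user"],
            "patient_id": rec["mrn"],  # None for back-office jobs: no patient tie-back
            "action": LAB_ACTIONS.get(rec["op"], "OTHER"),
            "module": rec["screen"],
        })
    return events


def build_access_report(events, patient_id, directory, include_search_hits=False):
    """Select one patient's events, drop listings unless asked for, resolve users."""
    rows = []
    for ev in events:
        if ev["patient_id"] != patient_id:
            continue  # also drops BACKOFFICE events, whose patient_id is None
        if ev["action"] == "SEARCH_HIT" and not include_search_hits:
            continue
        name, role = directory.get((ev["system"], ev["user_ref"]),
                                   (f"unresolved:{ev['user_ref']}", "unknown"))
        rows.append({**ev, "name": name, "role": role})
    rows.sort(key=lambda r: r["ts"])
    return rows


def describe(row):
    """Render one row as a sentence a patient could read."""
    verb = VERBS.get(row["action"], row["action"].lower())
    return f"{row['ts']:%Y-%m-%d %H:%M} {row['name']} ({row['role']}) {verb} {row['module']} [{row['system']}]"


def report_for(patient_id, include_search_hits=False):
    events = parse_ehr(EHR_LOG_CSV) + parse_lab(LAB_LOG_JSONL)
    return build_access_report(events, patient_id, USER_DIRECTORY, include_search_hits)


if __name__ == "__main__":
    for row in report_for("P-77"):
        print(describe(row))
```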

    The NPRM’s new Access Report requirements would impose tremendous technical burdens on CEs and BAs. These burdens include the generation of millions of log records to be stored, associated storage space, personnel to manage this system, query capability in multiple systems for a large volume of data to extract requested data for the reports, and ultimately having the ability to correlate the data to the audit logs in a meaningful, accurate, and manageable way.

    One example from within our membership is that the estimated resources and costs associated with one team developing a product to comply with the NPRM and its Access Report as 10,000 hours in development time, plus the cost of management, quality assurance, testing, software and hardware-related costs, installation, and implementation, which amounts to millions of dollars. Health information teams at CEs are currently upgrading to ICD-10 and implementing the requirements for “meaningful use”. These are significant enterprise endeavors, taking substantial resources, time, and commitment as teams work across disparate systems.

    RECOMMENDATION:
    We recommend that OCR consider minimizing the unintended consequences and burdens that likely will arise from the NPRM by realigning the proposal for the contents of an Access Report to conform to the requirements of “meaningful use” and thereby avoid creating an additional burden on covered entities.

    Some of our hospital members reported a total volume of audit logs in the range of 400 million to 3.2 billion records annually for a partial list of their designated record sets. One member reported a partial access listing averaged 170 accesses for outpatient visits and over 1800 accesses for a typical 6-day inpatient stay. These examples are an underestimate of those required under the NPRM’s Access Report. Maintaining logs containing the level of detail required by the NPRM will result in considerable storage costs. If the overall scope of an Access Report in the final rule is restricted, then some of the overhead and costs could be reduced.

    In addition to the changes that need to be made on a systems basis, CEs will need to revise their BA agreements to reflect these new requirements. For most CEs, this will be a time-consuming and costly process of drafting, negotiating, and executing agreements with numerous vendors. We recommend that OCR consolidate any changes needed to be made to BA agreements under this NPRM with other currently outstanding HITECH changes to the Privacy and Security Rule so that the costs and resources associated with changing the BA agreements can be reduced.

    In summary, our members have expressed significant concerns because the logging capabilities of currently available EHRs are less robust and standardized than the Department assumes. A significant shortfall of the NPRM is the Department’s overly optimistic estimate of current access log capabilities, and that access information logged in the current state likely will address patients’ expectations of receiving meaningful information about who accessed their PHI and why.

    INDIVIDUALS WILL NOT UNDERSTAND THE LOGS THAT ARE CURRENTLY GENERATED BY EHRS, AND TRANSLATING OR RENDERING THESE LOGS “UNDERSTANDABLE” WILL REQUIRE SUBSTANTIAL TIME, STAFF EFFORT, AND RESOURCES

    As we have previously stated, the information generated by currently available audit controls and access logs is not typically in a format that a person unfamiliar with information technology would understand. Converting the logged information into a usable and understandable “Access Report” as currently described in the NPRM will take significant time, effort, and resources. In addition, once produced, the Access Reports are likely to raise many more questions than the answers they provide. Patients likely will not understand the logs and will have numerous questions about information contained in them; the need to respond to this increase in patient questions will likely create significant customer services concerns for covered entities. We believe without question that the typical individual is unaware of the number of employees that routinely access that individual’s information in the course of treatment, payment, and heath care operations, let alone other legitimate uses or disclosures of PHI.  

    CONCERNS ABOUT THE LIKELY INCREASE IN UNSUBSTANTIATED COMPLAINTS TO OCR

    In addition to our concerns about the burden on CEs and lack of benefit to patients, our members are concerned that Access Reports will result in a substantial increase in complaints alleging violations of the Privacy and Security Rules, many of which may be founded on misinformation or mistaken impressions about the number of individuals who legitimately and typically have access to ePHI.

    We recognize that there is certain information that individuals would expect or want to see in an Access Report, but there is also other access information that is generated in the course of health care treatment, payment, and operations that would not be of interest to most, if not all, individuals. For example, a patient might be interested in whether a specific person has accessed his or her information, but not interested in the fact that many employees legitimately accessed the patient’s information to perform their job duties. However, due to increased attention being paid in the media to inappropriate access of PHI and other personal information, we are concerned that individuals may be reluctant to limit their Access Report requests to the specific individuals or time frames about which they are truly concerned, believing that a broader report will enable them to detect whether there has been any inappropriate access to their PHI. We do not believe that the Access Reports, as currently outlined in the NPRM, will permit individuals to easily make this determination.

    Moreover, patients generally do not understand that multiple users legitimately need to access their records, including accessing records multiple times, in the course of their job functions. Nor do individuals understand that for many legitimate and necessary purposes, CEs share information with BAs. Individual education on the meaning of the report content will require significant staff resources, yet the failure to provide such education most likely will result in a substantial increase in patient complaints to both CEs and OCR. OCR will have to investigate such complaints, which will require additional staff, time and resources. Unfortunately, such complaints will shift resources and staff away from other investigations. The end result is likely the inefficient use or waste of OCR’s and CEs’ resources when individuals file unsubstantiated complaints based on such individuals’ misunderstanding of the information contained in an Access Report.

    PRIVACY AND SAFETY INTERESTS OF EMPLOYEES AND POTENTIAL MISUSE OF ACCESS REPORT INFORMATION

    Our members have expressed concerns about the interests of the persons whose names will be listed in Access Reports. First, we have serious concerns that the Access Report as proposed may jeopardize the privacy interests of CE employees. Second, our members have raised concerns about how to protect the safety of employees or staff who work with particular patient populations. Third, we are concerned that in some instances Access Reports will be requested solely to investigate potential complaints or for the purpose of pursuing claims in litigation. We believe these concerns all require modification of the Access Report provisions of the NPRM to appropriately protect employees.

    We have concerns that the Access Report as described by the NPRM will provide significant information about employees of covered entities, thereby unnecessarily subjecting such employees to potential litigation and harassment by patients and counsel for patients. These Access Reports will give patients access to staff names and permit intrusive behavior. The NPRM places no controls on how Access Reports can be used by individuals; accordingly, we do not see how CEs will be able to prevent various types of behavior adverse to CE staff, ranging from harassment to fishing expeditions which may lead to litigation.

    When treating certain patient populations, there is a heightened need for instituting protections for treating practitioners and staff. For example, many of our members have indicated that full names of practitioners and staff typically are not available on name tags, directories, or in other locations in which certain patient populations, including mental health and emergency department patients, are treated. The risk of patients potentially harassing or causing harm to these practitioners and staff already has been determined to be high enough to outweigh any benefit to patients in identifying the full names of the employees. For the same reasons, many working with these populations have unlisted telephone numbers or other contact information. The Access Report requirements of the NPRM would remove these protections from individuals who provide these important services.

    In addition, the proposed requirement that Access Reports name individual employees who accessed information likely will increase the number of patient concerns about access in other common workforce situations. These include situations where a patient’s neighbor is an employee or practitioner on a care team or where employees are patients. In these situations, we are concerned that an Access Report will permit individuals to subject many employees or practitioners who are simply performing their usual job functions to additional employment scrutiny and investigation.

    We believe that a request for an Access Report is most likely to be made where an individual either has received a breach notification or some other indication that his or her information has been inappropriately accessed. In general, it is believed that patients are not interested in who created, modified, accessed, printed or deleted their information. We also believe that Access Reports may be requested frequently in an effort to develop private claims, complaints, or lawsuits based on allegations of wrongful access (or improper trade practices). Our members are concerned that under the NPRM, individuals will have a list of all employees who accessed information which they may use for any purpose, legitimate or otherwise. Plaintiffs’ counsel and defense counsel likely will request these types of reports, and each employee named in an Access Report in their role as a member of the CE’s workforce will be vulnerable to being contacted in litigation.

    We are also concerned that personal concerns of employees regarding access logs may cause them to avoid accessing a record due to a fear of being targeted by a “difficult patient.” This unintended consequence could lead to medical errors and worse outcomes.

    EXCLUSION OF PATIENT SAFETY WORK PRODUCT AND OTHER LIMITATIONS ON ACCESS REPORT INFORMATION IN THE NPRM

    NCHICA commends the Department on recognizing the importance of protecting Patient Safety Work Product (“PSWP”) as defined by the Patient Safety and Quality Improvement Act of 2005 and associated regulations in 45 CFR § 164.528(c), and otherwise providing some limitation on Access Report information in the NPRM. We believe that it is both necessary and appropriate to protect PSWP, including its exclusion from Access Reports. The feasibility of excluding any particular source of information or information system from the Access Report, as broadly described and implemented in this NPRM, however, seems difficult, if not impossible.

    ISSUES RELATED TO RESPONSE TIME AND EFFECTIVE DATE

    We have significant concerns about the ability of any CE to generate the type of report envisioned and seemingly required by this NPRM within thirty (30) days of receiving a request for such an Access Report. We believe that a compliant response, including the time to gather, consolidate and create a single report in a complex environment and potentially involving BAs, will take on average 45 to 60 days.
    With this in mind, we suggest that 45 CFR § 164.528(b)(3)(i) be revised to read:

    RECOMMENDATION:
    45 CFR § 164.528(b)(3)(i)
    “The covered entity must act on the individual’s request for an Access Report no later than 60 days after receipt of such a request.”

    RECOMMENDATION:
    To the extent that the Department retains the newly created right to an Access Report, we recommend that the Department delay the effective date of any right to an Access Report until the widespread implementation of EHR systems that are compliant with the staged requirements of Meaningful Use. Such a delay would permit currently available EHR systems to be modified to address compliance with this newly created right and will enable implementation of the right in a manner that better serves both individuals and CEs.

    CONFORMING CHANGES TO NOTICE OF PRIVACY PRACTICES UNDER REVISED 45 CFR § 164.520

    The NPRM obligates CEs to amend further their Notice of Privacy Practices (NPP) to conform to changes to the Accounting of Disclosures standard and to address individual’s new right to an Access Report. NCHICA supports the need for clear communication regarding individual rights in health information privacy and security. Given that additional changes to NPPs have been proposed by the Department but have not yet been finalized, NCHICA recommends that the Department set a reasonable effective date for CEs to revise their NPPs to address all necessary changes to be made arising from this NPRM and the NPRMs published in 2009 and 2010 associated with breach notification and other changes to the Privacy and Security Rules specified in the HITECH Act.

    As we have stated in comments we filed with the Department regarding the July 14, 2010 HITECH Act NPRM, the costs and time associated with revising and redistributing the NPP of a CE in either paper or poster form can be significant whether the CE is a health plan or a provider, although admittedly the scale may differ. In previous NPP revisions, our members have incurred significant costs and expenses per draft revision that the Department identifies in the NPRM’s Regulatory Flexibility Analysis, and therefore we believe that the costs of these revisions will substantially exceed the $20.2 million figure estimated. Not only does the NPP revision process require staff time and effort in both creation and distribution of the NPP, it also frequently leads to additional costs, such as legal review, publication, formatting, and other professional services.

    RECOMMENDATION:
    Given the process involved in revising NPPs, NCHICA requests that the Department consider a process that will avoid the time, effort, and cost of revising NPPs multiple times.

    SUMMARY

    NCHICA appreciates that the Department issued this NPRM to implement the provisions on accounting of disclosures set forth in the HITECH Act. While NCHICA agrees that provisions of the Privacy and Security Rules must be revised to achieve the goals of the HITECH Act, NCHICA urges the Department to revise the rules on Access Reports contained in this NPRM to avoid unintended consequences, including confusing individuals by providing lengthy reports containing a large quantity of irrelevant information and overburdening CEs and their BAs beyond the requirements of law.

    The member organizations of NCHICA include CEs and BAs, research entities, and aggregators of health data, as well as other entities that support them every day. Our member organizations recognize that inappropriate access to PHI is a significant concern and we all are committed to the goal of an accountable health and care system that protects individual privacy and engenders consumer confidence. However, NCHICA is very concerned that the Department’s creation of a new right to an Access Report, not based in any existing statutory or regulatory authority, likely will have unintended and unanticipated consequences that may negatively affect treatment, payment, and health care operations and other necessary activities of CEs and their BAs.

    NCHICA recommends that the Department reconsider whether the new right to Access Reports is in the best interests of patients, CEs and BAs alike and, should the Department determine to retain this new right, NCHICA believes it is imperative that the Department revise these proposed rules as noted herein before issuing final regulations.

    Respectfully submitted,

    W. Holt Anderson, Executive Director
    John M. Jenkins, President 2010-2011
    William D. Mattern, MD, Chairman of the Board

  18. Kel Callahan says:

    Devin McGraw, JD, MPH
    Chair, Privacy & Security Tiger Team
    Health IT Policy Committee
    Office of the National Coordinator for Health IT (ONC)
    Department of Health and Human Services

    October 25, 2013

    Topic: Transparency and Implementation of HITECH Accounting of Disclosures

    Dear Ms. McGraw:

    The management of HIPAAT appreciates the opportunity to respond to the request for public comments on the topic of implementing an Accounting of Disclosures for healthcare consumers. Some of the members of this Tiger Team will already be aware that we have made contributions to several ONC initiatives in recent years.

    2012-2013 S&I Framework: Data Segmentation for Privacy (DS4P): VA-SAMHSA Pilot
    2010 HITPC P&S Tiger Team: Consumer Choice Technology Hearing Panelist
    2008-2009 HISPC III Use Cases: Consent 1 (Data Elements) & Consent 2 (Policy Options)
    2007-2009 HITSP: Security, Privacy & Infrastructure Technical Committee
    2008 NHIN II Forum 5: Consumer Access to Clinical Information Use Case

    In keeping with our patient-centric focus, we offer our own comments – and pointers to the work of others – for some of the thoughtful questions this Tiger Team has posed.

    Goal 1: (Q1 & Q2)
    What are the reasons patients may want to learn who/what entities have used, accessed or received their PHI as a disclosure? What are the reasons they might want to know about internal uses or accesses? What information would patients want to know about such use, access, or disclosure? For example, is it important to know the purpose of each, or the name or role of the individual involved?

    Answer:
    A very recent study published by the Journal of American Medical Informatics Association concluded, “that most US adults are concerned about the security and privacy of their PHI, and such concerns are associated with an increased likelihood of non-disclosure of sensitive information to a healthcare professional. This underscores the need for intensified efforts to ensure the confidentiality, integrity, and availability of patients’ PHI in order to foster trustful patient–physician interactions.”
    Source: http://jamia.bmj.com/content/early/2013/08/23/amiajnl-2013-002079.abstract

    Goal 1: (Q5)
    If patients have a concern about possible inappropriate access to or disclosure of their health information, what options currently are available to address this concern? What options should be developed for addressing or alleviating that concern?

    Answer:
    This question rightly distinguishes between a security construct, where access is determined by the role of the system’s user, and a privacy construct, where access may be permitted by a user’s role but still be completely inappropriate. Consent management has been recognized by leaders in the industry as the technology which best supports the healthcare consumer for their privacy needs.

    Gartner Research defines consent management as, “a system, process or set of policies for allowing consumers and patients to determine what health information they are willing to permit their various care providers to access. It enables patients and consumers to affirm their participation in e-health initiatives (patient portal, personal health record or health information exchange) and to establish privacy preferences to determine who will have access to their protected health information (PHI), for what purpose and under what circumstances. Consent management supports the dynamic creation, management and enforcement of consumer, organizational and jurisdictional privacy directives.”

    After consent management technology was first publicly demonstrated in Washington, DC, for the ONC initiative called the Nationwide Health Information Network (NHIN II) Trial Implementations (Forum 5) in 2008, Gartner Research began formally tracking this form of technology with its Hype Cycle for Healthcare Provider Technologies and Standards in 2009. Consent management technology was again demonstrated to the ONC through this Tiger Team by HIPAAT, the Department of Veterans Affairs (VA) and others for its Consumer Choice Technology Hearing in 2010. Indeed, consent management technology was used to support the ONC’s Standards and Interoperability Framework’s Data Segmentation for Privacy (DS4P) VA-SAMHSA Pilot demonstrations at the Health Level Seven (HL7) conference in 2012, and the Health Information and Management Systems Society (HIMSS) conference in 2013.

    The standards that support a well designed electronic consent management system are well exercised and mature. These standards come from internationally recognized bodies such as Health Level Seven (HL7), Integrating the Healthcare Enterprise (IHE) and the Organization for the Advancement of Structured Information Standards (OASIS), and are in version 2 or higher.

    Aside from the numerous electronic health information exchange (HIE) technology platforms that exist today in the marketplace whose platforms have included a consent management module for years, standalone consent management service vendors exist in the marketplace as well. Utilizing standards known well to this industry (and others), electronic medical record (EMR) vendors can interoperate with each other, and/or consent management services, through application programming interfaces (APIs) currently available in the marketplace.

    Goal 2: (Q6)
    Do you have the capability to generate reports of access to, uses of, and disclosures from, a medical record? How frequently are the reports generated, and what do they look like? How granular are these reports? Are they detailed by aggregate data categories, individual type of data, or individual data element, or in some other way? Can they be generated automatically, or do you use manual processes? Do you integrate reports across multiple systems?

    Answer:
    Yes, by using the standard that the Health Information Standards Panel (HITSP) Security, Privacy & Infrastructure Technical Committee recommended in the form of the Collect and Communicate Security Audit Trail Transaction (T15), in 2009. At the core of this HITSP transaction “released for implementation” is the IHE Audit Trail and Node Authentication (ATNA) profile.

    As a matter of background, HITSP was formed as a volunteer-driven, consensus-based organization funded by the Department of Health and Human Services (DHHS) to harmonize and integrate diverse standards to meet clinical and business needs for the sharing of information among organizations and systems in 2005. Volunteers included such stakeholders as employers, government agencies, patients, payers, physicians and members from the vendor community.

    The HITSP T15, Section 2.1 Context Overview, refers to IHE ATNA and specifies that, “the format and content of audit reports are subject to local implementation policy and set by the organizations, guided by the ASTM E2147 standard.” This standard is the, “standard specification for audit and disclosure logs for use in health information systems.”

    An IHE ATNA compliant audit repository is a good means to generate a detailed report of disclosures. For example, there are data fields described in the ATNA profile to record disclosure date, time, user/recipient ID (name, number) and Patient ID (name, number). Additional information, such as Description of Disclosure (e.g. reason for disclosure), may be recorded in an optional field. All of these fields are available to support an accounting of disclosures for a patient.

    First exercised and supported by a relatively small number of vendors at the HIMSS IHE Interoperability Showcase in 2005, IHE now lists over 60 vendors who support the ATNA profile. That said, not all EMR vendor systems are able to distinctly record disclosures. As such, we suggest the simplest first step to electronically record disclosures is for users to leverage an online web tool to manually do so. With manual recording of disclosures, users may record important details such as method of disclosure (e.g. fax, voicemail, verbal ‘in person’) as well as details of the PHI disclosed.

    Using an electronic manual disclosure tool, disclosure attributes may be recorded in IHE-ATNA format and stored in an ATNA-compliant repository. Manual disclosure logs will later supplement disclosures that are recorded automatically, when EHR systems mature in this area. This fits well with IHE ATNA, as this profile encourages centralized auditing and lends itself to a comprehensive accounting of disclosures.

    Over time, EMR vendors may choose to leverage HITSP’s extensive work on their Access Control Transaction Package (HITSP TP20) to assist in automating Disclosure reporting and add value to the disclosure report. As specified in Section 2.1.2: Interface Interactions, PHI Disclosure requests can be required to include the Purpose of Use (i.e. reason for disclosure). Accordingly, the “description of disclosure” of Treatment, Payment and Healthcare Operations (TPO) may be automatically recorded, providing the required additional detail for the patient report.

    Increased adoption of the IHE ATNA profile will lead to a reduction in administrative burden as the act of mining various proprietary audit logs in order to assemble a report for the patient becomes unnecessary. Thus, organizations whose systems comply with the ATNA profile are able to have a centralized repository of real-time audit logs from which to generate a comprehensive report of disclosures.

    Available in the marketplace today are IHE ATNA compliant repositories that allow reports to be scheduled at any frequency, and customizable for content. The profile itself contains over 30 discrete items that can be queried. As to production hardening, we know of at least one instance that receives 1,000,000 audit messages sent to its repository per day from five (5) different source systems.

    Goal 3: (Q4)
    Do you have any mechanisms by which patients can request limits on access? For example, if a patient had concerns about the possibility that a neighbor employed by the facility might access his/her record, is there a way for this to be flagged?

    Answer:
    Yes, this is a classic use case and one that is facilitated by a standards-based consent management system supported by a standards-based centralized audit repository. Such electronic systems were demonstrated to this Tiger Team for its Consumer Choice Technology Hearing.

    [PDF] https://lists.oasis-open.org/archives/pmrm/201105/pdf00001.pdf
    [Movie] http://nmr.rampard.com/hit/20100629/session4.asx

    As to production hardening, such a system is live with a healthcare information exchange serving a population of 5.5 million, and being deployed to serve as a consent registry for a jurisdiction with a population of 13 million.

    Sincerely,

    Kel Callahan
    President & COO
    HIPAAT International Inc.
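
The comment above says an ATNA-compliant repository carries the fields an accounting of disclosures needs (date and time, user and recipient ID, patient ID, an optional purpose) and that centralizing audit events removes the need to mine proprietary logs. The block below is an added example, not code from HIPAAT, IHE or HITSP, showing what turning such events into a patient-facing report looks like: it parses constructed audit messages written in the RFC 3881 / DICOM AuditMessage shape that ATNA transports, keeps only events for one patient, separates exports (disclosures) from in-system reads (internal uses), and prints “not recorded” where no purpose of use was captured. The DICOM event codes 110106 “Export” and 110110 “Patient Record”, the `PurposeOfUse` element under `EventIdentification`, and the RFC 3881 object codes (type 1 = person, role 1 = patient) are used as I understand them and are assumptions to check against the current IHE ITI TF-2 text; the user IDs, hostnames and MRNs are made up.

```python
"""Accounting of disclosures built from IHE ATNA audit messages.

Added example, not HIPAAT's, IHE's or HITSP's code. The sample messages are
constructed in the RFC 3881 / DICOM AuditMessage shape that ATNA transports.
Assumptions to check against IHE ITI TF-2: DICOM codes 110106 "Export" and
110110 "Patient Record", EventIdentification/PurposeOfUse, RFC 3881 object codes.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample messages, not captured from a real repository.
SAMPLE_AUDIT_MESSAGES = [
    # PHI exported from the EHR to an HIE gateway, purpose of use recorded
    """<AuditMessage>
<EventIdentification EventActionCode="R" EventDateTime="2013-09-12T14:03:11Z">
 <EventID code="110106" codeSystemName="DCM" displayName="Export"/>
 <PurposeOfUse code="TREAT" codeSystemName="HL7 PurposeOfUse" displayName="Treatment"/>
</EventIdentification>
<ActiveParticipant UserID="dr.ng" UserIsRequestor="true"><RoleIDCode code="PHYS" displayName="Physician"/></ActiveParticipant>
<ActiveParticipant UserID="hie.gateway.example" UserIsRequestor="false" NetworkAccessPointID="203.0.113.7"/>
<ParticipantObjectIdentification ParticipantObjectID="MRN-0001" ParticipantObjectTypeCode="1" ParticipantObjectTypeCodeRole="1"/>
</AuditMessage>""",
    # Routine in-system chart read by a nurse: an internal use, not a disclosure
    """<AuditMessage>
<EventIdentification EventActionCode="R" EventDateTime="2013-09-12T15:20:40Z">
 <EventID code="110110" codeSystemName="DCM" displayName="Patient Record"/>
</EventIdentification>
<ActiveParticipant UserID="nurse.pat" UserIsRequestor="true"><RoleIDCode code="RN" displayName="Nurse"/></ActiveParticipant>
<ParticipantObjectIdentification ParticipantObjectID="MRN-0001" ParticipantObjectTypeCode="1" ParticipantObjectTypeCodeRole="1"/>
</AuditMessage>""",
    # Export to a payer with no PurposeOfUse: the report can only say "not recorded"
    """<AuditMessage>
<EventIdentification EventActionCode="R" EventDateTime="2013-09-12T16:45:02Z">
 <EventID code="110106" codeSystemName="DCM" displayName="Export"/>
</EventIdentification>
<ActiveParticipant UserID="him.clerk" UserIsRequestor="true"><RoleIDCode code="HIM" displayName="Release of Information"/></ActiveParticipant>
<ActiveParticipant UserID="payer.example" UserIsRequestor="false"/>
<ParticipantObjectIdentification ParticipantObjectID="MRN-0001" ParticipantObjectTypeCode="1" ParticipantObjectTypeCodeRole="1"/>
</AuditMessage>""",
]

DISCLOSURE_EVENT_CODES = {"110106"}    # DCM Export: PHI left the source system
INTERNAL_USE_EVENT_CODES = {"110110"}  # DCM Patient Record: use inside the system


@dataclass
class AuditEntry:
    when: str
    patient_id: str
    event_code: str
    requestor: str
    requestor_role: str
    recipient: str   # empty for internal uses
    purpose: str     # "not recorded" when PurposeOfUse is absent


def parse_audit_message(xml_text: str) -> Optional[AuditEntry]:
    """Flatten one AuditMessage; None if it names no requestor or no patient."""
    root = ET.fromstring(xml_text)
    ev = root.find("EventIdentification")
    participants = root.findall("ActiveParticipant")
    requestor = next((p for p in participants if p.get("UserIsRequestor") == "true"), None)
    patient = next((o for o in root.findall("ParticipantObjectIdentification")
                    if o.get("ParticipantObjectTypeCode") == "1"
                    and o.get("ParticipantObjectTypeCodeRole") == "1"), None)
    if ev is None or requestor is None or patient is None:
        return None
    others = [p for p in participants if p is not requestor]  # destination(s) of an export
    role, purpose = requestor.find("RoleIDCode"), ev.find("PurposeOfUse")
    return AuditEntry(
        when=ev.get("EventDateTime", ""),
        patient_id=patient.get("ParticipantObjectID", ""),
        event_code=ev.find("EventID").get("code", ""),
        requestor=requestor.get("UserID", ""),
        requestor_role=role.get("displayName", "") if role is not None else "role not recorded",
        recipient=others[0].get("UserID", "") if others else "",
        purpose=purpose.get("displayName", "") if purpose is not None else "not recorded",
    )


def accounting_of_disclosures(messages, patient_id: str, include_internal_uses: bool = False) -> List[AuditEntry]:
    """One patient's entries, disclosures only unless internal uses are asked for."""
    wanted = DISCLOSURE_EVENT_CODES | (INTERNAL_USE_EVENT_CODES if include_internal_uses else set())
    entries = [e for e in map(parse_audit_message, messages)
               if e is not None and e.patient_id == patient_id and e.event_code in wanted]
    return sorted(entries, key=lambda e: e.when)  # ISO-8601 UTC timestamps sort lexically


def render_report(entries: List[AuditEntry]) -> str:
    lines = []
    for e in entries:
        kind = "DISCLOSURE" if e.event_code in DISCLOSURE_EVENT_CODES else "INTERNAL USE"
        to = f" to {e.recipient}" if e.recipient else ""
        lines.append(f"{e.when}  {kind:<12} by {e.requestor} ({e.requestor_role}){to}; purpose: {e.purpose}")
    return "\n".join(lines)
```

Run `render_report(accounting_of_disclosures(SAMPLE_AUDIT_MESSAGES, "MRN-0001"))` to get the two-line disclosure report; pass `include_internal_uses=True` to see the nurse’s chart read appear as well. The third sample is the practical caveat: when the source system never populates a purpose of use, the repository can say who sent the record and where, but not why, so the “why” column has to come from a purpose-carrying request (as the HITSP TP20 paragraph above proposes) or from manual annotation.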

  19. It could be set up as follows:
    – By default no one can access a patient’s record
    – When the patient goes to see a physician, he can authorize the physician (and any supporting nursing or pharmacy staff) to see his records on a person-by-person basis
    – Patient can revoke access for anyone at any time
    – If the patient goes to a new provider and a new specialist needs access, the specialist sends the patient an email for the patient to grant new access as needed
    – Should probably be an override of some sort for emergency department team members in a situation in which the patient is unconscious or disoriented
    – Use two-factor authentication to prevent hackers from gaining access (both the physicians and patients should use two factor authentication)

    Another thing to think about is the hospital’s computer systems. Many providers have Windows-based systems. Windows systems are very vulnerable to viruses / malware. If providers switched over to use Linux, then that would make their systems more secure.
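
The access model sketched in comment 19 (default deny, per-person grants by the patient, revocation at any time, an emergency override for ED staff) is compact enough to show as a small policy engine. The block below is an added example, not the commenter’s code or any vendor’s product. It assumes authentication, including the two-factor step the comment calls for, has already happened before `decide()` is called; the grant-request-by-email step is modelled only as the resulting `grant()` call; and `BREAK_GLASS_ROLES`, the role names and all user and patient IDs are hypothetical. The security point it adds is that the override path is still a logged, reason-bearing decision flagged for after-the-fact review rather than a silent bypass, and that every permit, including overrides, is what the patient’s own access report is later built from.

```python
"""Patient-directed access control with an audited emergency override.

Added example, not the commenter's code or any vendor's. Implements the sketch
above: default deny, per-person grants by the patient, revocation at any time,
and a break-glass path limited to an emergency role. Authentication (including
the two-factor step) is assumed to happen before decide() is called.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

BREAK_GLASS_ROLES = {"ED"}  # assumption: only emergency-department staff may override


@dataclass
class Decision:
    permit: bool
    basis: str                    # "patient grant", "break-glass", or the denial reason
    review_required: bool = False  # True for every break-glass permit


class ConsentRegistry:
    def __init__(self) -> None:
        # (patient_id, user_id) -> expiry; None means "until revoked"
        self._grants: Dict[Tuple[str, str], Optional[datetime]] = {}
        self.audit: List[dict] = []  # every decision, permit or deny, is recorded

    def grant(self, patient_id: str, user_id: str, expires_at: Optional[datetime] = None) -> None:
        """The patient authorizes one named person (person-by-person, not by role)."""
        self._grants[(patient_id, user_id)] = expires_at

    def revoke(self, patient_id: str, user_id: str) -> None:
        self._grants.pop((patient_id, user_id), None)

    def has_grant(self, patient_id: str, user_id: str, now: datetime) -> bool:
        key = (patient_id, user_id)
        if key not in self._grants:
            return False
        expiry = self._grants[key]
        return expiry is None or now < expiry

    def decide(self, patient_id: str, user_id: str, role: str, now: datetime,
               break_glass: bool = False, reason: str = "") -> Decision:
        if self.has_grant(patient_id, user_id, now):
            d = Decision(True, "patient grant")
        elif break_glass and role in BREAK_GLASS_ROLES and reason.strip():
            d = Decision(True, "break-glass", review_required=True)
        elif break_glass:
            d = Decision(False, "break-glass refused: role not eligible or no reason given")
        else:
            d = Decision(False, "no grant from patient (default deny)")
        self.audit.append({"time": now.isoformat(), "patient": patient_id, "user": user_id,
                           "role": role, "permit": d.permit, "basis": d.basis, "reason": reason})
        return d

    def pending_review(self) -> List[dict]:
        """Break-glass uses the privacy office must confirm after the fact."""
        return [a for a in self.audit if a["basis"] == "break-glass"]

    def accesses_for_patient(self, patient_id: str) -> List[dict]:
        """Permitted accesses, grant-based and override, for the patient's own report."""
        return [a for a in self.audit if a["patient"] == patient_id and a["permit"]]
```

A grant with an `expires_at` gives the time-bounded version of the episode-of-care authorization the comment describes; a denied override is kept in the audit trail as well, because a refused break-glass attempt by someone outside the eligible role is exactly the event a privacy office wants to see.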

  20. Jutta Williams says:

    Intermountain’s submitted testimony to the hearing:

    Accounting for Disclosures Virtual Hearing September 30, 2013
    Questions for Panelists and Responses from Intermountain Healthcare

    Goal 1: Gain a greater understanding of what patients would like to know about uses, accesses, and disclosures of their electronic protected health information (PHI).

    1. What are the reasons patients may want to learn who/what entities have used, accessed or received their PHI as a disclosure? What are the reasons they might want to know about internal uses or accesses?

    Intermountain Answer: The Intermountain corporate compliance privacy office provides oversight for all privacy related inquiries, concerns or complaints received from patients and employees at our 22 hospitals and 185 clinics. It has been our experience that patients, with rare exception, are interested in requesting an investigation of access and are not interested in learning about routine uses or routine disclosures of PHI. Most (over 90%) of investigation requests include a specific user suspected of inappropriately accessing or sharing PHI.

    2. What information would patients want to know about such use, access, or disclosure?
    For example, is it important to know the purpose of each, or the name or role of the individual involved?

    Intermountain Answer: It has been our experience over 12 years of performing privacy investigations in response to patient concerns that patients are not interested in the name of each individual, but they are interested in understanding whether information was used or accessed appropriately or inappropriately. They want to know that a complaint was thoroughly investigated and appropriate action taken in cases of inappropriate access. Intermountain does not reveal the name or title of employees involved in HR related actions to the patient complainant generally. Patients in general have not expressed dissatisfaction with this practice and we have not experienced requests by patients for information on how information has been appropriately accessed or used for routine treatment, payment or hospital operational purposes.

    3. What are acceptable options for making this information available to patients? (report, investigation, etc.)

    Intermountain Answer: Intermountain supports informing patients about investigational outcomes in a general sense though we do not believe that employee names or private HR related actions should be detailed. Should inappropriate access be identified as a part of an investigation request, breach notification processes provide important information to patients about the nature of the incident and what it means to them. Note, however, that breach notification rules do not require inclusion of employee names.

    4. If there are limitations to the information about uses, accesses or disclosures that can be automatically collected given today’s technologies, what are the top priorities for patients?

    Intermountain Answer: It is very challenging to develop systems that can convert security logs into a human readable report. It requires integrations between user identity management systems, patient indexing services and the systems performing access logging. No system we have evaluated can add contextual information like the “purpose” for the access today.

    It has not been our experience that patients seek a list of employees who have accessed their record. Rather, patients want to be able to understand if a specific, unauthorized access occurred. A patient reading such a report will not be able to derive context or purpose for access even if HR title were to be included. The goal of transparency is to provide clarity. It is Intermountain’s position that currently available technology will not answer the question of “why” only the question of “who” as it relates to employee access. We do not believe that without purpose or context, current technology delivers information that provides patients transparency.

    The information available from inquiry audit logging – which we must highlight is not universally available in clinical systems – does allow a trained professional to identify those users who have accessed records and with whom further discussions might be necessary to validate that access was appropriate. Context and purpose for access, in our environment, requires human evaluation and is not available using technical tools alone.

    5. If patients have a concern about possible inappropriate access to or disclosure of their health information, what options currently are available to address this concern? What options should be developed for addressing or alleviating that concern?

    Intermountain Answer: Investigation of inappropriate access to or disclosure of PHI in our environment relies on a number of tools and processes. We utilize security audit logs and data correlation tools to identify potentially inappropriate access and then conduct in-person interviews to understand the purpose for access. Unfortunately, not all clinical applications deliver inquiry (read) level access logging at the patient record level.

    Goal 2: Gain a greater understanding of the capabilities of currently available, affordable technology that could be leveraged to provide patients with greater transparency re: use, access, or disclosure of PHI.

    1. What capabilities are currently used to enable transparency regarding (or to track or monitor) each use, access, or disclosure of PHI? To whom (and for what purpose) is this information communicated?

    Intermountain Answer: Some functions within a hospital are not as automated as others. With regard to access that occurs within mature information systems like our proprietary EHR systems, we can track and monitor uses and disclosures by analyzing inquiry audit level security logs, though this data is kept only for 13 months. However, many disclosures that are allowed without a patient authorization like those made as required by law (e.g., patient overdose reporting to the State of Utah) or those performed as permitted for the purpose of public health reporting (e.g., CDC survey disclosures) are often performed using database queries rather than by directly accessing a patient record. For database queries, access to and delivery of specific patient data is not logged at the individual record level but rather is limited by current database technology to only record the query script itself. This does not help us identify individual patient data disclosed as part of a query. For the disclosures that use database queries, analysts must manually prepare and deliver spreadsheets to the privacy office. For some CMS reporting not related to direct payment, for example, our Quality department manually prepares and delivers a spreadsheet each quarter that includes all patient record data delivered to meet quality measure reporting requirements.

    For individual patient record requests that do not require an authorization such as those that are delivered in response to a subpoena or court order, Intermountain tracks and monitors each request and record delivery by manually inputting data into a proprietary release of information application.

    2. If you currently do not track each user that accesses a record internally along with the purpose of that access, what would it take to add that capability from a technical, operational/workflow, and cost perspective? What would it take to add that capability for external disclosures?

    Intermountain Answer: Inquiry (read) access is tracked for some systems but not for all. Many legacy systems cannot accommodate the processing impact of turning on such functionality, even with the existence of the underlying software code – which is not assured since this is not required by law. We inquired of the cost associated with developing such code for one of our more modern systems that is considered part of our Designated Record Set. The supplier responded that they would be happy to deliver a solution as a consulting arrangement and suggested that such services would cost on the order of $3M to complete. We estimate that in order to upgrade all systems considered part of our Designated Record Set as proposed would cost Intermountain upwards of $100M to complete.

    Many legacy systems could not be upgraded to meet such a technical requirement and would need to be replaced should this level of auditing be mandatory. Intermountain would encourage regulators to consider the importance of the flexible approach within the Security rule for other, addressable security requirements. Not all systems are capable of meeting all requirements; in this case we urge ONC and OCR to consider making an auditing requirement addressable such that older, less sophisticated, and lower risk systems may implement a reasonable and appropriate control.

    3. Is there any “user role” or other vehicle that can be utilized to distinguish an access by an internal user from an external disclosure? Can it be determined, for example, that the user is a community physician who is not an employee of the healthcare organization (IDN or Organized Health Care Arrangement (OHCA))? If not, what are the obstacles to adding this capability?

    Intermountain Answer: Potentially; if read-level auditing is available and a user serves in one capacity or the other, an access might be defined as either by an employee or by a non-workforce member. However, many of our users wear multiple hats so it is not simple to understand what role they are serving at a specific point in time. It is easier to establish policies for how to flag access for non-OHCA users – who would presumably have less reason to have direct access to patient records in any case.

    4. Does the technology have the capability to track access, use, or disclosure by vendor employees, like systems’ administrators, (for example, who may need to occasionally access data in native mode to perform maintenance functions)? Do you currently deploy this capability and if so, how?

    Intermountain Answer: For some high-risk systems, this functionality is enabled to track all access; however, it does not natively determine the employment status of a user so does not automatically make a differentiation between a use or a disclosure. This determination would require use of a separate security audit management software product which is not widely employed in the healthcare industry today.

    5. Are there certain uses, access, or disclosures within a healthcare entity that do not raise privacy concerns with patients? What are these uses and disclosures? Can the technology distinguish between these and others that might require transparency to patients?

    Intermountain Answer: Typically those uses and disclosures made for routine treatment, payment and hospital operational purposes are not of interest to patients. A patient receives notice of how information will be used and disclosed for these routine purposes. Importantly, a number of transparency-related rights afforded to patients have been augmented and/or created since the Access Report was proposed in May 2011, including a more detailed notice of privacy practices statement, specific criteria for notifying patients of a breach of their PHI, and the delivery of records and care team information through Meaningful Use Criteria.

    6. Do you have the capability to generate reports of access to, uses of, and disclosures from, a medical record?

    Intermountain Answer: Yes for a very limited number of systems; particularly for the systems we consider part of our legal electronic medical record. However, this report does NOT generate and could never generate an understanding of why a record was accessed.

    • How frequently are the reports generated, and what do they look like?

    Intermountain Answer: Intermountain has shared a copy of such a report. It is voluminous and confusing. An access report for one patient for one month from one system was nearly 900 pages long. When shown to patients, this report was identified as confusing and useless.

    • How granular are these reports? Are they detailed by aggregate data categories, individual type of data, or individual data element, or in some other way?

    Intermountain Answer: We have built our reporting to be granular in nature so we can use it as an investigative tool. Reporting can be built to be aggregated by data categories (i.e., all clinical notes rather than a specific clinical note) however, it cannot be aggregated across multiple systems with our current technology. Even these aggregated reports, however, cannot derive context or purpose for access. They can be used only to support an investigation, not to complete one.

    • Can they be generated automatically, or do you use manual processes?

    Intermountain Answer: Some portions of the report can be created automatically but others require highly manual processes that include hours of human assessment and evaluation.

    • Do you integrate reports across multiple systems?

    Intermountain Answer: No. We prepare separate reports from different systems. There is no standard for how audit data is created so each system requires a custom report to parse and convert the proprietary system log data into a human readable format.

    • What is the look-back period?

    Intermountain Answer: We retain 13 months of data. We store and must process approximately 70 million security logs per month. While data storage may be relatively inexpensive, processing and correlating larger quantities of data is not possible with our current hardware and software.

    Goal 3: Gain a greater understanding of how record access transparency technologies are currently being deployed by health care providers, health plans, and their business associates (for example, HIEs).

    1. How do you respond today to patients who have questions or concerns about record use/access/disclosure? What types of tools/processes would help you improve your ability to meet patient needs for transparency regarding record use/access/disclosure? Have you ever received a request from a patient (or subscriber) that requested a list of every employee who had access to PHI?

    Intermountain Answer: We conduct a thorough investigation that begins by running access reports for those systems that have inquiry audit logs available. If access is identified that appears to be inappropriate or if a specific user was identified by the complainant and access by that user is identified, an interview is conducted by a privacy official assigned to that user’s facility. A strict sanction policy is applied for all inappropriate access. Notice is provided to the patients as appropriate. For those investigations that result in no findings of impropriety we inform complainants. With rare exception, our patients appear satisfied with this process.

    In 12 years, we have had one request for a list of everyone in our workforce who had looked at this patient’s record. We have never been asked for a list of everyone who has accessed (internal uses and external disclosures). In speaking with the patient about his concern and purpose for asking for such an access report, he identified that his request was aimed at collecting proof of inappropriateness to use as evidence in a civil action involving his ex-wife, our employee. Our offer to conduct an investigation into his ex-wife’s access and notify him of the outcome of our investigation seemed to satisfy the patient.

    2. What types of record use/access/disclosure transparency or tracking technologies are you deploying now and how are you using them?

    Intermountain Answer: We have just signed a contract with a firm to replace our aging, home-grown tools used to report on access to our EMR. In our integrated health care delivery system that serves millions of patients our legal electronic medical record systems include about four distinct systems compared to the much larger number of systems included in the very broad designated record set definition. While we hope that new systems will be able to monitor access within more systems than our current systems, we do not believe that integration with the >30 systems classified as a DRS will be possible even with the new tools. We are also investing in new security tools for our Enterprise Data Warehouse to improve tracking for database queries to PHI.

    3. For transparency, what do you currently provide to patients regarding use/access and disclosure, and do you see any need to change your current approach?

    Intermountain Answer: It has been our experience that thorough investigations of patient privacy concerns or complaints provide the best form of transparency for patients and employees who feel something inappropriate may have occurred. The current AOD report for non-routine disclosures has been identified by patients as having less value, but is another form of reporting that we plan to continue to provide. Based on the positive track record we feel we have with our patients, we do not see our approach changing unless required to do so.

    4. Do you have any mechanisms by which patients can request limits on access? For example, if a patient had concerns about the possibility that a neighbor employed by the facility might access his/her record, is there a way for this to be flagged?

    Intermountain Answer: This is a very challenging thing to accomplish technologically and we have investigated the feasibility of doing such a thing. To prevent access, it would require that our EMR and likely other commercial products add access control lists to each patient record. As a detective control, it is possible to prepare an access report on a periodic basis to flag access as inappropriate after such an access has already occurred. The detective, rather than preventative method, is how commercially available tools that monitor patient access function today.

    Goal 4: Gain a greater understanding of other issues raised as part of the initial proposed rule to implement HITECH changes.

    1. Regarding access reports, what information do you collect besides the basic information collected in an audit log?

    Intermountain Answer: We collect identity information and demographic details (like home address) for employees and patients so we can derive answers to questions like are they neighbors. We also collect time-card information and conflict of interest information to identify whether employees are serving in secondary roles when accessing information. We collect patient encounter histories to identify if a patient was seen in a facility on or around the time of an access event. We also collect and correlate payment related activities to help explain why revenue cycle employees may be accessing information on patient encounters. There are many other sources of information that help us to derive as much knowledge as possible about the potential purpose or context for an access event prior to sending out an interview request. Interviewing employees about access when it is appropriate has a negative impact on morale so we attempt to find any and all information to explain an access event and reduce false positives in our proactive audit processes.

    2. What would be involved in obtaining access information from business associates? Do current business associate agreements provide for timely reporting of accesses to you or would these agreements need to be renegotiated?

    Intermountain Answer: It would be very challenging operationally to collect information in a timely way. It would also be arguable that we have a right to ask for this information. Our agreements require access to investigate security incidents and data breach concerns. We also require timely reporting of inappropriate accesses and to account for disclosures to other 3rd parties. However, it would be challenging to require delivery of access information for appropriate internal uses under current BAA terms and conditions. Renegotiation would be necessary.

    3. What issues, if any, are raised by the NPRM requirement to disclose the names of individuals who have accessed/received copies of a patient’s PHI (either as part of a report of access/disclosures or in response to a question about whether a specific person has accessed)? What are the pros and cons of this approach?

    Intermountain Answer: We feel the proposed right to an access report introduces a new and significant threat to the safety of Intermountain’s healthcare workers. Intermountain has made a risk-based decision to not include last names on our badges in order to limit our employees’ exposure to potential harm or harassment by patients. By requiring access reports to include the names of employees, the NPRM exposes the named employees to risks, particularly in rural areas, of being tracked down.

    Intermountain has an obligation to protect its employees from unnecessary harassment. Further, Intermountain feels strongly that a court order should be required to supply employee names in cases of both appropriate and inappropriate access. Accordingly, Intermountain feels that employee names should not be included in a patient-requested access report. Because of the lack of contextual information in an access report that explains why a healthcare employee may have accessed a record, a patient may feel justified in contacting the healthcare employees directly to ask why they saw the patient’s PHI. If a patient raises a privacy concern based on an AOD or access report, then the covered entity should be responsible for investigating that concern for the patient and reporting back to the patient. This gives us the opportunity to address patients’ concerns, make any needed adjustments to our privacy processes, and take appropriate disciplinary action.

    In addition, an increasing number of Intermountain’s investigation requests relate to domestic or civil disputes. On many occasions, Intermountain’s privacy-compliance investigators become de-facto enlistees in supplying evidence in legal cases. One of the reasons we do not name employees involved in breach notification letters today, which we are not required to do under current law, is to limit the degree to which investigation requests provide evidence in legal actions. Intermountain suggests that the prime beneficiary of an access report containing employee names would be litigants.

    The proposed access report would have significant adverse effects on state peer review immunity and the conduct of quality improvement activities. Many states have enacted laws that protect healthcare employees from litigation when performing investigations, surveys, audits and other business activities to improve healthcare quality. The purpose of the immunity, of course, is to encourage providers to improve healthcare quality without the fear of litigation. Intermountain relies on this immunity to conduct quality improvement projects that have directly resulted in both reduced costs and better clinical outcomes for our patients. In recognition of Intermountain’s use of information technologies and its data-driven quality improvement projects, President Obama honored Intermountain as a leader in providing quality care at low costs during his 2009 address to a joint session of Congress on healthcare.

    The NPRM would provide attorneys a “back door” to uncover more detail about the reason or purpose for access, thereby nullifying any privilege or immunity for quality improvement projects. While a covered entity could request a protective order from the court to protect these projects and their data, the covered entity’s administrative burden to do that would be significant.

    The NPRM would increase litigation costs as attorneys and litigants seek to obtain copies of detailed access reports. And because the access report provides little information about the purpose of the access or what part of the record was accessed, a follow-up deposition or subpoena seeking more detailed information would likely follow an access report request. In an extreme case, an attorney could choose to interview all persons who had accessed a patient’s record for information. So both these added fees and the added risks to the safety of healthcare workers argue against adoption of the access report provisions of the NPRM.

    4. How do you think current mechanisms to allow patients to file a complaint and request an investigation regarding possible inappropriate uses or disclosures are working? Could they be enhanced and be used in lieu of, or in addition to receiving a report?

    Intermountain Answer: We believe this would be a very reasonable approach to providing patients with transparency. We have conducted such investigations for 12 years with very favorable feedback from the patients we have been able to help.

    • Should entities be required to do such an investigation – if so, what should be the scope?

    Intermountain Answer: If a patient provides vague or incomplete information about their concern, it diminishes our ability to investigate. If patients were to be afforded such a right, it would be necessary that we receive some specifics before we can investigate a complaint – either a specific period of time during which access may have occurred, a specific location where an inappropriate event occurred, or a specific employee of concern should be supplied to ensure we can investigate the complaint.

    • Should entities still be required to produce a report if the patient wants one?

    Intermountain Answer: No. The report requirement is fundamentally flawed and represents a safety risk to employees. Given the costs involved and the lack of value to the patient, the access report does not appropriately meet the patient benefit/provider burden balancing test required by the statute.

    • What recourse does the patient have if he/she is not satisfied with the response?

    Intermountain Answer: If the patient feels that a covered entity has not met its obligations to investigate and respond appropriately, they have the right to appeal to OCR. While we agree that OCR is not a customer service oversight organization, we believe the OCR is best suited to evaluate if a covered entity has established a fair and appropriate process for investigating privacy complaints.

    • What options do entities have if patient’s transparency requests cannot be honored?

    Intermountain Answer: If it is not feasible to accommodate the patient, we can seek guidance from OCR to identify an appropriate response.
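
The workflow Intermountain describes above (a custom parser per system to turn proprietary log data into one readable shape, a roster lookup to supply the role and employment status the logs lack, and correlation with encounter history to explain an access before anyone is interviewed) can be sketched as follows. This is an illustration added here, not Intermountain's tooling; the two log formats, the roster, the encounter table and the seven-day window are all constructed assumptions.

```python
"""Normalise audit events from two dissimilar systems, attach workforce
context, and flag the accesses an investigator should look at first.

All inputs below are constructed for this example: the log formats, field
names, roster, encounters and the review window are hypothetical."""
import json
from collections import Counter
from datetime import datetime, timedelta

# System A (hypothetical EMR): one pipe-delimited line per read event.
SYSTEM_A_LOG = """\
2013-09-03T08:12:00|jdoe|P1001|CLIN_NOTE|READ
2013-09-03T08:13:10|jdoe|P1001|LAB_RESULT|READ
2013-09-12T22:40:00|bsmith|P1001|CLIN_NOTE|READ
"""

# System B (hypothetical billing system): one JSON object per line.
SYSTEM_B_LOG = """\
{"ts": "2013-09-04 09:05:00", "uid": "clerk7", "mrn": "P1001", "obj": "claim", "op": "view"}
{"ts": "2013-09-20 15:30:00", "uid": "drlee", "mrn": "P1001", "obj": "claim", "op": "view"}
"""

# Workforce roster (constructed). Employment status is the attribute the raw
# logs cannot supply, and it decides whether an event is a use or a disclosure.
ROSTER = {
    "jdoe":   {"role": "nurse",     "status": "employee",  "facility": "HospA"},
    "bsmith": {"role": "nurse",     "status": "employee",  "facility": "HospB"},
    "clerk7": {"role": "billing",   "status": "employee",  "facility": "HospA"},
    "drlee":  {"role": "physician", "status": "community", "facility": "HospA"},
}

# Patient encounter history (constructed): facility, admit date, discharge date.
ENCOUNTERS = {
    "P1001": [("HospA", "2013-09-02", "2013-09-05")],
}

# An access within this many days of an encounter at the user's facility is
# treated as explained by the care relationship (assumed policy value).
ENCOUNTER_WINDOW = timedelta(days=7)


def parse_system_a(text):
    """Custom parser for the pipe-delimited format of hypothetical System A."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, category, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "category": category.lower(),
                       "action": action.lower(), "source": "A"})
    return events


def parse_system_b(text):
    """Custom parser for the JSON-lines format of hypothetical System B."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({"ts": datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S"),
                       "user": rec["uid"], "patient": rec["mrn"],
                       "category": rec["obj"].lower(), "action": rec["op"].lower(),
                       "source": "B"})
    return events


def classify(event):
    """Attach roster context and an encounter-based explanation to one event."""
    person = ROSTER.get(event["user"])
    if person is None:
        # An ID with no roster entry cannot be explained automatically.
        return dict(event, kind="unknown_user", explained=False)
    kind = "use" if person["status"] == "employee" else "disclosure"
    explained = False
    for facility, start, end in ENCOUNTERS.get(event["patient"], []):
        if facility != person["facility"]:
            continue
        lo = datetime.fromisoformat(start) - ENCOUNTER_WINDOW
        hi = datetime.fromisoformat(end) + ENCOUNTER_WINDOW
        if lo <= event["ts"] <= hi:
            explained = True
            break
    return dict(event, kind=kind, role=person["role"], explained=explained)


def build_report(patient):
    """One chronological report across both systems, aggregated by data
    category, with the unexplained accesses separated out for review."""
    events = [e for e in parse_system_a(SYSTEM_A_LOG) + parse_system_b(SYSTEM_B_LOG)
              if e["patient"] == patient]
    classified = sorted((classify(e) for e in events), key=lambda e: e["ts"])
    by_category = Counter(e["category"] for e in classified)
    needs_review = [e for e in classified if not e["explained"]]
    return {"events": classified, "by_category": dict(by_category),
            "needs_review": needs_review}


if __name__ == "__main__":
    report = build_report("P1001")
    print("accesses by category:", report["by_category"])
    for e in report["needs_review"]:
        print(f"review: {e['ts']} {e['user']} ({e['kind']}) {e['category']} via system {e['source']}")
```

The unexplained events are only a starting point for an investigation, as the testimony notes: the correlation narrows the list, it does not establish purpose.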

  21. AHIMA says:

    Good afternoon. Ms. McGraw, Mr. Egerman, and members of the Tiger Team, thank you for inviting AHIMA to testify today “to explore realistic ways to provide patients with greater transparency about the uses and disclosures of their digital, identifiable health information.”

    My name is Lynne Thomas Gordon and I am the Chief Executive Officer of the American Health Information Management Association (AHIMA). Prior to joining the AHIMA team, I served as the associate vice president for hospital operations at Children’s Hospital at Rush University Medical Center in Chicago, Illinois.

    AHIMA is an 85-year-old not-for-profit association of professionals, educated, trained, certified and working in the field of health information management (HIM). We have more than 67,000 members who work in multiple settings including hospitals, physician offices, long term care organizations, clinics, colleges and universities, health information technology vendors and developers, consulting firms and life science companies across the healthcare industry. AHIMA’s members can be found in numerous and diverse roles with a wide range of responsibilities. Individual members are educators; hospital administrators; deans of universities; lawyers; students pursuing advanced degrees and careers in informatics; government officials; coders and data analysts, and consultants and industry professionals.

    AHIMA members are subject matter experts and AHIMA is an unbiased, trusted authoritative source within the health information management and applied informatics communities. AHIMA and its members are ensuring quality health and healthcare through data and information governance and stewardship.

    AHIMA provides certification in a number of practice areas, including:

    • Health Information Management
    o Registered Health Information Administrator (RHIA)
    o Registered Health Information Technician (RHIT)
    • Coding
    o Certified Coding Associate (CCA)
    o Clinical Coding Specialist (CCS)
    o Clinical Coding Specialist-Physician Based (CCS-P)
    • Specialty
    o Clinical Documentation Improvement Practitioner (CDIP)
    o Certified Health Data Analyst (CHDA)
    o Certified in Healthcare Privacy and Security (CHPS)
    o Certified Healthcare Technology Specialist (CHTS)

    For more than 85 years AHIMA’s members have been on the front lines and in the trenches of health information management practice, especially privacy and security requirements and adherence to the applicable federal and state laws. AHIMA members are committed to several foundational principles and tenets, especially data integrity and data confidentiality. These principles are the basis for our comments today.

    AHIMA’s oral testimony focused on two primary topics:

    1. Data Collection, Management and Processing–Ensuring Balance
    2. Ensuring the Safety of the Healthcare Workforce

    Our written testimony will focus on the questions supplied by the Privacy and Security Tiger Team.

    Goal 1: Gain a greater understanding of what patients would like to know about uses, accesses, and disclosures of their electronic protected health information (PHI).

    1. What are the reasons patients may want to learn who/what entities have used, accessed or received their PHI as a disclosure? What are the reasons they might want to know about internal uses or accesses?

    Our members report that patients rarely request specific data about who or what entities have used, accessed or received their PHI, especially with regard to internal uses or accesses. When an accounting of disclosure is requested, it is usually for a very specific disclosure that the patient is already aware of but would like to learn more about.

    AHIMA members have indicated that the primary reason patients request an access or disclosure report is that the patient suspects that a particular party(s) may have inappropriately accessed, used, or disclosed their PHI. For example, a patient may want to know:

    • Whether a former or current acquaintance has been looking at his or her record for some inappropriate purpose.
    • To see if relatives or friends who work in the hospital or provider’s office have accessed their medical record.
    • To learn the names of the staff/physicians who accessed their record and provide this information to an attorney to subpoena them.
    • Whether a sibling has accessed information on a parent or a deceased parent in an effort to resolve family matters such as settling estates.
    • Employees of covered entities may be “required” by their insurance to obtain treatment at the organizations at which they work, and the employee may want to know if co-workers (not their caregivers) have been inappropriately accessing their records.

    2. What information would patients want to know about such use, access, or disclosure? For example, is it important to know the purpose of each, or the name or role of the individual involved?

    AHIMA’s members report that patients typically seek to confirm any instances of inappropriate access. The patients often seem to have an awareness of who may have inappropriately accessed their data and when the access may have occurred. Our members report that patients do not seem to question routine use or access by individuals performing their jobs.

    3. What are acceptable options for making this information available to patients? (report, investigation, etc.)

    AHIMA believes that there are acceptable options to comply within the existing HIPAA regulations such as reports from investigations. As previously stated, AHIMA is not supportive of routinely providing a copy of an access audit log to patients. Access logs typically contain detailed and granular data. However, AHIMA continues to be concerned that significant resources are required to produce such reports, as the data are not necessarily housed in one central database, nor are they readily available. Covered entities and business associates have complex and diverse organizational structures, and thus it may not be readily apparent who or why specific data were accessed.

    Regardless, AHIMA believes that it is essential to review any requested access reports with the patient so that an explanation of the report can be provided.

    4. If there are limitations to the information about uses, accesses or disclosures that can be automatically collected given today’s technologies, what are the top priorities for patients?

    AHIMA believes that issues regarding use and disclosure of data are not simply technological issues. Data governance and integrity are critical. AHIMA believes that the top priority for patients is the issue of trust. Patients need to trust that their healthcare providers are complying with all relevant and applicable federal and state laws related to the confidentiality, privacy, and security of their health information. AHIMA believes that patients seek assurances that their data are protected from unauthorized use or disclosure.

    If patients have a concern about possible inappropriate access to or disclosure of their health information, what options currently are available to address this concern? What options should be developed for addressing or alleviating that concern?

    AHIMA believes that providers should continue to follow their policies and procedures for investigating potential breaches and reporting confirmed breaches as required by Breach Notification Rule. AHIMA is aware of efforts to establish principles of data stewardship and governance, and stands ready to help further refine and evaluate these efforts.

    AHIMA believes that in accordance with HIPAA, providers have already implemented processes to ensure that information is only being accessed for legitimate reasons.

    Organizations responsible for PHI should already have clearly defined policies and procedures for the access and disclosure of health information. In addition, organizations should have training and monitoring programs in place to enforce compliance.

    When inappropriate access or disclosures are identified, providers typically take appropriate steps to counsel their workforce, up to and including termination. Security measures are established to ensure that only caregivers who are participating in the care of a patient or staff working within scope of their jobs have access to a patient’s record. In addition, role management is often implemented to limit access to those who have a legitimate need to know. Finally, facilities are required to comply with all federal and state laws associated with privacy and security and educate and re-educate all workforce members on these policies and practices.

    In addition, if patients are not satisfied, they may file a complaint with the Privacy Officer or the Office for Civil Rights.

    Goal 2: Gain a greater understanding of the capabilities of currently available, affordable technology that could be leveraged to provide patients with greater transparency re: use, access, or disclosure of PHI.

    1. What capabilities are currently used to enable transparency regarding (or to track or monitor) each use, access, or disclosure of PHI? To whom (and for what purpose) is this information communicated?

    AHIMA believes that in general organizations are currently successfully addressing accounting for disclosures to external parties. As patient records continue to move to electronic environments, AHIMA recommends that covered entities and business associates coordinate and centralize their release of information functions, especially accounting of disclosures, within an organization’s health information management processes.

    AHIMA understands that in some settings, the release of information process may be more loosely defined and may require additional attention. Internal access by staff and practitioners may not be routinely or easily tracked. We understand that security audits are used as a primary investigative tool. Telephone lines or support lines, also known as “hotlines,” are available to allow organization staff to report irregular or suspicious activities.

    2. If you currently do not track each user that accesses a record internally along with the purpose of that access, what would it take to add that capability from a technical, operational/workflow, and cost perspective? What would it take to add that capability for external disclosures?

    AHIMA members report that tracking each user who accesses a record internally, along with the purpose of that access, would be extremely cumbersome and burdensome for all healthcare organizations. We are concerned that current technological solutions and related workflow processes may not be able to consistently and efficiently identify internal user access.

    AHIMA believes that the HIPAA Security Rule already requires that organizations be able to track user access. These capabilities are, however, costly in both financial and human resources. In addition, the data is expansive because of the increasingly larger number of individuals involved in various aspects of the healthcare delivery process across multiple organizational entities and delivery systems.

    3. Is there any “user role” or other vehicle that can be utilized to distinguish an access by an internal user from an external disclosure? Can it be determined, for example, that the user is a community physician who is not an employee of the healthcare organization (IDN or OHCA)? If not, what are the obstacles to adding this capability?

    AHIMA believes that the availability to electronically utilize “user roles” or other mechanisms to appropriately distinguish the various types of accesses or disclosures varies widely by organization and by electronic system.

    While policies and practices vary from organization to organization, generally, individuals who are not employed, or granted privileges to practice at a given organization, do not have access to patient information within that organization.

    4. Does the technology have the capability to track access, use, or disclosure by vendor employees, like systems’ administrators, (for example, who may need to occasionally access data in native mode to perform maintenance functions)? Do you currently deploy this capability and if so, how?

    AHIMA is not aware of whether specific vendor technology has the capability to track access, use, or disclosure by vendor employees. However, we remind the Tiger Team that the privacy and security of the data is generally covered by contract between the two parties. Under HIPAA, business associates are bound by the privacy and security policies of both the organization they are working with and their own policies and procedures. Our understanding is that if a vendor logs into a system, the audit trail has the capability to track if the vendor viewed, printed, or edited any information while in the system if they accessed a record.

    5. Are there certain uses, access, or disclosures within a healthcare entity that do not raise privacy concerns with patients? What are these uses and disclosures? Can the technology distinguish between these and others that might require transparency to patients?

    According to our members, patients do not seem concerned about general access by staff performing their job duties. For example, patients understand that allied health professionals such as therapists and pharmacists need to access records to know what has been ordered for the patient.

    AHIMA questions the extent to which currently available technologies can automatically and accurately discern appropriate uses/access from inappropriate uses/access. We believe that significant human interaction/judgment is required. Furthermore, organizational policies and procedures that govern data access, use, integrity, and governance must be in place and providers and employees must be regularly trained.

    6. Do you have the capability to generate reports of access to, uses of, and disclosures from, a medical record?
    • How frequently are the reports generated, and what do they look like?
    • How granular are these reports? Are they detailed by aggregate data categories, individual type of data, or individual data element, or in some other way?
    • Can they be generated automatically, or do you use manual processes?
    • Do you integrate reports across multiple systems?
    • What is the look-back period?
    AHIMA members report that some systems can generate some reports. The reports are cumbersome and difficult to generate.

    • How frequently are the reports generated, and what do they look like?

    Reports are typically generated from audits or when there is a patient complaint. Report formats vary.

    • How granular are these reports? Are they detailed by aggregate data categories, individual type of data, or individual data element, or in some other way?

    The granularity of the reports varies.

    • Can they be generated automatically, or do you use manual processes?

    Manual processes are usually required.

    • Do you integrate reports across multiple systems?

    Typically reports cannot be generated across multiple systems.

    • What is the look-back period?

    The look-back period varies based on the system’s capability.

    Goal 3: Gain a greater understanding of how record access transparency technologies are currently being deployed by health care providers, health plans, and their business associates (for example, HIEs).

    1. How do you respond today to patients who have questions or concerns about record use/access/disclosure? What types of tools/processes would help you improve your ability to meet patient needs for transparency regarding record use/access/disclosure? Have you ever received a request from a patient (or subscriber) that requested a list of every employee who had access to PHI?

    Our members report that these requests are very infrequent. When patients make such requests, our members typically ask patients to be as specific as possible regarding their concerns about who might have inappropriately accessed their information. Reviewing an extensive report of internal access to ensure that all access was appropriate is labor intensive, since doing so requires researching every user ID on the list, matching that user ID to a name, and then investigating the purpose of the access.

    Members have also shared that providing the actual access report raises more questions and concerns from the patient, such as confirming why the access was appropriate for the individual’s job duties. Our members report instances of patients confronting or contacting staff directly if individuals are identified by first and last name on the report.

    2. What types of record use/access/disclosure transparency or tracking technologies are you deploying now and how are you using them?

    AHIMA members stated that they are generally using accounting of disclosure applications supplied by their vendors or still use a paper/manual process. The application is used to track external requests for records and internal requests. AHIMA members also note that not all requests for information or for disclosures of access are handled by the organization’s health information management function/department (such as birth and/or death certificate reporting or specific diseases that are reported to a state department of health).

    3. For transparency, what do you currently provide to patients regarding use/access and disclosure, and do you see any need to change your current approach?

    The offer to investigate potential concerns regarding the access, use, or disclosure of PHI and then discussing the results of the investigation or sending a summary letter appears to meet patient needs. Employee names are generally not provided and AHIMA would not support making them available.

    4. Do you have any mechanisms by which patients can request limits on access? For example, if a patient had concerns about the possibility that a neighbor employed by the facility might access his/her record, is there a way for this to be flagged?

    Our members are not aware of any widely used mechanisms by which patients can request limits on access. Access management tools appear to be the primary means used to control access to patient records. However, the ability to employ access management as a solution depends upon system configuration.

    Goal 4: Gain a greater understanding of other issues raised as part of the initial proposed rule to implement HITECH changes.

    1. Regarding access reports, what information do you collect besides the basic information collected in an audit log?

    Our respondents indicated that nothing beyond the basic information is collected.

    2. What would be involved in obtaining access information from business associates? Do current business associate agreements provide for timely reporting of accesses to you or would these agreements need to be renegotiated?

    Reviewing access information from business associates would need to be negotiated into the business associate contract. If the covered entity does not currently have review or audit ability written into the contract then that function/process would need to be added.

    3. What issues, if any, are raised by the NPRM requirement to disclose the names of individuals who have accessed/received copies of a patient’s PHI (either as part of a report of access/disclosures or in response to a question about whether a specific person has accessed)? What are the pros and cons of this approach?

    This raises major employee safety concerns. AHIMA is very concerned about protecting the staff of the covered entity. Healthcare workers should expect to be safe in their workplace. AHIMA believes that identifying individuals in an access report would unnecessarily jeopardize that safety. We can think of no other industry that places employees in this type of predicament. Further, we are not aware of any other industry that is required to share its internal uses of data with the consumer. This data comprises the business records of the covered entity or business associate. AHIMA believes that any type of access report should only carry identifiers for the workforce members who appear on the report, not individual names. Identifiers would make workforce members more difficult to identify and help to enhance their safety. One option might be to emulate the common practice of using only employee first names and last name initials on an ID badge.

    4. How do you think current mechanisms to allow patients to file a complaint and request an investigation regarding possible inappropriate uses or disclosures are working? Could they be enhanced and be used in lieu of, or in addition to receiving a report?

    AHIMA believes current mechanisms to allow patients to file a complaint and request an investigation regarding possible inappropriate uses or disclosures are working. Patients know they can file a complaint and that it will be investigated. Patients are also made aware and provided information to file a complaint with the Secretary if they so choose. Extensive manual processes are required to compile and interpret an access report as part of any investigation. A contributing factor to the work involved is the current lack of a standard format for an access report or log. Standardizing the access reports has the potential to lessen the time and labor it takes to conduct an investigation.

    As stated in our July 29, 2011, submitted comments regarding the Accounting of Disclosures Notice of Proposed Rulemaking (NPRM), “AHIMA believes that education is necessary prior to implementation of the rule to ensure that individuals fully understand the various types of accesses that can be included on an access report. And we re-affirmed that AHIMA fully supports the individual’s right to understand what to expect when he or she receives an access report.” Furthermore, AHIMA believes that there is a need to educate patients about the definitional differences between the use (means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information) and the disclosure (means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information) of PHI. These terms are often used synonymously and that creates challenges with regard to the proper use of PHI for treatment, payment and healthcare operations.

    • Should entities be required to do such an investigation – if so, what should be the scope?

    AHIMA supports the investigation of suspected inappropriate use or disclosure of PHI. Complaint investigations are part of the Breach Notification Rule and should be part of the mitigation process. We also believe that any processes or investigations required to provide responses to such access and use questions must be tempered with a balance that includes an emphasis on the burden and value of the response and the safety of the healthcare workforce involved.

    • Should entities still be required to produce a report if the patient wants one?

    Employee safety concerns are paramount. Patients should have the right to file a complaint regarding potential inappropriate access to or disclosure from their records, as it exists now. The covered entity should then respond by conducting an investigation according to its organizational policies and procedures in compliance with the existing Breach Notification Rules.

    Patients should be required to identify [to the best of their ability] the individuals (by name) who they think may have inappropriately accessed their records. Then standard investigation procedures to address the concern would follow.

    • What recourse does the patient have if he/she is not satisfied with the response?

    The privacy rule requires that organizations provide patients with the information to file a complaint with the HHS Office for Civil Rights.

    • What options do entities have if a patient’s transparency requests cannot be honored?

    AHIMA is not sure what is meant by a “patient’s transparency request.” However, we believe that covered entities can only be held accountable for the maintenance of records in accordance with state law regarding health record retention and destruction.

    Additionally, AHIMA is concerned about any proposal to inform a patient about any disciplinary actions taken against specific employees. There are specific human resources rules and labor laws that prohibit informing other employees about specific employee sanctions. It would not be appropriate to share that information with patients. It would be appropriate to inform the patient that the situation has been addressed without including any specifics.

    Conclusion

    Thank you for providing AHIMA the opportunity to testify today. As an addendum to our testimony, AHIMA is supplying the Tiger Team with several additional resources:
    • AHIMA Comments on the Accounting of Disclosures Notice of Proposed Rulemaking
    • AHIMA Release of Information Toolkit
    We look forward to working with key stakeholders to identify the proper balance of an individual’s request and an appropriate process for accounting of disclosures to ensure the safety of our healthcare workforce.
