Seeking Your Input: Transparency and Implementation of HITECH Accounting of Disclosures
Deven McGraw, JD, MPH, LLM | September 23, 2013
The HIT Policy Committee’s Privacy and Security Tiger Team will be holding a virtual, public hearing to explore realistic ways to provide patients with greater transparency about the uses and disclosures of their digital, identifiable health information next Monday.
Such exploration should also help facilitate implementation of the HITECH requirement that a patient’s right under the HIPAA Privacy Rule to an “accounting” of disclosures include disclosures for “treatment, payment and operations” when such disclosures are made through “an electronic health record.” The Privacy Committee of the National Committee on Vital and Health Statistics’ Subcommittee on Privacy, Confidentiality and Security and the HIT Standards Committee’s Privacy and Security Work Group will also participate in the question and answer periods. This hearing will be held on September 30 from 11:45 a.m. to 5:00 p.m. Instructions on how to listen to this meeting here.
At the hearing, the Tiger Team will hear testimony from stakeholders–including providers, payers, vendors and business associates, and patient advocates–on key questions, organized by four goals for the hearing. These questions are shown below. In addition, the Tiger Team invites you – members of the public – to provide written answers to the questions we are posing below. The Tiger Team will consider these answers as it continues to deliberate and make recommendations on these issues.
Goal 1: Gain a greater understanding of what patients would like to know about uses, accesses, and disclosures of their electronic protected health information (PHI).
- What are the reasons patients may want to learn who/what entities have used, accessed or received their PHI as a disclosure? What are the reasons they might want to know about internal uses or accesses?
- What information would patients want to know about such use, access, or disclosure? For example, is it important to know the purpose of each, or the name or role of the individual involved?
- What are acceptable options for making this information available to patients? (report, investigation, etc.)
- If there are limitations to the information about uses, accesses or disclosures that can be automatically collected given today’s technologies, what are the top priorities for patients?
- If patients have a concern about possible inappropriate access to or disclosure of their health information, what options currently are available to address this concern? What options should be developed for addressing or alleviating that concern?
Goal 2: Gain a greater understanding of the capabilities of currently available, affordable technology that could be leveraged to provide patients with greater transparency re: use, access, or disclosure of PHI.
- What capabilities are currently used to enable transparency regarding (or to track or monitor) each use, access, or disclosure of PHI? To whom (and for what purpose) is this information communicated?
- If you currently do not track each user that accesses a record internally along with the purpose of that access, what would it take to add that capability from a technical, operational/workflow, and cost perspective? What would it take to add that capability for external disclosures?
- Is there is any “user role” or other vehicle that can be utilized to distinguish an access by in internal user from an external disclosure? Can it be determined, for example, that the user is a community physician who is not an employee of the healthcare organization (IDN or OHCA)? If not, what are the obstacles to adding this capability?
- Does the technology have the capability to track access, use, or disclosure by vendor employees, like systems’ administrators, (for example, who may need to occasionally access data in native mode to perform maintenance functions)? Do you currently deploy this capability and if so, how?
- Are there certain uses, access, or disclosures within a healthcare entity that do not raise privacy concerns with patients? What are these uses and disclosures? Can the technology distinguish between these others that might require transparency to patients?
- Do you have the capability to generate reports of access to, uses of, and disclosures from, a medical record?
- How frequently are the reports generated, and what do they look like?
- How granular are these reports? Are they detailed by aggregate data categories, individual type of data, or individual data element, or in some other way?
- Can they be generated automatically, or do you use manual processes?
- Do you integrate reports across multiple systems?
- What is the look-back period?
Goal 3: Gain a greater understanding of how record access transparency technologies are currently being deployed by health care providers, health plans, and their business associates (for example, HIEs).
- How do you respond today to patients who have questions or concerns about record use/access/disclosure? What types of tools/processes would help you improve your ability to meet patient needs for transparency regarding record use/access/disclosure? Have you ever received a request from a patient (or subscriber) that requested a list of every employee who had access to PHI?
- What types of record use/access/disclosure transparency or tracking technologies are you deploying now and how are you using them?
- For transparency, what do you currently provide to patients regarding use/access and disclosure, and do you see any need to change your current approach?
- Do you have any mechanisms by which patients can request limits on access? For example, if a patient had concerns about the possibility that a neighbor employed by the facility might access his/her record, is there a way for this to be flagged?
Goal 4: Gain a greater understanding of other issues raised as part of the initial proposed rule to implement HITECH changes.
- Regarding access reports, what information do you collect besides the basic information collected in an audit log?
- What would be involved in obtaining access information from business associates? Do current business associate agreements provide for timely reporting of accesses to you or would these agreements need to be renegotiated?
- What issues, if any, are raised by the NPRM requirement to disclose the names of individuals who have accessed/received copies of a patient’s PHI (either as part of a report of access/disclosures or in response to a question about whether a specific person has accessed)? What are the pros and cons of this approach?
- How do you think current mechanisms to allow patients to file a complaint and request an investigation regarding possible inappropriate uses or disclosures are working? Could they be enhanced and be used in lieu of, or in addition to receiving a report?
- Should entities be required to do such an investigation – if so, what should be the scope?
- Should entities still be required to produce a report if the patient wants one?
- What recourse does the patient have if he/she is not satisfied with the response?
- What options do entities have if patient’s transparency requests cannot be honored?