By Kevin Heubusch
The Office for Civil Rights proposed rule on the HITECH modifications to the HIPAA accounting of disclosure provision contains an interesting attempt to balance the mandates of the statute with the realities of today's accountings.
OCR was faced with the difficult task of expanding accounting of disclosures to include disclosures made for purposes of treatment, payment, and healthcare operations (TPO). The administrative burden of tracking disclosures in the current environment is high, and the interest from individuals in receiving accountings has been low.
OCR proposes a new "access report" that would be easier for covered entities to maintain and more likely to provide individuals with the information they want. The report would not distinguish between use and disclosure-something few if any current IT systems can do. Instead, it would identify anyone inside or outside the facility who accessed an individual's information.
The report would be restricted to protected health information contained within the individual's designated record set and existing in electronic format. The designated record set and access tracking-features of HIPAA-should be well-established within covered entities, OCR reasons.
Under the proposal, the modification regarding TPO would not apply to accountings of disclosure. It would apply only to the access report, which would serve to meet the HITECH requirement.
Take, for example, a staff member who logs into a claims system and discloses information to a payer. An access report would detail the name, date, and system accessed, but it would not be required to report the disclosure. The same event would not appear in an accounting of disclosure, because the disclosure was for purposes of payment.
The Access Report
The access report, in effect, answers the simple question "who?" It would show that John Smith accessed the individual's record, but it would not indicate that Smith is a clinical researcher, for example. It would not be required to indicate the purpose of Smith's access or any action that he took.
As proposed, the access report would include:
- Date and time of access
- Name of person accessing the record
The proposed rule is very clear that the report provide actual names. Although some organizations have expressed concern for the privacy and safety of their employees, OCR believes the value of the access report is in the individual's ability to know who has seen his or her protected information.
If the name of the individual is not available-as may be the case with access by a person outside the organization-the access report would include the name of the organization from which access was gained.
Covered entities would not be required to include a description of the information accessed or of the user's action unless their systems have the capability to record these. There is no requirement to alter existing systems that lack the ability.
The access report would cover a period dating back three years from the request, reflecting the reduction from six years that HITECH specified for accountings.
Covered entities would be required to respond to requests within 30 days (with one 30-day extension allowed), a reduction from 60 days under the current rule for accountings.
Individuals may specify whether access reports are limited to the covered entity or its business associates. Further, individuals have the right to limit their requests by date, time period, or person. OCR notes that it is to no one's advantage to collect and report three years of access data if the individual is only interested in access that occurred within a 30-day period.
The access reports must be made available in an electronic format such as a PDF. However, if possible, reports should be in a machine-readable format, such as a word-processing or spreadsheet file, which will aid the individual in searching the contents for specific names or dates.
Accounting of Disclosures
With a belief that the access report will provide much of the information that individuals are seeking, OCR makes relatively few changes to the accounting of disclosure provisions. However, some are significant.
Most notably, the rule would limit accountings to disclosures of protected health information contained in the designated record set. Accountings would continue to be made on information in both paper and electronic format.
The rule attempts to eliminate earlier confusion by specifying the disclosure types that must be reported, and it expands the list of those that are exempt. The rule details these changes.
The Coming Year
OCR will accept comment on the proposed rule until August 1, so the first step for covered entities is to review the rule, consider its impact, and comment.
Covered entities that purchased systems after January 1, 2009, would have until January 1, 2013, to comply with the final rule. Those that purchased systems before 2009 would have until January 1, 2014.
Preparing for the rule will require that covered entities identify all systems that contribute to their designated record sets. That inventory must include the date on which each system was purchased, since this determines when systems must be included in the report. In future years, any new systems will have to be evaluated for inclusion in reporting.
Organizations whose ancillary systems feed into the EHR or a hub will have an easier time generating a report, because they can report access through a single point. In more decentralized arrangements, where individuals can query individual systems, the report must track access to each system. Further, each of these systems must have the ability to record the name, date, and time of each individual who logs on.
Covered entities will require good lines of communication with their system vendors to determine how and when updates will be available. In some instances they may find that their current systems possess functionality to address new requirements that has not been implemented.
Comparing Access and Accounting The proposed access report and the full accounting of disclosure would show two views of the same event. Or, as in the second scenario below, they may not overlap at all. Example 1. A nurse accesses the EHR system, prints a record, and faxes it to a law enforcement agency. - The access report would indicate the nurse accessed the EHR system. It would not indicate why she was in the system; however, depending on the system capabilities, the report may show that she printed the information.
- The accounting of disclosure would include the disclosure to law enforcement. It would not detail the nurse's access, which involved internal use.
Example 2. A physician with staff privileges accesses the hospital EHR system and sends a record to a specialist for purpose of treatment. - The access report would show the physician's access to the EHR system. It would not indicate her purpose. However, depending the capability of the system, the report may show that the physician sent the information to a third party, and it may even identify the recipient.
- The accounting of disclosures would not include this event, because the disclosure is for purposes of treatment.
The following table summarizes the main differences. Information | Access Report | full
accounting | Name of recipient | Yes | Yes | Paper disclosures | No | Yes | Exact dates | Yes | No | Purpose | No | Yes | Treatment, payment,
and operations |
Yes
|
No
| Disclosures outside the DRS system |
No
|
Yes
| Machine-readable format | Yes | Optional | Source: Greene, Adam, and Dan Rode. "Proposed Regulations for Accounting of Disclosures Audio Seminar/Webinar." AHIMA. June 7, 2011. www.ahimastore.org. |
References
Department of Health and Human Services. "HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act." Federal Register 76, no. 104 (May 31, 2011): 31426–49.
Greene, Adam, and Dan Rode. "Proposed Regulations for Accounting of Disclosures Audio Seminar/Webinar." AHIMA. June 7, 2011. www.ahimastore.org.
Kevin Heubusch (kevin.heubusch@ahima.org) is editor-in-chief of the Journal of AHIMA.
Article citation:
Heubusch, Kevin.
"Access Report: OCR Tries Subtraction through Addition in Accounting of Disclosure Rule"
Journal of AHIMA
82, no.7
(July 2011):
38-39.
|