HIPAA Regulatory Alert

Proposed rule allows patients to see details of health record access

Begin analysis of your facility's ability to meet requirements now

Compliance and regulatory officers have until Aug. 1 to comment on a proposed rule that includes a new accounting of disclosures provision that gives individuals the right to receive a report on who has electronically accessed their protected health information (PHI).

Although healthcare organizations have been required to maintain an audit trail of access to PHI since the implementation of the HIPAA Privacy Rule, and institutions have always been required to provide a report upon request, the proposed rule will be a challenge for some, according to experts interviewed by HIPAA Regulatory Alert.

"Under the existing privacy rule, an individual has a right to an accounting of disclosures of PHI made by a covered entity, and the accounting must be provided to an individual within 60 days of a request," explains Gina M. Cavalier, Esq., Partner, Reed Smith in Washington, DC. The proposed rule suggests several changes to the existing rule, including shortening the timeframe for response to a request for an accounting of disclosures from 60 days to 30 days, Cavalier says. "This shortened time-frame may pose challenges, depending on the hospital's current systems for tracking disclosures," she says.

The proposed rule also adds the right to an access report that enables individuals to learn if specific people have accessed their electronic personal health information. "In effect, OCR [The Office of Civil Rights] bifurcated the existing right to an accounting and created two separate rights: accounting and access report," says Cavalier. The right to an access report implements the HITECH Act's mandate that covered entities account for disclosures, including disclosures made for treatment, payment, and healthcare operations, of PHI made though an electronic health record, she says. "The proposed rule has a broader reach and includes uses in addition to disclosures of PHI in a designated record set, not only an electronic health record," she explains. "Moreover, the report must include a description of who has accessed this PHI for treatment, payment, healthcare operations purposes, as well as any other reason."

"Hospitals already have audit trails in place to identify access to a patient's designated record set, but this capability may only apply to the primary system," says Kate Borten, CISSP, CISM, president of The Marblehead Group, a privacy and information security consulting firm in Marblehead, MA. "Some feeder systems, such as a lab or registration system, may not be able to provide the audit trails now needed," Borten adds.

Software that identifies users who access patient records is used by many hospitals to produce access audit trails and identify "snoopers," but the proposed rule will require hospitals to produce a report for patients that provides specific information.

Another issue for many hospitals will be related to business associates, Cavalier says. "With respect to both accounting and access reports, covered entities [CEs] must be able to quickly obtain relevant information from their business associates," she says. "The logistics associated with coordinating numerous business associates may pose challenges."

Prepare now

Even though the rule is not yet final, Borten suggests that hospital compliance officers start now to prepare.

"Go through the proposed rule carefully, and evaluate your organization's ability to meet the proposed requirements," she suggests. "Put a plan together to address the technological adjustments and process changes that you will need to make."

After the plan is put together, wait for the final rule, she suggests. Re-evaluate your plan to make adjustments that reflect changes between the proposed and the final rules, and then begin implementation, she says.

At this time, the proposed rule sets Jan. 1, 2013, as the date on which individuals have the right to request an access report from organizations that acquired electronic designated record sets after Jan.1, 2009. Organizations that had acquired electronic designated record sets as of Jan. 1, 2009, have until Jan. 1, 2014, to implement processes to provide the access reports.

Also, start talking to your business associates now, recommends Borten. Because the proposed rule refers specifically to designated record sets, carefully review your business associate relationships to identify which business associates have all or part of the information covered by the proposed rule. Work with those associates to make sure they are aware of the proposal for changes related to disclosure accounting and access reports, Borten suggests. "Don't necessarily make the technological changes at this time, but make sure everyone involved has inventoried their capabilities and identified how they will make changes to comply once the rule is final," she adds.

While you are analyzing your compliance readiness, be sure to talk with your information technology vendors as well, suggests Borten. Be sure they are ready to implement changes once the final rule is published, she adds. "There will be time to implement updates and changes, but no one should wait until the final rule to make plans," Borten says.

There already is pushback from some healthcare organizations with complaints that meeting the requirements are too difficult or too burdensome, admits Borten. Even though OCR states in the proposed rule that the access report must include "information that a covered entity is already required to collect under the security rule," the requirements will present a challenge for hospitals that might not be in full compliance with the rule at this time, she says. The rule requires covered entities to record and examine activity in information systems and to regularly review the activity related to information access.

"There has been a disconnect between the security rule regulations and the interpretation of the rule," Borten says. "The rule is often interpreted loosely, and the access log technology often doesn't extend to departmental or feeder systems, such as lab systems."

At this time there are no official government resources available to help compliance officers prepare, but there should be once the rule is finalized, says Cavalier. "However, the OCR, which enforces the Privacy and Security Rules, periodically posts training materials, answers to FAQs, and other resources on its web site," which is located at http://www.hhs.gov/ohr, she points out. "In addition, covered entities may submit comments on the proposed rule, which may include questions or requests for clarifications," she adds.

Borten says that even with the policy updates and potential technology changes some organizations will need to implement, "I think access reports are a good thing." If employees know there is a record of access of PHI and that an individual can request the report, there might be fewer cases of internal snooping, she points out.

"Be sure to remind your employees and anyone who may have access to electronic PHI that there is an audit trail that shows access," Borten says.

Sources/Resource

• Kate Borten, CISSP, CISM, President, The Marblehead Group, One Martin Terrace, Marblehead, MA 01945. Telephone: (781) 639-0532. E-mail: kborten@marbleheadgroup.com.

• Gina M. Cavalier, Esq., Partner, Reed Smith, 1301 K St. NW, Suite 1100, East Tower, Washington, DC 20005. E-mail: gcavalier@reedsmith.com.

To see a copy of the proposed rule and to see information on how to submit comments, go to www.gpo.gov/fdsys. On the right-side navigational bar under "Featured Collections," select "Federal Register." Select "2011," and choose "May 31." Scroll down to "Health and Human Services" and under "Proposed Rules," select "HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act." Comments about the proposed rule must be submitted by Aug. 1, 2011.