AHA, CHIME, other health orgs skeptical of HIPAA disclosure rule

By Anthony Brino
08:01 AM
Share

With patients being given more access to their health information in digital form comes new challenges for providers, like telling patients how their data is being used and to whom it’s being disclosed.

In tandem with the HHS Office of Civil Rights’ plans to finalize rules for accounting of disclosures as part of the HITECH Act, the Privacy and Security Tiger Team, a part of the Office of the National Coordinator’s Health IT Policy Committee, is taking a survey of the current landscape and crafting recommendations based on stakeholder input.

So far, there are some diverging views on the proposed rule, released in 2011, which would require providers to give patients a report detailing all internal access to their digital records as well as disclosures.

The American Hospital Association wrote that “the centerpiece” of the rule — a list of all access to patient records and an accounting of its use — “is misguided because it does not appropriately balance the relevant privacy interests of individuals with the substantial burdens on covered entities, including hospitals.”

The AHA is asking HHS to clarify designated record sets and adopt proposed exclusions, including data on child and adult abuse, neglect or domestic violence, most research and oversight of population health trends. The AHA is also asking that the accounting mandate be limited to information no more than three years old — something HHS is on board with. The proposed rule would revise a previous HIPAA provision and decrease the disclosure accounting window from six to three years.

[Related: Wait, could HIPAA disclosure rules actually cost providers more than ICD-10?]

The Confidentiality Coalition, a broad group of hospitals, teaching colleges, health plans, pharmaceutical companies, and electronic health records companies, largely echoed the AHA, but is even more skeptical of the need for rigorous disclosure rules, citing the potential for overburdening covered entities and an incentive to look for information for “frivolous lawsuits.”

“In general, we see little appropriate patient privacy interest in the details of these disclosures beyond information that already is received by patients or that can be accomplished through other existing means,” the coalition wrote in comments to the Tiger Team.

They’re suggesting that the new rule “should only be applied to disclosures that are ‘through’ an electronic health record.”

The College of Health Information Management Executives (CHIME) is concerned about variation in disclosure accounting and access reports. “Of chief concern to many CIOs is that all audit logs are not created equal. Despite having common data elements recorded across different solutions, there are few, if any, standard ways to generate reports,” CHIME wrote to the Tiger Team.

CHIME also wrote that patients requests for access and accounting of disclosures are very rare. “This is not to discount the right of patients to request information on how their personally identifiable health information is used, but merely to suggest that current processes, prescribed by HIPAA and conducted via notice of privacy practices, is sufficient. We do not believe there to be systemic abuse of PHI by the nation’s providers, therefore we do not believe that industry-wide regulations need to correct a problem that can be addressed under current policy.”

Other organizations and trade associations are asking for the rules to be scaled back as well. The National Association of Chain Drug Stores wrote that a mandate for pharmacies to provide patients with access reports “would impose enormous new burdens,” with costs that “would be staggering and nearly impossible to quantify with any reasonable certainty.”

[See also: To encrypt or not to encrypt -- is that the question?]

Most computer systems used by pharmacies “are not designed to track access at the individual record level; they do not capture the data elements suggested,” the association wrote.

Meanwhile, there is pressure from patient advocacy groups to maintain many of the standards within the proposed rules, as representatives from American Federation for the Blind, Patient Privacy Rights and Consumer Action called for at a recent Tiger Team hearing.

In reponse to provider concerns about time and cost burdens and a lack of software for easy accounting and disclsoure, the group Patient Privacy Rights is suggesting the government and industry focus on automating accounting of disclsoures by "piggybacking" on existing intitiatives like Direct messaging and the Blue Button.

"A market-based transition to the Triple Aim requires informed patients and competition for new patient-facing services," the group wrote to the Tiger Team. "The essential first step for informing patients is AOD. It must be done in a way that actually engages patients through independent decision support, independent risk assessment and independent audit of all personal data uses." 
 
Still a ways out from issuing recommendations to finalize the rules, the Tiger Team’s members are collecting perspectives on patients’ interests, and provider, vendor and insurer capabilities currently available for tracking the life of PHI, and comments are open through October 25.
 
See also: