AHA calls on CMS to rethink HIPAA rule change
The American Hospital Association is the latest healthcare group to urge the Centers for Medicare and Medicaid Services to reconsider its accounting of disclosures rule, included in proposed changes to the HIPAA privacy rule under the HITECH Act.
In an Aug. 1 letter to Department of Health and Human Services Secretary Kathleen Sebelius, Rick Pollack, AHA executive vice president, says the rule fails to "appropriately balance the relevant privacy interests of individuals with the substantial burdens on covered entities, including hospitals."
The association urged HHS to withdraw the proposal and "reissue a request for information aimed at better reflecting the statutory requirements, the technological realities, and better alignment of the regulation's effectiveness with the compliance burdens."
While generally endorsing the rule's proposed accounting of disclosures revisions, AHA urged additional changes to ensure a proper balance of the value of the information to patients with the burdens to covered entities of producing it. AHA also urged HHS to retract the rule's preamble commentary about the HIPAA security rule in order to reflect longstanding department guidance.
Other groups calling on the government to reconsider the proposed new rule include the Medical Group Management Association and CHIME. MGMA is requesting that HHS engage with medical groups and other stakeholders to develop a consensus-driven solution before moving forward with the regulation.
“These reports, which would be required to show all electronic access to a patient’s health information for up to three years, could be hundreds or even thousands of pages long, making them extremely challenging for physician practices to produce and of little practical value to the patient receiving them,” said William F. Jessee, MD, president and CEO of MGMA.
The AHA also offered the following recommendations:
- While the AHA generally supports HHS’s efforts to implement changes to the existing accounting of disclosures requirements, we request that HHS clarify the discussion of designated record sets, adopt its proposed exclusions to the accounting requirement and maintain existing exclusions. We urge HHS to maintain a 60-day response requirement and limit an accounting to three years.
- Instead of moving forward to establish the new individual right to an access report, HHS should reissue a request for information aimed at better reflecting the statutory requirements, the technological realities, and better alignment of the regulation’s effectiveness with the compliance burdens.
- The AHA is concerned about the assumptions HHS makes regarding the HIPAA Security Rule in its preamble commentary and asks HHS to retract the preamble discussion in order to reflect longstanding department guidance.
- In the event HHS declines our request to abandon the access report, we urge HHS to adopt a number of changes, including extending the compliance date and removing the requirement to name employees. We also request that HHS reflect the statutory requirement that covered entities be permitted to direct individuals to a business associate. In addition, we ask that HHS make clear that a covered entity is not liable for unsecure transmissions requested by a patient. Finally, we request that HHS provide at least 60 days for the provision of an access report.