HIPAA Gone Wild: HHS HITECH Act Proposed Rule Calling for On Demand All Records of Everyone

Imagine a world where every time someone accessed a patients record from the billing clerk to physicians, nurses and pharmacists, that accessing that record was recorded.  Imagine a patient requesting the home addresses of everyone outside of the hospital who accessed the record.  And imagine the administrative burden that collecting all this information would put on the healthcare system.  That day may soon be coming.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provided for the establishment of national standards to protect the privacy and security of personal health information. The Administrative Simplification provisions of HIPAA apply to three types of entities, which are known as ‘‘covered entities:” 

• health care providers who conduct covered health care transactions electronically
• health plans, and
• health care clearinghouses

 Consequently, the Department of Health and Human Services (HHS) recently Proposed a Rule to change the reporting requirements of covered entities under HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). 

Comments are due by August 1, 2011 and can be submitted at Federal eRulemaking Portal: http://www.regulations.gov.  Be sure to identify comments with RIN 0991–AB62.  For more information, contact Andra Wicks at 202–205–2292. 

Background 

Pursuant to HIPAA, HHS promulgated the Standards for Privacy of Individually Identifiable Health Information, known as the ‘‘Privacy Rule,’’ on December 28, 2000 (amended on August 14, 2002). The Privacy Rule requires covered entities to make available to an individual upon request an accounting of certain disclosures of the individual’s protected health information made during the six years prior to the request. 

A disclosure is defined as ‘‘the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.’’ For each disclosure, the accounting must include: 

1. The date of the disclosure;
2. The name (and address, if known) of the entity or person who received the protected health information;
3. A brief description of the information disclosed; and
4. A brief statement of the purpose of the disclosure (or a copy of the written request for the disclosure).

 For multiple disclosures to the same person for the same purpose, the accounting is only required to include: 

1. For the first disclosure, a full accounting, with the elements described above;
2. The frequency, periodicity, or number of disclosures made during the accounting period; and
3. The date of the last such disclosure made during the accounting period.

 An accounting must include all disclosures of protected health information, except for disclosures: 

• To carry out treatment, payment and health care operations
• To individuals of protected health information about them
• Incident to a use or disclosure otherwise permitted;
• Pursuant to an authorization
• For the facility’s directory or to persons involved in the individual’s care or other notification purposes
• For national security or intelligence purposes;
• To correctional institutions or law enforcement officials
• As part of a limited data set; or
• That occurred prior to the compliance date for the covered entity

 The current accounting provision applies to disclosures of paper and electronic protected health information, regardless of whether such information is in a designated record set. While the obligation to provide an individual with an accounting of disclosures falls to the covered entity, the accounting must include disclosures to and by its business associates. Business associates are required, as a term of their business associate agreements, to make available the information required for the covered entity’s accounting

Changes Required by the HITECH Act

When the American Recovery and Reinvestment Act (ARRA) of 2009 was signed into law in 2009, it contained the HITECH Act.

HITECH provides that the Privacy Rule for disclosures to carry out treatment, payment, and health care operations no longer applies to disclosures ‘‘through an electronic health record (EHR).” An EHR is defined as ‘‘an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.’’

As a result, an individual now has a right to receive an accounting of disclosures to carry out treatment, payment, and health care operations made during the three years prior to the request. With respect to these kind of disclosures by business associates through an EHR, business associates must provide either an accounting of the business associates’ disclosures, or a list and contact information of all business associates (enabling the individual to contact each business associate for an accounting of the business associate’s disclosures).

The HITECH Act requires the Secretary of HHS to promulgate regulations governing what information is to be collected about these disclosures. The regulations ‘‘shall only require such information to be collected through an electronic health record in a manner that takes into account the interests of the individuals in learning the circumstances under which their protected health information is being disclosed and takes into account the administrative burden of accounting for such disclosures.’’ 

HITECH also requires the Secretary to adopt an initial set of standards, implementation specifications, and certification criteria for EHR technology. These standards, implementation specifications, and certification criteria are required to address the

‘‘[t]echnologies that as a part of a qualified electronic health record allow for an accounting of disclosures made by a [HIPAA covered entity] for purposes of treatment, payment, and health care operations (as such terms are defined for purposes of [the HIPAA regulations].’’ 

In an interim final rule published on January 13, 2010, the HHS Office of the

National Coordinator for Health Information Technology (ONC) adopted a standard and certification criterion to account for disclosures. The standard and certification criterion provide that certified EHR technology have the capability to record the date, time, patient identification, user identification, and a description of the disclosure, for disclosures made for treatment, payment, and health care operations. 

ONC published a final rule on July 28, 2010, which retained this standard but made the certification criterion optional. In the final rule, ONC discussed its rationale for retaining the standard for accounting for treatment, payment, and health care operations disclosures and making the related certification criterion optional. 

Accordingly, EHR technology is not required to have the capability to account for treatment, payment, and health care operations disclosures as a condition of certification for meaningful use Stage 1 under the Medicare and Medicaid EHR incentive payment programs. 

On May 3, 2010, HHS published a request for information (RFI) seeking further information on individuals’ interests in learning of disclosures, the burdens on covered entities in accounting for disclosures, and the capabilities of current technology. We received approximately 170 comments from numerous organizations representing health plans, health care providers, privacy advocates, and other non-covered entities. These comments are summarized in the proposed rule. 

The HITECH Act provides that the effective date of the new accounting requirement for HIPAA covered entities that have acquired an EHR after January 1, 2009, is January 1, 2011, or the date that it acquires an EHR, whichever is later. For covered entities that acquired EHRs prior to January 1, 2009, the effective date is January 1, 2014. The statute authorizes the Secretary to extend both of these compliance deadlines to no later than 2013 and 2016, respectively. 

Overview of Proposed Rule

 

The Proposed Rule will revise the Privacy Rule by dividing it into two separate rights for individuals: 

–       An individual’s right to an accounting of disclosures and

–       An individual’s right to an access report (which would include electronic access by both workforce members and persons outside the covered entity). 

The revisions to the right to an accounting of disclosures are based on HHS’s general authority under HIPAA. The right to an access report is based on the requirements of the HITECH Act. These two rights, to an accounting of disclosures and to an access report, would be distinct but complementary. 

Under OCR’s proposal, the right to an access report would provide individuals with information on who has accessed electronic protected health information in a designated record set (including access for purposes of treatment, payment, and health care operations).  This right to access would not distinguish between uses or disclosures, thus covering both internal (e.g., workforce members) and external (e.g., business associate) access. 

OCR also proposes that this new access report would identify the date and time of access, the name of the person who accessed the information (to the extent available), a description of the PHI (to the extent available) and the user’s action (i.e., “create”, “modify”, “access” or “delete”). Neither the purpose for access nor the ultimate recipient of the data if the information is further disclosed would have to be included in the report. 

The intent of the access report is to allow individuals to learn if specific persons have accessed their electronic designated record set information (it will not provide information about the purposes of the person’s access). 

The right to an accounting would provide additional information about the disclosure of designated record set information (whether hard-copy or electronic) to persons outside the covered entity and its business associates for certain purposes (e.g., law enforcement, judicial hearings, public health investigations). Designated record set is defined under HIPAA to include medical and billing records as well as any other record used by a covered entity to make decisions about an individual. 

The intent of the accounting of disclosures is to provide more detailed information (a ‘‘full accounting’’) for certain disclosures that are most likely to impact the individual. 

HHS believes the changes to the accounting requirements will provide information of value to individuals while placing a reasonable burden on covered entities and business associates. They also believe that the process of creating an access report will be a more automated process that provides valuable information to individuals with less burden to covered entities and business associates. HHS asserted that by limiting the access report to electronic access, the report will include information that a covered entity is already required to collect under the Security Rule. 

HHS stated that the proposal only attempts to shift the accounting provision from a manual process that generates limited information to a more automated process that produces more comprehensive information (since it includes all access to electronic designated record set information, whether such access qualifies as a use or disclosure). 

Discussion

OCR Director Georgina Verdugo asserted that the “proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information.”

However, the HHS Office of Civil Rights NPRM represents a tremendous shift in policy.  Under the new proposed rule, HIPAA Covered Entities and Business Associates would have to keep records about not only disclosures of, but also internal access to, certain health records.   

This means that a patient would have a new right to ask for and get an Access Report, which would provide the name of every individual inside the Covered Entity (doctors, nurses, billing staff, food service, radiology, pharmacy, etc.) who viewed their records.  For disclosures outside the Covered Entity, more information would have to be provided, including the address of individuals and organizations to whom the records were disclosed.

This new proposed rule goes far beyond what was required by the already problematic expansion of the Accounting of Disclosures required by HITECH.  Implementation costs seem enormous.  One midsized health system in the Denver area estimates that compliance to this regulation will cost them $250 million dollars.  Furthermore, even aside from the cost issues, there is a large concern about the very idea of releasing large numbers of medical employees’ names to patients. At a minimum, it is easy to foresee medical employees being subjected to hassles and intrusive, uncomfortable interactions if they are directly confronted by patients who were given their names but do not understand why they needed access to records.  At worst, the safety of medical staff is being put at personal risk if patients are angered by what they believe was inappropriate access.

Moreover, while the scope of the new rule applies to “Designated Record Sets,” which are a subset of Protected Heath Information, the NPRM uses some ambiguous phrases interchangeably, making the scope of the new requirements for Business Associates highly unclear.  As a result, Business Associate need to research the possible application of the new rule to its business carefully. 

Additionally, Kirk Nahra, a partner at the Washington law firm Wiley Rein, contends that this latest in a series of rules to carry out HITECH Act mandates is far less reasonable than previously released rules, including the breach notification rule.  He asserted that, the rule is “fundamentally inconsistent with the normally very reasonable approach regulators have taken with most of these rules.”

Further, he added that the latest rule’s access report provision is based on the faulty premise that most healthcare organizations already track every instance when patient information is accessed so they can comply with the HIPAA Security Rule. Nahra argued however, that the security rule does not explicitly mandate this approach because it does not provide details on the technology or methods that must be used to monitor access.  

In addition, he asserted that very few organizations do this level of access tracking, focusing instead on more practical strategies, such as conducting periodic checks to determine, for example, if unauthorized staff members are accessing records.  Accordingly, Nahra advised healthcare organizations to “get your comment letters going and point out all the problems” to make sure regulators are aware of how difficult it will be to comply.

Ultimately, OCR’s proposal position fails to appreciate the significant administrative burden that will result from having to take reports generated for internal purposes and produce them to the public.  “Although the Proposed Rule contains some provisions that would make compliance by covered entities and business associates easier, overall the Proposed Rule would impose significant additional administrative burdens on these entities through the requirement to provide access reports.”

Comments are due by August 1, 2011 and can be submitted at Federal eRulemaking Portal: http://www.regulations.gov.  Be sure to identify comments with RIN 0991–AB62.  For more information, contact Andra Wicks at 202–205–2292.