The Most Challenging Compliance Issue You Never Heard Of: The "Access Report"

By Karen Sealander and Jennifer S. Geetter

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act created the Medicare and Medicaid electronic health record (EHR) incentive program, commonly known as the “Meaningful Use” program.  Included within HITECH is an often overlooked provision that seeks to dramatically expand the current HIPAA Privacy Rule framework for sharing information with individuals about disclosures of their protected health information (PHI).  Although more than four years have passed since enactment of HITECH, the regulations promulgating this expansion of “accounting of disclosures” requirements to newly include routine disclosures for treatment, payment and healthcare operations have not yet been finalized.  The delay underscores the difficulty in crafting regulations that are both technologically feasible and responsive to demonstrated patient interest.  To aid in the process, the U.S. Department of Health and Human Services (HHS) just this week announced a virtual hearing and an opportunity for public input on the stalled “accounting of disclosures” proposed rulemaking.  Information about the hearing, including links to the agenda, the discussion questions and instructions about public participation, is set forth under “Next Steps” below. 

Proposed Rule Creates New Patient Right to a Comprehensive List of Access to their Electronic Health Record

Prior to HITECH, accounting of disclosures requirements for covered entities and business associates were limited to accounting of certain non-routine disclosures of PHI.  The most common disclosures, those related to treatment, payment and healthcare operations, were specifically excluded from the requirement.  The 2009 amendments to HIPAA, however, reversed course and require that covered entities and business associates be prepared to provide an accounting of disclosures of PHI for up to three years for treatment, payment and healthcare operations, if the covered entity uses electronic health record technologies.  Thus, at the same time that HITECH seeks to incentivize the rapid adoption of EHR technologies, it also presents a significant, albeit under the radar, cost to doing so in that it significantly expands the record-keeping requirements on covered entities and their business associates. Importantly, however, the statute specifically mandates that any regulations implementing this expansion of accounting of disclosures must take into account "the interests of the individuals in learning the circumstances under which their protected health information is being disclosed and takes into account the administrative burden of accounting for such disclosures." In other words, the statute includes a mandatory balancing test as part of the rulemaking process.

The HHS Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM or Proposed Rule) to implement this statutory change in May 2011.  The Proposed Rule makes targeted modifications to accounting of disclosures for non-routine disclosures and creates a new patient right to an “access report.”  Specifically, the Proposed Rule would give patients a new right to request a list of everyone who has accessed their electronic protected health information in a “designated record set” (DRS) for treatment, payment and healthcare operations for up to three years preceding the request.  In essence, the access report is a comprehensive list of uses and disclosures of an individual’s electronic PHI maintained in a designated record set.  This “access report” must provide the following information about each access to the record:

  • date of access
  • time of access
  • name of the natural person, if available, otherwise the name of the entity accessing the electronic DRS
  • a description of what information was accessed, if available
  • a description of the action taken by the user, if available (e.g., create, modify, access or delete)

The access report does not need to specify the purpose of the use or disclosure because OCR determined that “the burden on covered entities and business associates in identifying the purpose of each access to electronic designated record set information significantly outweighs the benefit to individuals of learning of such information.”  (76 Fed. Reg. 31439)  Not surprisingly, the Proposed Rule seeking to implement the statutory requirement to account for disclosures for treatment, payment and healthcare operations met with considerable concern and resistance. 
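To make the field list concrete, here is an added illustration, not part of the original post or of any vendor's product, of how audit-log entries from several designated-record-set systems could be merged into an access report of the shape the Proposed Rule describes: a three-year lookback from the request date, the natural person where logged and otherwise the entity, "if available" fallbacks for the description and action, and no purpose field. The log schema, system names and sample entries are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# One audit-log entry from a system that is part of a patient's designated
# record set (DRS). Field names are hypothetical, not any vendor's schema.
@dataclass(frozen=True)
class AuditEntry:
    system: str                  # DRS system that logged the access
    patient_id: str
    accessed_at: datetime        # timezone-aware
    entity: str                  # organization accessing; always recorded
    user_name: Optional[str]     # natural person, when the system logs one
    data_description: Optional[str]
    action: Optional[str]        # as logged by the system; may be None

LOOKBACK_YEARS = 3
REPORTABLE_ACTIONS = {"create", "modify", "access", "delete"}
NOT_AVAILABLE = "not available"

def window_start(request_time: datetime) -> datetime:
    """Earliest access the report must cover: three years before the request."""
    try:
        return request_time.replace(year=request_time.year - LOOKBACK_YEARS)
    except ValueError:  # request dated 29 February; no such day three years earlier
        return request_time.replace(year=request_time.year - LOOKBACK_YEARS, day=28)

def build_access_report(entries, patient_id, request_time):
    """Merge audit entries from every DRS system into one chronological report.

    Each row carries the fields the Proposed Rule lists; the purpose of the
    access is deliberately absent because the NPRM does not require it.
    """
    start = window_start(request_time)
    rows = []
    for e in entries:
        if e.patient_id != patient_id or not (start <= e.accessed_at <= request_time):
            continue
        rows.append({
            "date": e.accessed_at.date().isoformat(),
            "time": e.accessed_at.time().isoformat(timespec="minutes"),
            # natural person if available, otherwise the accessing entity
            "who": e.user_name or e.entity,
            "what": e.data_description or NOT_AVAILABLE,
            # only the four verbs the rule names are reported as actions
            "action": e.action if e.action in REPORTABLE_ACTIONS else NOT_AVAILABLE,
            "system": e.system,  # source system, so the patient can tell records apart
        })
    rows.sort(key=lambda r: (r["date"], r["time"], r["system"]))
    return rows

def render(rows):
    """Plain-text lines a patient can read."""
    return [f"{r['date']} {r['time']}  {r['who']:<22}{r['action']:<14}{r['what']}  [{r['system']}]"
            for r in rows]

UTC = timezone.utc
REQUEST_TIME = datetime(2013, 9, 27, 12, 0, tzinfo=UTC)

# Constructed sample log, not real data: two DRS systems, two patients.
SAMPLE_ENTRIES = [
    AuditEntry("ehr", "P001", datetime(2013, 9, 20, 8, 15, tzinfo=UTC),
               "Example Hospital", "Dr. Example", "medication list", "modify"),
    AuditEntry("billing", "P001", datetime(2012, 3, 1, 14, 2, tzinfo=UTC),
               "Example Health Plan", None, "claim detail", "access"),
    AuditEntry("ehr", "P001", datetime(2011, 11, 11, 11, 11, tzinfo=UTC),
               "Example Hospital", "Records Clerk", None, "print"),
    AuditEntry("ehr", "P001", datetime(2010, 1, 5, 9, 30, tzinfo=UTC),
               "Example Hospital", "Dr. Example", "problem list", "access"),  # outside window
    AuditEntry("ehr", "P002", datetime(2013, 5, 2, 10, 0, tzinfo=UTC),
               "Example Hospital", "Dr. Example", "lab results", "access"),   # other patient
]

if __name__ == "__main__":
    for line in render(build_access_report(SAMPLE_ENTRIES, "P001", REQUEST_TIME)):
        print(line)
```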

Provider, Payer and Vendor Response to the Proposed Accounting of Disclosures (AOD) Rule

Much of the concern about the approach put forth in the Proposed Rule revolves around anticipated costs to the covered entity community in light of existing technology.  For example, in comments filed in response to the Proposed Rule, the American Academy of Family Physicians, the American Medical Association and 18 other physician associations describe the proposed access report requirements as “costly and overly burdensome to implement and difficult to achieve by physician practices and their business associates.”  The American Hospital Association (AHA) notes the “heavy administrative burdens involved in producing individualized, patient-friendly accounting of disclosures and the new required reports on electronic access.”  The AHA further finds that the proposed rule is “premised on a significant misunderstanding of the capabilities of technologies available to and used by covered entities to produce the relevant information that they must report” and “fundamentally misjudges the value of the particular information that must be reported under the proposed rule for individuals who seek to understand how their PHI is used and disclosed.”  America’s Health Insurance Plans calls the compliance cost to health plans “staggering,” and reports that 30% of plans that responded to a member survey expect costs to range between $10M and $50M, while 7% of plans reported it would cost between $50M and $100M.  HIMSS, whose members represent the majority of installed EHRs, urged OCR to “rethink and consider withdrawal of the access report proposal entirely, which appears to us to be unworkable on many levels.” 

What’s at Stake

If the May 2011 Proposed Rule is finalized as proposed, then HIPAA covered entities and their business associates must develop the capacity to produce, upon request, a patient-understandable report aggregating information about access to a patient’s electronic PHI for treatment, payment and healthcare operations for up to a three-year period in all of the information systems that comprise a designated record set.

Next Steps

On Monday, September 30, 2013, the Privacy and Security Tiger Team, a workgroup of the Health Information Technology Policy Committee that advises the HHS Office of the National Coordinator (ONC) for Health Information Technology, will hold a virtual hearing on issues related to this rulemaking, including “realistic ways to provide patients with greater transparency about the uses and disclosures of their digital identifiable health information.”  Invited witnesses representing patient advocates, vendors, business associates, providers and payers will testify, and public comment is being accepted during the virtual hearing for 15 minutes from 4:45 pm – 5:00 pm (EDT).  The public may also respond in writing to posted questions.

This presents an important opportunity for interested stakeholders to provide input to OCR and ONC with respect to the technological feasibility of the expanded accounting requirements, the extent and nature of expressed patient interest in different types of historical use and disclosure information, and anticipated costs, burdens and benefits relevant to the balancing test.  The four years that have passed since the legislation and the two years that have passed since the Proposed Rule may suggest the acute difficulty of navigating the interplay of protecting privacy, identifying material patient interests in understanding different types of uses and disclosures, assessing existing technological tools and predicting the next generation of IT platforms, and designing a report that informs but does not overwhelm, and may signal that no regulation immediately presents itself that successfully meets the patient benefit/provider burden balancing test.

Health Care Reform: An Implementation Checklist for Hospitals

In the months since the Patient Protection and Affordable Care Act (PPACA) was enacted, organizations have been inundated with law and consulting firm client advisories, articles and seminars—all focused on summarizing the new health care reform law.  But to what extent have those articles and seminars provided a clear plan of action and said clearly, "Do this"?

This checklist provides that action plan and will help hospital and health system executives make sense of the new health care reform law, and translate it into specific action steps for their institution.

The checklist provides hospital and health system executive leadership with concise implementation recommendations to address each of the key themes of the health care reform law including:

  • fraud and abuse enforcement
  • insurance reforms
  • reimbursement
  • employment matters
  • tax-exempt status
  • information technology
  • corporate governance
  • strategic alliances

The checklist is intended to serve as a “yardstick” by which hospital and health system executives can measure their progress in responding to health system reform changes.

HHS Proposes Definition of Meaningful Use of Certified Electronic Health Record Technology

The Facts 

On January 13, 2010, the U.S. Department of Health and Human Services (HHS) proposed requirements for hospitals, physicians and other eligible providers to earn incentives for the adoption and “meaningful use” of “certified electronic health record (EHR) technology.”  Incentives in the form of enhanced Medicare and Medicaid reimbursement are received by demonstrating meaningful use of certified EHR technology.  The incentives start in 2011, but become penalties by 2015 through reduced reimbursements for those who do not achieve meaningful use.  This initial set of standards is intended to begin to define “a common language to ensure accurate and secure health information exchange across different EHR systems.”  Certified EHR technology can be either a “complete EHR or a combination of EHR modules” to enable providers to adapt to innovations in a rapidly evolving industry while ensuring access to a wide array of technology options, from vendor-based products, to homegrown technology, to hosted services on a subscription basis, to open source products.  For more information, see McDermott Will & Emery’s White Paper “HHS Establishes the Initial Pathway for Qualifying for HITECH Act Incentives Dollars for Meaningful Use of Certified Electronic Health Record Technology.”

What’s at Stake

Eligible hospitals and professionals may receive incentive payments for achieving, and may avoid penalties for failing to achieve, meaningful use of certified EHR technology.  Some hospitals and doctors have already expressed concern about the all-or-nothing structure of the proposed rule, which requires providers to meet 23 criteria at once or fail to qualify at all.  Vendors of EHR systems or EHR modules must ensure their products have the features and functionality to be certified and to enable meaningful use, although the certifying bodies have yet to be certified.

Steps to Consider

Providers, vendors of health information technology and other interested parties should consider submitting comments to HHS prior to the March 15, 2010, deadline.  

In selecting an EHR, ensure that the EHR product by itself or combined with other EHR modules will achieve, or be modified by the vendor to achieve, certification.  Assess interoperability of modules.  Consider contractual commitments covering interoperability, certification and meaningful use. 

Vendors should develop a road map or work-around to ensure that products will be certified and that they will enable meaningful use.  Vendors should be ready to address customer demand for assurances.   

Penalties for HIPAA Violations Increase Significantly

The Facts

On October 30, 2009, the U.S. Department of Health and Human Services issued an Interim Final Rule (the Rule) to amend the existing administrative simplification enforcement regulations adopted pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  The Rule implements amendments to HIPAA made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009. Prior to enactment of the HITECH Act, covered entities under HIPAA (health care providers that conduct certain transactions in electronic form, health plans and health care clearinghouses) were subject to HIPAA civil money penalties of up to $100 per violation, with an annual cap of $25,000 for identical violations within a calendar year. The Rule preserves this structure for violations occurring prior to February 18, 2009. Violations occurring on or after February 18, 2009 are subject to a new penalty scheme, which ranges from a minimum per-offense penalty of $100 to $50,000, depending on the level of culpability. The Rule also increases the annual cap for identical violations from $25,000 to $1.5 million, and alters the available affirmative defenses to a HIPAA enforcement action. Business associates are directly subject to the new enforcement scheme beginning February 17, 2010. HIPAA’s criminal penalties remain unchanged.

What’s at Stake

The new HIPAA civil money penalties scheme that will be enforced under the Rule substantially increases the potential penalties for HIPAA violations by covered entities occurring on or after February 18, 2009. Business associates will be directly subject to HIPAA, including the new enforcement scheme, for the first time beginning February 17, 2010. Prior to February 17, 2010, business associates are only subject to HIPAA requirements through contracts with covered entities.

Steps to Consider

Covered entities and business associates should review their current HIPAA compliance policies and procedures to ensure they are meeting amended requirements.  Business associates that previously lacked HIPAA privacy and security policies and procedures should implement policies and train their work force. McDermott has prepared HIPAA privacy policies and forms for covered entities and business associates.

Security Breach Notifications

The Facts

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) includes significant investment in health information technology to facilitate the adoption of a U.S.-wide health information network and requires HIPAA covered entities, business associates, vendors of personal health records and related entities to notify individuals when their personal health information is subject to a breach of security.  The U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) recently issued rules relating to these security breach notification requirements.  Compliance with these regulations will require the expenditure of significant time and expense, and, therefore, health care and related industries should begin immediately familiarizing themselves with the rulemakings and updating their processes and procedures to comply accordingly. 

What’s at Stake

HIPAA covered entities, business associates, vendors of personal health records and related entities could be subject to penalties for not properly notifying patients or customers, as applicable, of security breaches involving the patients’ or customers’ individually identifiable health information.  Note that while the HHS rule is effective September 23, 2009, HHS will delay enforcement for six months.  This means that HHS will not impose sanctions for failure to provide the required notification for breaches discovered before February 22, 2010.  Similarly, while the FTC rule is effective September 24, 2009, the FTC will delay enforcement for six months.  This means that the FTC will not impose sanctions for failure to provide the required notification for breaches discovered before February 22, 2010.

Steps to Consider

  • If your organization is a HIPAA covered entity, business associate, vendor of personal health records or related entity, review the HHS and FTC regulations. 
  • Affected entities should immediately begin to develop a compliance plan, because the effective date of the HHS rule is September 23, 2009, and the effective date of the FTC rule is September 24, 2009.
  • Consider filing comments on the HHS rule on or before the October 23, 2009, deadline. 
  • For a summary of these regulations, review McDermott’s White Paper entitled “Regulatory Update: HITECH’s HHS and FTC Security Breach Notification Requirements.”

Continuing Developments in Defining "Meaningful Use"

The Facts

The Office of the National Coordinator for Health Information Technology’s HIT Policy Committee has taken another important step towards defining “meaningful use” under the American Recovery and Reinvestment Act of 2009 (ARRA). Hospitals and eligible providers must meet the requirements for “meaningful use” of certified electronic health records (EHRs) in order to qualify for Medicare incentive payments under ARRA. Recently, the HIT Policy Committee approved revised recommendations for an initial definition of “meaningful use.” These recommendations are outlined in a lengthy matrix, which sets forth measures for meeting specified objectives for each of the years 2011, 2013 and 2015:

  • Goal for 2011 objectives – Capacity to electronically capture in coded format and report health information, and use that information to track key clinical conditions
  • Goal for 2013 objectives – Ability to guide and support care processes and care coordination
  • Goal for 2015 objectives – Capability to achieve and improve performance and support care processes and key health system outcomes

The HIT Policy Committee also recommended that the incentives be paid according to an “adoption year” timeframe rather than a calendar year timeframe. Accordingly, the objectives and measures for the year 2011 would apply to an organization’s first adoption year, if an organization is not ready for incentive payments until after 2011. The U.S. Department of Health and Human Services (HHS) will use the recommendations to develop regulations to implement the incentive payments under ARRA. 

What’s at Stake

Hospitals and eligible providers that meet the requirements of “meaningful use” of certified EHRs will be eligible for Medicare incentive payments beginning in 2011. Medicare payments may be reduced to hospitals and providers that do not meet the requirements for “meaningful use” of certified EHRs by 2015.

Steps to Consider

Evaluate how the 2011 Objectives and Measures in the Meaningful Use Matrix may require changes in the operations of your organization, anticipating that some form of the objectives and measures may ultimately be included in the regulations promulgated by HHS. Monitor regulatory actions by HHS regarding the definition of “meaningful use” and Medicare incentive payments under ARRA.

HIT Policy Committee Announces Proposed "Meaningful Use" Definition

The Facts

The American Recovery and Reinvestment Act authorizes the Centers for Medicare & Medicaid Services (CMS) to provide incentives to certain physicians and hospitals who achieve “meaningful use” of a certified electronic health record (EHR) system.

The act established the Health Information Technology (HIT) Policy Committee, which issued a draft definition of “meaningful use” at its June 16, 2009, meeting.  The committee recommended a progressive definition, where “meaningful use” is ultimately linked to achieving measurable outcomes in patient engagement, care coordination and population health.  The 2011 objectives are intended to establish a foundation for affecting a more comprehensive set of health outcomes in the future.  By 2015, the objectives are to achieve and improve performance and support care processes.  A matrix including the full proposed definition of “meaningful use” is available at

The committee has asked a workgroup of the committee to submit a new set of recommendations for “meaningful use” at the committee’s July meeting.  The committee is currently accepting comments regarding the proposed draft, but it is not clear whether it will offer a comment period after the revised draft.  The committee’s recommendations are non-binding, but will provide guidance to CMS, which will ultimately establish the definition for “meaningful use.”

What’s at Stake

Beginning in 2011, those physicians and hospitals who can demonstrate “meaningful use” of a certified EHR system will receive incentive payments through additional Medicare reimbursement.  Beginning in 2015, those who have not achieved “meaningful use” will be subject to certain downward adjustments in their Medicare reimbursement rates.

Steps to Consider

  • Consider submitting comments to the Department of Health and Human Services (HHS) on the draft definition of “meaningful use.”  Comments are due by 5 pm Eastern time, June 26, 2009.
  • If your organization does not have an EHR system, consider options for EHR technology that fit within your organization’s structure and that will assist you in capturing data to meet evolving “meaningful use” requirements.
  • If your organization already has an EHR, examine the systems and consider internal and external steps necessary to implement flexibility in capturing data required for an evolving definition of “meaningful use.”
  • Obtain contractual commitments from EHR system vendors to assist you in achieving “meaningful use.”

Guest Commentary: Defining "Meaningful Use" Under the HITECH Act

Guest commentary from Susan Reynolds, M.D., Ph.D., president and CEO of the Institute for Medical Leadership, and Jay Volk, president of

The concept of interoperability is part of the definition of “meaningful use.”  Therefore, many hospitals and physicians that want to position themselves for the Medicare incentives are asking whether EHR systems will “talk” to each other, i.e., what standards will be set by the administration so that these information systems are easily integrated, and when those standards will be set.

The administration should carefully consider its ultimate goals when developing the standard for “meaningful use.”  If the administration’s goal is to get technology in the hands of doctors, it should consider writing rules that define meaningful use very liberally.  If the goal of the administration is return on investment, it should consider writing rules that define meaningful use with measurable goals.  A liberal standard may mean more practitioners buying, but not ultimately using EHRs as effectively as they could be used.  A stricter standard may mean fewer practitioners purchasing EHRs, but those practitioners will make the commitment to use them and likely see the metric benefits of EHR use.  Of course, the devil in the details of “meaningful use” is usability.  Vendors will need to respond to the new federal regulations to make their systems user-friendly for physicians and hospitals.

Susan Reynolds, M.D., Ph.D., can be contacted at or +1 800 361 5321. Jay Volk can be contacted at or +1 440 827 2020.

Defining "Meaningful Use" Under the HITECH Act

The Facts

The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, includes Medicare incentives for adoption and meaningful use of certified electronic health record (EHR) technology.  To be eligible for incentive payments, hospitals and physicians must use EHRs in a meaningful manner, exchange electronic health information to improve the quality of care, and report on clinical quality and other measures.  Additional guidance regarding these parameters is expected from the U.S. Department of Health and Human Services through the regulatory process.  The Health Information and Management Systems Society has published recommendations regarding the definition of “meaningful use”: 

  • Recognize Certification Commission for Healthcare Information Technology (CCHIT) as the certifying body of EHRs.
  • Adopt metrics that can be reasonably captured and reported beginning in 2011.  These metrics should then become increasingly stringent every two or more years to achieve incremental maturation of “meaningful use.”
  • Coordinate with Health Information Technology Standards Panel and Integrating the Healthcare Enterprise to publish implementation guides and standards for output of EHR data to bridge existing gaps in interoperability of health information.
  • Collaborate with CCHIT to fairly evaluate hospitals and physicians that use “best of breed” systems from multiple vendors or open source technologies.

What’s at Stake

Hospitals and physicians that meet the requirements of “meaningful use” of certified EHRs will be eligible for Medicare incentive payments beginning in 2011.  Medicare payments may be reduced to hospitals and physicians that do not meet the requirements for “meaningful use” of certified EHRs by 2015. 

Steps to Consider

  • If your organization is considering acquiring an EHR system, seek counsel on the legal requirements of “meaningful use” (including interoperability) and anticipate the timeframe for your organization to meet these requirements before the eligibility dates. 
  • Obtain a contractual commitment from the vendor that the system will permit usage in accordance with the federal definition of “meaningful use.”
  • Conduct due diligence on and obtain contractual commitments from your vendor to make sure it is certified and can meet the requirements of certification panels.
  • When selecting an EHR system, obtain stakeholder endorsements to support system success.