The Most Challenging Compliance Issue You Never Heard Of: The "Access Report"

By Karen Sealander and Jennifer S. Geetter

In 2009, the Health Information Technology for Clinical and Economic Health (HITECH) Act created the Medicare and Medicaid electronic health record (EHR) incentive program, commonly known as the “Meaningful Use” program.  Included within HITECH is an often overlooked provision that seeks to dramatically expand the current HIPAA Privacy Rule framework for sharing information with individuals about disclosures of their protected health information (PHI).  Although more than four years have passed since enactment of HITECH, the regulations promulgating this expansion of “accounting of disclosures” requirements to newly include routine disclosures for treatment, payment and healthcare operations have not yet been finalized.  The delay underscores the difficulty in crafting regulations that are both technologically feasible and respond to demonstrated patient interest.  To aid in the process, the U.S. Department of Health and Human Services (HHS) just this week announced a virtual hearing and an opportunity for public input on the stalled “accounting of disclosures” proposed rulemaking.  Information about the hearing, including links to the agenda, the discussion questions and instructions about public participation are set forth under “Next Steps” below. 

Proposed Rule Creates New Patient Right to a Comprehensive List of Access to their Electronic Health Record

Prior to HITECH, accounting of disclosures requirements for covered entities and business associates were limited to accounting of certain non-routine disclosures of PHI.  The most common disclosures, those related to treatment, payment and healthcare operations, were specifically excluded from the requirement.  The 2009 amendments to HIPAA, however, reversed course and require that covered entities and business associates be prepared to provide an accounting of disclosures of PHI for up to three years for treatment, payment and healthcare operations, if the covered entity uses electronic health record technologies.  Thus, at the same time that HITECH seeks to incentivize the rapid adoption of EHR technologies, it also presents a significant, albeit under the radar, cost to doing so in that it significantly expands the record-keeping requirements on covered entities and their business associates. Importantly, however, the statute specifically mandates that any regulations implementing this expansion of accounting of disclosures must take into account "the interests of the individuals in learning the circumstances under which their protected health information is being disclosed and takes into account the administrative burden of accounting for such disclosures." In other words, the statute includes a mandatory balancing test as part of the rulemaking process.

The HHS Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM or Proposed Rule) to implement this statutory change in May 2011.  The Proposed Rule makes targeted modifications to accounting of disclosures for non-routine disclosures and creates a new patient right to an “access report.”  Specifically, the Proposed Rule would give patients a new right to request a list of everyone who has accessed their electronic protected health information in a “designated record set” (DRS) for treatment, payment and healthcare operations for up to three years preceding the request.  In essence, the access report is a comprehensive list of uses and disclosures of an individual’s electronic PHI maintained in a designated record set.  This “access report” must provide the following information about each access to the record: date of access; time of access; name of the natural person, if available, otherwise the name of the entity accessing the electronic DRS; a description of what information was accessed, if available; and a description of the action taken by the user, if available (e.g., create, modify, access or delete).  The access report does not need to specify the purpose of the use or disclosure because OCR determined that “the burden on covered entities and business associates in identifying the purpose of each access to electronic designated record set information significantly outweighs the benefit to individuals of learning of such information.”  (76 Fed. Reg. 31439)  Not surprisingly, the Proposed Rule seeking to implement the statutory requirement to account for disclosures for treatment, payment and healthcare operations met with considerable concern and resistance.
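To make the field list concrete, here is an added illustration (not OCR's or any vendor's code) of how a covered entity might assemble access-report rows from system audit logs: entries for one patient from every system in the designated record set are merged, limited to the three-year window preceding the request, and reduced to the five fields the Proposed Rule names, with the natural person's name used when available and the entity name otherwise. The pipe-separated log format, the action codes and the sample entries are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample audit entries from two systems that together form a
# designated record set. Pipe-separated fields (an assumed format):
# timestamp | system | natural person (may be empty) | entity | patient id |
# data element accessed (may be empty) | action code
SAMPLE_AUDIT_LOG = [
    "2013-09-12T14:03:22|ehr|Dr. A. Example|Example Clinic|P001|progress note|R",
    "2013-09-12T14:05:10|ehr|Dr. A. Example|Example Clinic|P001|medication list|U",
    "2012-02-01T09:00:00|billing||Example Health Plan|P001||R",
    "2009-05-20T11:30:00|ehr|Nurse B. Example|Example Clinic|P001|vitals|C",
    "2013-09-12T14:04:00|ehr|Dr. A. Example|Example Clinic|P002|progress note|R",
]

# Assumed action codes, mapped to the four actions the Proposed Rule names.
ACTION_DESCRIPTIONS = {"C": "create", "U": "modify", "R": "access", "D": "delete"}

LOOKBACK = timedelta(days=3 * 365)  # "up to three years preceding the request"


def parse_entry(line):
    """Split one pipe-separated audit line into a dict."""
    ts, system, user, entity, patient, element, action = line.split("|")
    return {"when": datetime.fromisoformat(ts), "system": system, "user": user,
            "entity": entity, "patient": patient, "element": element, "action": action}


def build_access_report(log_lines, patient_id, request_date_iso):
    """Return access-report rows for one patient, newest first, keeping only
    entries inside the three-year window that ends on the request date."""
    request_date = datetime.fromisoformat(request_date_iso)
    start = request_date - LOOKBACK
    rows = []
    for entry in map(parse_entry, log_lines):
        if entry["patient"] != patient_id or not start <= entry["when"] <= request_date:
            continue
        rows.append({
            "date": entry["when"].date().isoformat(),
            "time": entry["when"].time().isoformat(),
            # Name of the natural person if available, otherwise the entity.
            "name": entry["user"] or entry["entity"],
            # The two description fields are required only "if available".
            "information": entry["element"] or "not available",
            "action": ACTION_DESCRIPTIONS.get(entry["action"], "not available"),
        })
    rows.sort(key=lambda r: (r["date"], r["time"]), reverse=True)
    return rows
```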

Provider, Payer and Vendor Response to the Proposed AOD Rule

Much of the concern about the approach put forth in the Proposed Rule revolves around anticipated costs to the covered entity community in light of existing technology.  For example, in comments filed in response to the Proposed Rule, the American Academy of Family Physicians, the American Medical Association and 18 other physician associations describe the proposed access report requirements as “costly and overly burdensome to implement and difficult to achieve by physician practices and their business associates.”  The American Hospital Association (AHA) notes the “heavy administrative burdens involved in producing individualized, patient-friendly accounting of disclosures and the new required reports on electronic access.”  The AHA further finds that the proposed rule is “premised on a significant misunderstanding of the capabilities of technologies available to and used by covered entities to produce the relevant information that they must report” and “fundamentally misjudges the value of the particular information that must be reported under the proposed rule for individuals who seek to understand how their PHI is used and disclosed.”  America’s Health Insurance Plans calls the compliance cost to health plans “staggering,” and reports that 30% of plans that responded to a member survey expect costs to range between $10M and $50M, while 7% of plans reported it would cost between $50M and $100M.  HIMSS, whose members represent the majority of installed EHRs, urged OCR to “rethink and consider withdrawal of the access report proposal entirely, which appears to us to be unworkable on many levels.”

What’s at Stake

If the May 2011 Proposed Rule is finalized as proposed, then HIPAA covered entities and their business associates must develop the capacity to produce, upon request, a patient-understandable report aggregating information about access to a patient’s electronic PHI for treatment, payment and healthcare operations for up to a three-year period in all of the information systems that comprise a designated record set.

Next Steps

On Monday, September 30, 2013, the Privacy and Security Tiger Team, a workgroup of the Health Information Technology Policy Committee that advises the HHS Office of the National Coordinator (ONC) for Health Information Technology, will hold a virtual hearing on issues related to this rulemaking, including “realistic ways to provide patients with greater transparency about the uses and disclosures of their digital identifiable health information.”  Invited witnesses representing patient advocates, vendors, business associates, providers and payers will testify, and public comment will be accepted during the virtual hearing for 15 minutes, from 4:45 pm to 5:00 pm (EDT).  The public may also respond in writing to posted questions; the questions and instructions for posting responses are available from ONC.

This presents an important opportunity for interested stakeholders to provide input to OCR and ONC with respect to the technological feasibility of the expanded accounting requirements, the extent and nature of expressed patient interest in different types of historical use and disclosure information, and the anticipated costs, burdens and benefits relevant to the balancing test.  The four years that have passed since the legislation and the two years that have passed since the Proposed Rule suggest the acute difficulty of navigating the interplay of protecting privacy, identifying material patient interests in understanding different types of uses and disclosures, assessing existing technological tools while predicting the next generation of IT platforms, and designing a report that informs but does not overwhelm.  That delay may also signal that no regulation immediately presents itself that successfully meets the patient benefit/provider burden balancing test.