The HITECH Act requires HHS to revise the HIPAA Privacy Rule to remove the exclusion for Accounting of Disclosures for treatment, payment and health care operations to the extent that the disclosures are made through an EHR. In addition, it requires HHS to determine what information is to be collected and then included in these disclosures. In 2010 HHS published a Request For Information (RFI) to seek comments on individual’s interests in learning of disclosures, the burdens on Covered Entities in accounting for these disclosures and the capabilities of current technologies to facilitate disclosures. The resulting proposed rule is an attempt by HHS to balance the individual’s privacy rights against the burdens on Covered Entities. HHS is accepting comments on this proposed rule up until August 1, 2011.
At a high level, it appears that the proposed rule primarily does two things:
- Provides individuals a right to request a new "Access Report" that lists who has accessed their PHI in an electronic designated record set (which is basically medical records, billing records, or other electronic information that is used for payment or treatment decisions) for any purpose including for treatment, payment and health care operations. The proposed rule limits the information in an Access Report to content which is already required by the Privacy Rule to be collected. The assumption is that limiting content in this manner will enable a more automated process by which Covered Entities could produce an Access Report and that this would therefore ease their burden.
- Makes changes to "streamline" the Privacy Rule's current Accounting of Disclosures provision, such as limiting the types of disclosures that must be accounted for. As with the Access Report, HHS showed consideration to the burden placed on Covered Entities by making a number of changes to the individual's existing right to an Accounting of Disclosures that would make it easier for Covered Entities to comply with the requirements.
Despite these positive changes, the proposed rule significantly underestimates the burden on small physician practices. Although I agree that these changes do, in general, ease some of the burden on Covered Entities, it is primarily the large healthcare systems that will be able to leverage these changes to their advantage. I do not believe that these changes sufficiently ease the excessive burden on providers in small practices who do not have the resources to leverage the changes to their advantage.
HHS uses the assumption that limiting content in the Access Report to that which is already required to be collected [i.e. in an EHR] will enable a more automated report and therefore ease the burden on Covered Entities when an individual requests a report. This assumption is misleading because it assumes that all Covered Entities have the resources necessary to produce a report that meets all the requirements. According to the proposed rule, the Access Report must meet certain specifications as defined in the rule, must consolidate content from multiple systems if they exist, must allow individuals to limit their requests to specific time periods or persons, and must be made available in an electronic format as requested by the individual if possible. Although the information in the Access Report is limited to content already required to be collected, EHR vendor products are not required to provide an automated process to produce an electronic report that meets the proposed rule’s requirements. Therefore, it will not typically be a simple automated process to produce the report. Instead, the Covered Entities will have to produce the report through a manual process in which some technical skills are needed to design and configure the report to meet the proposed rule’s specifications, to consolidate content from multiple systems, to customize the report to meet requested limitations and/or to re-format the report.
For example, programming skills will be needed to create an Access Report from a typical EHR that produces an automated audit log that only shows the User’s ID when a record is accessed, but not the individual’s name as required for the Access Report. In that case the report must be re-configured to map the actual name of the individual in place of the recorded User ID. As we know, when one change is made in an electronic report, other changes may be needed to accommodate the change. In this example, mapping content from the NAME field to the USER ID field might also require the report writer to increase a character limit in the USER ID field so as to not cut off long names. This second change could cause the report to extend beyond the set margins of the report’s design, therefore requiring the report writer to change the design of the report. A small practice will not typically have someone with the expertise to program such a report and will therefore have to hire an IT consultant.
Covered Entities must utilize the time and effort people who have the needed technical skills to meet the proposed rule’s reporting requirements. The difference between small practices and large providers is the availability of technical expertise to do this manual work. Most large healthcare systems and some large physician practices have an IT Department or employ IT personnel who have the expertise and skills needed to design, configure and format reports. For large entities, the Access Report does not create a significant new burden because they already have the expertise to produce their reports. But very few small physician practices have the resources necessary to do this. So in order to produce an Access Report, a small practice will have to hire outside resources to design, configure and format the reports at variable costs. The actual cost will be dependent on the complexity of each report and the IT consultant’s hourly rates ($100-$250/hour). As the proposed rule is currently written, a small practice will typically have to hire external resources, at their own expense, to write the report and then be required to provide the report at no cost to the requesting individual.
As acknowledged in the proposed rule, the Accounting of Disclosure is recognized by HHS to be more complex and will require a “manual, expensive, and time consuming process for Covered Entities and Business Associates.” One purpose of the new Access Report is to be an alternative to Accounting of Disclosures in order to mitigate this known burden of disclosures. Nevertheless, the Access Reports will still require “manual” work that involves technical skills and will be a significant burden on small practices. Also, since the Accounting of Disclosure reports are more complex they will require more manual work and technical skill than Access Reports. The burden of disclosures on small practices will therefore be much greater than for large systems that already employ the technical expertise to design, configure and format the reports.
- The proposed rule requires small practices to provide requesting individuals with a new Access Report which places excessive burden on small practices at an unreasonable cost. The burden of producing an Access Report should be on the vendor’s EHR product and not on the physician. The proposed rule should be modified to require small practices to provide the system’s automated audit log, as configured by the vendor, if available, from any of their systems that store PHI. The burden should be placed on the vendors to configure their products to produce automated reports that meet the specifications and requirements. If a small practice has to hire IT consultants to design and configure or modify an Access Report, they should be allowed to charge the individual for the actual costs incurred.
- This proposed rule also requires small practices to provide requesting individuals with an Accounting of Disclosure which also places excessive burden on small practices at an unreasonable cost. The burden of producing Disclosure reports should be on the vendor’s EHR product and not on the physician. The burden should be placed on the vendors to configure their products to produce automated reports that meet the specifications and requirements. If a small practice has to hire IT consultants to design and configure or modify an Accounting of Disclosure report, they should be allowed to charge the individual for the actual costs incurred.