May 18, 2010
Georgina Verdugo
Director
Office for Civil Rights
United States Department of Health and Human Services
RE: HIPAA Privacy Rule Accounting of Disclosures Under the Health Information
Technology for Economic and Clinical Health Act; Request for Information (RIN
0991-AB62)
Dear Ms. Verdugo:
The undersigned organizations are members of the Consumer Partnership for e-Health (CPeH),
a coalition of consumer, patient, and labor organizations working on both the national and local
levels that, since 2005, has served as a strong and diverse consumer voice advocating for
patient-centered policies related to health information technology (HIT). We submit these
comments in response to the request for information (RFI) on the implementation of the
modifications to the HIPAA Privacy Rule’s Accounting of Disclosures provisions required by Title
XIII, Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA).
We believe the accounting of disclosure provisions play a critical role in providing individuals
with greater transparency about uses and disclosures of their personal health information.
Survey data show that the public supports movement to electronic health records (EHRs),
health information exchanges (HIEs) and personal health records (PHRs). However, the data
also reflect significant public concerns about the privacy and security of personal health
information online, as well as a recognition that the Federal Government has a role in protecting
privacy.1 As we move forward with initiatives to increase the adoption and meaningful use of
health information technology (health IT), it is critical to provide greater protection for health
information to maintain public trust.
In making modifications to the current HIPAA rule on accounting of disclosures, Congress
clearly recognized the ability of EHRs to provide individuals with greater transparency about
uses and disclosures of their health data than is possible with paper records. Implementation of
these new provisions, as well as others in ARRA, creates opportunities for the US Department
of Health and Human Services (HHS) to harness the power of technology to better protect
health information privacy. Our comments below to some of the questions asked in the RFI are
intended to help HHS maximize this opportunity for patients and health care providers. (We did
not address those questions directed at covered entities that have experience in implementing
the current accounting of disclosures provisions.)

1 See summaries of Markle public opinion surveys at the following URL:
http://www.connectingforhealth.org/resources/surveys.html
In summary, we recommend that HHS:
• Focus on what is likely to be most important to individuals.
• Allow covered entities with EHRs to initially use audit trails to satisfy an individual’s
request for an accounting.
• Phase in requirements for additional information to be included in the accounting, such
as the purpose of the disclosure and the recipient of the information.
Questions
1. What are the benefits to the individual of an accounting of disclosures,
particularly of disclosures made for treatment, payment, and health care
operations purposes?
Transparency
Providing individuals with transparency about the uses and disclosures of their
identifiable health information is a key component of fair information practices and the
Nationwide Privacy and Security Framework for Electronic Exchange of Individually
Identifiable Health Information.2 The practice provides a deterrent to inappropriate
access, helps in the detection of fraud, and—when combined with other privacy-protective practices of a comprehensive framework—supports public trust.
The HIPAA Privacy Rule includes several provisions designed to provide greater
transparency for patients:
• The right of patients to receive notice of permitted uses of their health
information and their rights with respect to that information;
• The requirement on covered entities to obtain express patient authorization
for certain uses and disclosures; and
• The right of patients to obtain, upon request, a detailed accounting of certain
disclosures.
Under the current HIPAA Privacy Rule, the right to receive an accounting is limited to
only certain non-routine disclosures; however, the accounting must include a fair
amount of detail for each disclosure and cover a period of six years prior to the request.
Individuals can also look to covered entities to provide them with an accounting of such
disclosures made by business associates of the covered entities.
Congress recognized the ability of electronic record systems to automatically detect and
record access to a patient’s electronic health information and directed HHS to make
improvements to the accounting of disclosure provisions. Now, routine disclosures for
treatment, payment, and health care operations must be included in an accounting. In
addition, HHS’ Office of the National Coordinator for Health Information Technology
(ONC) issued draft certification criteria for EHRs that included provisions to enable
greater transparency with respect to record access:
(1) technical requirements to enable EHRs to automatically record information
that could be used to provide an accounting of disclosures,3 and
(2) technical requirements that enable EHRs to record and generate an audit trail
of all access to an EHR.
These provisions together provide the technical building blocks for individuals to receive
greater transparency of uses and disclosures of their health information.

2 It is also a key component of the Markle Foundation’s multi-stakeholder Connecting for Health Initiative’s
Common Framework, see www.connectingforhealth.org.
Requiring the use of audit trails and the enhanced accounting provisions combine to
provide more effective tools for detecting potential breaches of health information. Early
detection through audit trail use and monitoring, bolstered by individuals’ viewing audit
trails or an accounting when they suspect inappropriate use of their information,
provides health care providers and institutions with important information about
weaknesses in their privacy and security policies and practices.
Accountability
The current HIPAA Privacy Rule requires covered entities to provide individuals with an
accounting only upon request. In ARRA, Congress retained this as a right that
individuals exercise at their discretion. Consequently, most individuals will seek an
accounting only when they have a need to know who has accessed their record, such
as if they suspect inappropriate access. It is important to structure the new accounting
provisions in a way that most directly responds to this need.
At a minimum, individuals need to know who has accessed information in their record,
when such access occurs, and what was done with that information, per the audit trail
requirements in the proposed certification criteria. Providing individuals with information
about the purpose of the disclosure is also of critical importance to increasing
transparency and understanding about the legitimate uses of health information.
Therefore this should also be required information, once the electronic systems used by
providers are routinely able to collect it. Providing this information in an accounting
serves two critical purposes:
1. Helping consumers determine whether their personal health information was
disclosed inappropriately and
2. Providing information necessary to hold individuals and institutions
accountable in the event of an inappropriate disclosure.
Provisions on accounting of disclosure are just one tool under HIPAA for improving
patient privacy and security. They are not the sole solution for improving transparency
for patients. Nor should they be viewed as the sole mechanism for ensuring
accountability. In developing an accounting rule that leverages the functionalities of
EHRs, is effective for patients, and does not unreasonably burden providers—HHS
should focus on what accounting can add to a comprehensive framework of protections
that promote greater transparency and accountability.

3 ARRA § 13405(c).
2. Are individuals aware of their current right to receive an accounting of
disclosures? On what do you base this assessment?
To the best of our knowledge, there is no objective, nationally representative
assessment of the levels of public awareness regarding the right to receive an
accounting of disclosures of personal health information. In practice, providers report
that individuals rarely request an accounting of disclosures under current rules. This low
utilization rate is likely due to individuals not being aware of the right to receive an
accounting.4
We caution HHS not to base policy on anecdotal reports of low rates of individuals
exercising their rights to an accounting of disclosures, as survey data indicates strong
interest by the public in reviewing who has had access to their health information.
Markle Foundation surveys indicate that the public strongly supports the concept of
being able to see who has had access to personal health information. For example, 90
percent of respondents in a 2008 survey said that the ability to review who has had
access to their information would be one factor in their decision to use a PHR, with 53
percent calling this practice “essential.”5 In a 2005 survey on health information
exchange, 81 percent called it an absolute or high priority policy.6
As noted above, survey data also indicate a high degree of concern by individuals about
the privacy of their health information. HHS should assume that in an environment of
greater use of EHRs and electronic health information exchange, patients may take
advantage of the opportunity to learn more about who has accessed their records.
4 Research has demonstrated that HIPAA privacy notices are often difficult to read and understand. See
Mark Hochhauser, Readability of HIPAA Privacy Notices, pp. 5-6, March 12, 2003,
http://benefitslink.com/articles/hipaareadability.pdf; Mark Hochhauser, Why Patients Won’t Understand
Their HIPAA Privacy Notices, April 10, 2003, http://www.privacyrights.org/ar/HIPAA-Readability.htm; and
Marie Pollio, The Inadequacy of HIPAA’s Privacy Rule: The Plain Language Notice of Privacy Practices
and Patient Understanding, 60 N.Y.U. Ann. Surv. Am. L. 579 (2005),
http://www1.law.nyu.edu/pubs/annualsurvey/documents/60%20N.Y.U.%20Ann.%20Surv.%20Am.%20L.
%20579%20(2005).pdf.
5 Markle Foundation, "Americans Overwhelmingly Believe Electronic Personal Health Records Could
Improve Their Health" June 2008, http://www.connectingforhealth.org/resources/ResearchBrief200806.pdf
6 http://www.markle.org/news/press_releases/2005/press_release_10112005.php.

5. With respect to treatment, payment, and health care operations disclosures, 45
CFR 170.210(e) currently provides the standard that an electronic health record
system record the date, time, patient identification, user identification, and a
description of the disclosure. In response to its interim final rule, the Office of the
National Coordinator for Health Information Technology received comments on
this standard and the corresponding certification criterion suggesting that the
standard also include to whom a disclosure was made (i.e., recipient) and the
reason or purpose for the disclosure.
Should an accounting for treatment, payment, and health care operations
disclosures include these or other elements and, if so, why?
How important is it to individuals to know the specific purpose of a disclosure—
i.e., would it be sufficient to describe the purpose generally (e.g., “for
treatment,” “for payment,” or “for health care operations purposes”), or is more
detail necessary for the accounting to be of value?
To what extent are individuals familiar with the different activities that may
constitute “health care operations?” On what do you base this assessment?
As noted above, patients who request an accounting will most likely be doing so
because they suspect that someone has inappropriately accessed their record;
therefore, it is essential that the disclosure information they receive include the
information they need to determine whether their information has been used
inappropriately. Knowing who received the disclosed information and for what purpose is vital to being able
to make these determinations, especially given the fact that at the current time the
general public has limited knowledge and understanding of the legitimate ways in which
their health information is used. Providing some degree of specificity regarding purpose
of disclosure, as opposed to simply stating “treatment,” “payment,” or “operations,”
would also be advisable, given this general lack of understanding. Providing more
detailed description of operations activities would be particularly important, given that
there is even less understanding about this particular purpose. Increased transparency
about how personal health information is used in provider operations would go a long
way toward building trust.
Ideally patients would be able to see an accounting not just of external disclosures, but
also instances of internal access to the record. Such comprehensive accounting is
necessary to provide adequate accountability for inappropriate access and disclosures
of information. The increasing number of reports of employee “snooping” and
inappropriate use of information7 serves to erode consumer trust, even as consumers readily
understand and want the benefits HIT can bring to the quality of their health care.
In making decisions about how to meet patients’ needs for information about the
disclosures of their health information, HHS should focus on information that is likely to
be most relevant to patients, as well as what is possible to be automatically generated
today. This will pave the way for additional useful information to be automatically
generated about EHR access and disclosure in the future. Audit trails typically produce
a record of all access to a patient’s record and are therefore a great starting place for
meeting patients’ needs. Additionally, audit trails can be automatically generated by
EHRs that will be adopted by providers in Stage 1 of meaningful use, a critical feature
that will minimize provider burden.

7 Hospital: Radiologist used other employees’ passwords,
http://blogs.hcpro.com/hipaa/2010/03/hospital-radiologist-used-other-employeespasswords/; accessed 5/17/10.
As noted above, HHS has already issued two proposed certification criteria that are
relevant to updating the current accounting rule: specifically, those for an audit trail and
those specifically designed to address the ARRA accounting provisions.
HHS should consider deeming an electronic audit trail of all access to the EHR to satisfy
the accounting of disclosures requirement. Patients requesting an accounting would be
provided with a copy of the audit trail of their record, which, based on the proposed
certification criteria, includes the following information: the date, time, patient
identification (name or number), and user identification (name or number), which is
recorded when electronic health information is created, modified, deleted, or printed,
and an indication of which action(s) occurred.
This is likely to satisfy the needs of many patients in seeking an accounting, who are
looking for unexpected or “suspicious” activity in the record. Auditing all record access
goes beyond an accounting of just disclosures, but the likelihood that EHRs will possess
audit trail functionality in time for Stage 1 of meaningful use and the requirement of audit
trail standards under the voluntary Certification Commission for Health IT Standards for
ambulatory and inpatient EHRs makes this an attractive initial approach. Allowing
covered entities to use an audit trail to respond to individual requests for an accounting
under the new ARRA provisions leverages technology that is currently available and
takes an initial step toward creating greater transparency with respect to uses and
disclosures of health information.
We recognize that such audit logs will be difficult for individuals to comprehend,
particularly if they are from larger provider organizations or institutions where the record
access on a routine basis could be quite extensive. To address this, covered entities
could choose to filter the audit log so that it just includes “disclosures,” or entities could
sit down with the patient to answer any questions.
It is likely that patients will have additional questions after viewing their audit logs. The
ability of an audit log to provide additional information, such as the purpose of the
access or disclosure or a brief description, would alleviate the burden on covered
entities to make staff available to explain the audit log to the patient. However, it may
not be feasible for many EHRs today to generate an audit trail or an accounting that
automatically includes purpose or a description of each access or disclosure. Such a
requirement should be phased in over time, to allow the technology to develop this
capability. HHS should also consider providing incentives or otherwise encouraging
vendors to release new EHRs (or upgrades) that allow users to select from a list of
common disclosure purposes or that otherwise allow for the disclosure purpose to be
logged without the need to manually input text. An increase in patients seeking a copy
of the audit trail could stimulate demand for greater functionality to serve the needs of
both covered entities and patients.
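The audit-trail-based accounting described above can be shown in working code. The following is an added example, not code from the letter, from HHS, or from any EHR product: it takes audit-trail entries carrying the elements named in the proposed certification criteria (date and time, patient identification, user identification, the action taken) plus the two phase-in elements the letter asks for (recipient and purpose), and produces a patient-facing accounting that can be filtered to disclosures only, as the letter suggests. The field names, the action vocabulary, and the sample log are assumptions constructed for the example; a missing purpose or recipient is reported as "not recorded" rather than dropped, so the patient can see exactly which accesses still need an explanation.

```python
"""Produce a patient-facing accounting from EHR audit-trail entries.

Added example; it is not code from the CPeH letter or from any EHR product.
Field names (timestamp, patient_id, user_id, action, recipient, purpose) are
assumptions modelled on the audit-trail elements the letter lists; the
sample log below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumption: actions that move information outside the covered entity count as
# disclosures; everything else (create/read/update/delete/print) is internal access.
DISCLOSURE_ACTIONS = {"disclose", "transmit"}


@dataclass(frozen=True)
class AuditEntry:
    timestamp: datetime
    patient_id: str
    user_id: str
    action: str
    recipient: Optional[str] = None   # phase-in element: to whom the disclosure went
    purpose: Optional[str] = None     # phase-in element: why the access happened


# Constructed sample log: two patients, one external disclosure, two accesses
# whose purpose the system never captured.
SAMPLE_LOG = [
    AuditEntry(datetime(2010, 4, 1, 9, 5), "P-1001", "dr.lee", "read", purpose="treatment: clinic visit"),
    AuditEntry(datetime(2010, 4, 1, 9, 7), "P-1001", "dr.lee", "update", purpose="treatment: clinic visit"),
    AuditEntry(datetime(2010, 4, 2, 14, 30), "P-1001", "billing.svc", "disclose",
               recipient="Example Health Plan", purpose="payment: claim submission"),
    AuditEntry(datetime(2010, 4, 3, 11, 0), "P-2002", "dr.lee", "read", purpose="treatment: consult"),
    AuditEntry(datetime(2010, 4, 5, 22, 48), "P-1001", "rad.tech7", "read"),   # purpose not captured
    AuditEntry(datetime(2010, 4, 6, 8, 15), "P-1001", "him.clerk", "print"),   # purpose not captured
]


def accounting_for(log, patient_id, disclosures_only=False, since=None):
    """Return accounting rows for one patient, oldest first.

    Each row carries the certification-criterion elements (date/time, user,
    action) plus recipient and purpose when the system recorded them. A missing
    element is reported as 'not recorded' rather than omitted, so the patient
    can see which accesses still lack an explanation.
    """
    rows = []
    for e in sorted(log, key=lambda x: x.timestamp):
        if e.patient_id != patient_id:
            continue
        if since is not None and e.timestamp < since:
            continue
        is_disclosure = e.action in DISCLOSURE_ACTIONS
        if disclosures_only and not is_disclosure:
            continue
        rows.append({
            "when": e.timestamp.isoformat(sep=" "),
            "user": e.user_id,
            "action": e.action,
            "kind": "disclosure" if is_disclosure else "internal access",
            "recipient": e.recipient or ("not recorded" if is_disclosure else "n/a"),
            "purpose": e.purpose or "not recorded",
        })
    return rows


def users_without_purpose(rows):
    """Users whose access carries no recorded purpose: the entries a patient
    (or a privacy officer) would most want explained."""
    return sorted({r["user"] for r in rows if r["purpose"] == "not recorded"})


def render(rows):
    """Plain-text accounting a covered entity could hand to the patient."""
    header = f"{'date/time':19}  {'user':12}  {'action':8}  {'kind':15}  recipient / purpose"
    lines = [header, "-" * len(header)]
    for r in rows:
        lines.append(f"{r['when']:19}  {r['user']:12}  {r['action']:8}  {r['kind']:15}  "
                     f"{r['recipient']} / {r['purpose']}")
    return "\n".join(lines)


if __name__ == "__main__":
    full = accounting_for(SAMPLE_LOG, "P-1001")
    print(render(full))
    print("\nAccesses needing explanation:", users_without_purpose(full))
    print("\nDisclosures only:")
    print(render(accounting_for(SAMPLE_LOG, "P-1001", disclosures_only=True)))
```

The full accounting lists every access to the record, which is what the letter proposes as the initial response to a request; `disclosures_only=True` is the filtered view the letter says entities could choose to give instead. The `users_without_purpose` summary is where the phase-in matters: until the EHR captures purpose automatically, those are the entries a staff member would have to explain in person.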
It is critical to consider what can be automatically generated by EHRs that exist today,
as well as what is possible in the coming years. Providers should not be required to
manually input additional information in the course of using the EHR in order to ensure
that additional information is in the accounting. HHS should capitalize on what can be
automatically generated today, and provide incentives for vendors to develop greater
accounting functionality over time.
6. For existing electronic health record systems:
(e) Is there a single, centralized electronic health record system? Or is it a
decentralized system (e.g., different departments maintain different electronic
health record systems and an accounting of disclosures for treatment, payment,
and health care operations would need to be tracked for each system)?
Since the purpose of the ARRA revisions to the accounting rule was to increase the
scope of disclosures and not necessarily to give individuals access to records that they
do not have the right to access today, HHS should consider clarifying the definition to
make it clear that the accounting addresses only those portions of the record that
individuals have the right to access under C.F.R. 164.524. Patients will want an
accounting of access to and disclosures from the clinical portions of the EHR, and HHS
should clarify that the definition of EHR does not extend to portions of an entity’s
electronic recordkeeping systems that do not involve patient clinical data.
To the extent that the clinical EHR is decentralized, allowing entities to use an audit trail
to respond to patient accounting requests should help entities comply, as all parts of the
entity’s overall EHR system should have audit trail functionality.
7. The HITECH Act provides that a covered entity that has acquired an electronic
health record after January 1, 2009 must comply with the new accounting
requirement beginning January 1, 2011 (or anytime after that date when it
acquires an electronic health record), unless we extend this compliance deadline
to no later than 2013.
Will covered entities be able to begin accounting for disclosures through an
electronic health record to carry out treatment, payment, and health care
operations by January 1, 2011? If not, how much time would it take vendors of
electronic health record systems to design and implement such a feature?
Once such a feature is available, how much time would it take for a covered entity
to install an updated electronic health record system with this feature?
If covered entities are permitted to use an audit trail to respond to patient requests for
an accounting, there is no reason why compliance could not begin by January 1, 2011,
because EHRs are required to have this functionality for Stage 1 of meaningful use,
and EHRs certified voluntarily by CCHIT already have this capability. HHS should stage
requirements for an accounting to include additional information such as the recipients
of and purpose for any disclosures based on developing EHR capabilities.
9. Is there any other information that would be helpful to the Department
regarding accounting for disclosures through an electronic health record to carry
out treatment, payment, and health care operations?
Compliance by HIPAA Business Associates
Under ARRA, business associates are required to comply with the privacy provisions
that apply to covered entities;8 thus, the new accounting requirements are made
applicable to business associates. Covered entities are required to provide an
accounting of disclosures made by business associates. In the alternative, they can
provide individuals with a list of their business associates, and the individuals can then
contact those business associates to receive an accounting.
We acknowledge that business associates now have independent obligations to comply
with the HIPAA privacy and security rules. But placing the burden on patients to seek
data directly from business associates is an inefficient (and largely ineffective) way to
achieve greater transparency about uses and disclosures of health information.
Instead, we suggest that covered entities have the primary obligation to produce an
accounting of access to and disclosures from their EHR system. If the patient needs
more information about a particular access or disclosure that involves a business
associate, the covered entity can contact the particular business associate for further
information (which is consistent with how the breach notification rules treat the
obligation to notify the patient in the case of inappropriate record access), or, less
optimally, provide information to help the patient make the request directly from the
relevant business associate(s). This is much more effective than giving the patient a list
of all of the entity’s business associates and requiring the patient to go on a fishing
expedition to find his or her data.
We note that the ARRA accounting rule modifications apply to covered entities using
EHRs and their business associates. This does not require that a business associate
be using an “EHR” in order to be covered by the rule, but the new accounting provisions
in ARRA should apply to those business associates using electronic systems that have
(or should have) audit trail or other access tracking functionality. Such functionality
should be required for business associates keeping electronic records.
ARRA also makes clear that entities like Health Information Exchanges and Regional
Health Information Organizations (collectively, HIEs) will be business associates, and
thus have some obligations for complying with the new accounting provisions.9 How
HIEs comply with these new obligations should depend on how they are structured. For
example, a federated exchange that merely facilitates the exchange of information by
EHRs may not be able to easily account for disclosures of an individual patient’s
information (although the edge systems should be fully accountable for accounting for
disclosures through the network). However, HIEs that operate database or even hybrid
federated/database models may face no more challenges to accounting for disclosures
than a large provider using an EHR.

8 ARRA Section 13404(a).
9 ARRA Section 13408.
Costs of Compliance
We have heard from covered entities that they estimate compliance with the ARRA
accounting modifications could cost millions (an estimate from one health care system
submitted to OMB was approximately $250 million over three years) [Intermountain].
We assume that such calculations are based on applying the provisions of the current
accounting rule, which requires that patients be provided with a fair degree of detail for
a smaller scope of disclosures, to disclosures for treatment, payment and operations
from an EHR.
However, if HHS leverages existing EHR capabilities – such as the audit trail
functionality – and expands the amount of information provided to patients using these
automated functions over a period of time, there is less reason to believe that this will
impose significantly greater costs on covered entities. If HHS focuses on what can be
automatically generated, even small providers should easily be able to comply with the
expanded accounting provisions.
Cost to Individuals
Under existing accounting of disclosure provisions, individuals may receive one free
copy per year of an accounting. Because the new accounting provisions should be
structured in a way that leverages the automating capabilities of EHRs, individuals
should continue to be able to receive these at no charge – particularly when they are
asking for the accounting because they have reason to suspect unauthorized or
unlawful access to their personal health information.
We appreciate the opportunity to submit these comments.
Sincerely,
Members of the Consumer Partnership for eHealth
AARP
American Association of People with Disabilities
Childbirth Connection
Consumers Union
Family Violence Prevention Fund
Mental Health America
National Health Law Program
The Center for Democracy & Technology
The National Partnership for Women & Families