
HIT Policy Committee: Substitute Investigation Requests for Unworkable EHR Access Report Proposal

December 4, 2013
by David Raths
OCR: two-thirds of entities audited for HIPAA did not complete an accurate risk assessment

The Dec. 4 Health IT Policy Committee meeting featured two presentations with significant privacy and security implications. The more consequential was the committee's approval of its Privacy and Security Tiger Team's recommendation that ONC pilot technologies and policies for accounting of disclosures before HHS undertakes any further rulemaking on the issue.

First, some background: A proposed rule published in 2011 stated that besides having a right to an accounting of disclosures of their information outside the areas of treatment, payment and health care operations, patients also have the right to an “access report” detailing every single access of their health information, for instance by hospital employees. This access report proposal has been widely criticized as unworkable.

Deven McGraw, a co-chair of the Tiger Team, summarized the hearing the Tiger Team held on the proposal earlier this fall:

• No testimony supported that the proposed access report was doable, at least with current technologies. Audit trail technologies are frequently mentioned as a tool for offering greater transparency to individuals, but audit logs, when they are deployed, are designed to track security-relevant system events, not user activity, and do not easily produce reports designed to be understandable to individuals.

• No one at the hearing offered a specific technical path forward toward accomplishing the scope of what was proposed in the Notice of Proposed Rulemaking (NPRM) access report.

• Questions were raised about the potentially significant costs of the NPRM access report.

• It's not clear that patients want, or would find value in, the deluge of information likely to be produced by the NPRM access report. Today, patients rarely ask for these, she noted.

The Tiger Team recommends that ONC work on pilot projects that would allow patients to request a report about external disclosures from an EHR, with some examples of how to define external disclosures. But the recommendation stresses that any potential solutions must make it technically feasible for this type of report generation to be automated, so it is not a huge time and cost burden on providers, McGraw said.

Additionally, McGraw and co-chair Paul Egerman described an alternative to the concept of an access report listing every employee who has accessed data. The Tiger Team suggested bolstering the right of an individual to an investigation of alleged inappropriate access. The hearing indicated that an investigation, rather than an accounting, might satisfy many patient concerns, they said. Such an investigation should enable patients to ask whether a particular individual inappropriately accessed their records or find out what happened to their records in a particular circumstance. The full Policy Committee endorsed their recommendations, which likely means that there will be further research before any rulemaking is undertaken.
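The two patient-facing outputs discussed above, an automated accounting of external disclosures and a targeted investigation of whether one named user touched a patient's record, as an added Python example written for this article; it is not code from ONC, the Tiger Team or any EHR vendor. It assumes a hypothetical audit-log format in which every event already records the patient whose chart was touched, the purpose of the access and the recipient of any disclosure. As the hearing testimony noted, real EHR audit logs frequently capture security-relevant system events rather than this kind of per-patient user activity, and closing that gap is exactly what a pilot would have to do before such reports could be generated automatically. The log lines below are constructed, not real data.

```python
"""Added example for this article: deriving patient-facing reports from a
hypothetical EHR audit log. Not ONC, CMS or vendor code. Assumes each
audit event records patient, purpose and (for disclosures) recipient."""

from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Purposes that the HIPAA Privacy Rule groups as treatment, payment and
# health care operations (TPO). The accounting-of-disclosures right covers
# disclosures outside TPO, so these are excluded from the report by default.
TPO = {"TREATMENT", "PAYMENT", "OPERATIONS"}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str                        # EHR user id
    role: str                        # job role at the time of the event
    patient: str                     # patient whose record was touched (assumed field)
    action: str                      # VIEW, UPDATE, EXPORT, ...
    purpose: str                     # TREATMENT, PAYMENT, OPERATIONS or another purpose
    recipient: Optional[str] = None  # outside organization for a disclosure, else None


def _parse(line: str) -> AuditEvent:
    """Parse one pipe-delimited line of the constructed log format."""
    ts, user, role, patient, action, purpose, recipient = line.split("|")
    return AuditEvent(datetime.fromisoformat(ts), user, role, patient,
                      action, purpose, recipient or None)


# Constructed sample log (not real data). Columns:
# timestamp|user|role|patient|action|purpose|recipient
SAMPLE_LOG = """\
2013-11-02T09:15:00|dr.lee|PHYSICIAN|P-1001|VIEW|TREATMENT|
2013-11-02T09:20:00|dr.lee|PHYSICIAN|P-1001|UPDATE|TREATMENT|
2013-11-03T14:02:00|billing.7|BILLING|P-1001|EXPORT|PAYMENT|Acme Health Plan
2013-11-05T11:40:00|him.clerk|HIM|P-1001|EXPORT|LEGAL|County Court
2013-11-06T08:00:00|rn.patel|NURSE|P-2002|VIEW|TREATMENT|
2013-11-07T22:31:00|rn.patel|NURSE|P-1001|VIEW|UNSPECIFIED|
2013-11-09T10:00:00|research.1|RESEARCH|P-1001|EXPORT|RESEARCH|State Registry
"""


def load_events(log_text: str) -> List[AuditEvent]:
    return [_parse(line) for line in log_text.splitlines() if line.strip()]


def external_disclosures(events: List[AuditEvent], patient: str,
                         include_tpo: bool = False) -> List[AuditEvent]:
    """Accounting of disclosures: events where the record left the organization.
    One workable definition of 'external disclosure' is 'a recipient outside
    the entity is recorded'; TPO disclosures are dropped unless requested."""
    return [e for e in events
            if e.patient == patient and e.recipient is not None
            and (include_tpo or e.purpose not in TPO)]


def investigate_access(events: List[AuditEvent], patient: str,
                       user: str) -> List[AuditEvent]:
    """The narrower question the Tiger Team favours over a full access report:
    did this particular user touch this patient's record, and in what context?"""
    return [e for e in events if e.patient == patient and e.user == user]


def flag_unexplained(events: List[AuditEvent], patient: str) -> List[AuditEvent]:
    """Internal accesses with no recorded TPO purpose. These are what an
    investigation has to justify; they are not dumped on the patient wholesale."""
    return [e for e in events
            if e.patient == patient and e.recipient is None and e.purpose not in TPO]


def render(events: List[AuditEvent]) -> List[str]:
    """Plain-language lines a patient could read, rather than raw log rows."""
    out = []
    for e in events:
        when = e.ts.strftime("%Y-%m-%d %H:%M")
        if e.recipient:
            out.append(f"{when}: your record was sent to {e.recipient} "
                       f"(purpose: {e.purpose.lower()})")
        else:
            out.append(f"{when}: {e.user} ({e.role.lower()}) performed "
                       f"{e.action.lower()} (purpose: {e.purpose.lower()})")
    return out


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    print("External disclosures for P-1001:")
    for line in render(external_disclosures(evs, "P-1001")):
        print("  " + line)
    print("Investigation: did rn.patel access P-1001?")
    for line in render(investigate_access(evs, "P-1001", "rn.patel")):
        print("  " + line)
```

The point of the split between `external_disclosures` and `investigate_access` is the one the Tiger Team makes: the disclosure report is short and automatable once a recipient field exists, while the full list of every employee view (the NPRM access report) is what `flag_unexplained` would have to expand into, and that is the output patients rarely ask for and auditors find hard to explain.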

In a separate presentation, Susan McAndrew, senior policy specialist in the HHS Office for Civil Rights (OCR), gave an update on compliance and enforcement. First, she said that HHS is in the final stages of rulemaking on changes to the CLIA (Clinical Laboratory Improvement Amendments) regulations that will allow clinical laboratories to send test results directly to patients at their request.

McAndrew also updated the committee on OCR's audit program. OCR is currently evaluating the pilot and preparing to make auditing a permanent part of its work portfolio. “I do think that for security rule compliance, audit is a significant tool, and more valuable than the complaint-driven processes,” she said. “While we can follow up on breaches, that comes far too late in the process.”

She shared some details from the audit pilot, including the fact that 58 of 59 providers had at least one security finding or observation.

Two-thirds of the entities audited had no complete and accurate risk assessment. The most common cause identified was that the entity was unaware of the requirement, which argues for even greater outreach and education, she said.