Due to the shutdown, there may not be any ONC federal advisory committee meetings in the near future. But there was one meeting held this week before the shutdown began. The HIT Policy Committee's Privacy and Security Tiger Team held a virtual, public hearing on Sept. 30 to address the rule proposed by Health & Human Services in 2011 about accounting of disclosures.
As I wrote last week, the proposal suggested that beyond an accounting of disclosures of their information outside the areas of treatment, payment and health care operations (acronym is TPO), patients also have an expanded right to an “access report,” detailing every single access of their health information, for instance by hospital employees. This access report proposal has been widely criticized as unworkable.
I wasn’t able to attend the Monday virtual hearing because I was traveling all day. But the written testimony available on ONC’s web site contains some real eye-openers.
Perhaps the most revealing comments came from Scott Morgan, executive director and national privacy & security officer on behalf of the Kaiser Permanente Medical Care Program.
He said Kaiser has determined that the cost of system upgrades alone (not including labor and tech support) to support both the new accounting of disclosure requirements and the access report for only one of its eight regions would exceed Health & Human Services’ published estimates of the total cost across all covered entities in all states.
Morgan also noted that creating an access report would require capturing and translating very granular data recorded in the normal course of care delivery and reimbursement, and also would require building the capability to record the purpose of each access. “Access reports would likely be enormous, resulting in less, not more, transparency, because critical information would be buried within large amounts of data,” he wrote
In Kaiser’s experience, access logs run 60-100 pages, but for inpatient logs, reports can run 1,000 pages or more. In a specific example that involved a two- to three-week hospitalization, the access report was over 2,000 pages long. As a test, Kaiser ran a series of random access reports based on just one year of data from the EHR alone. The average report size was about 500 pages. “We have found that providing this information to patients tends to create confusion, even when supplemented by resource-intensive one-on-one review of the log,” Morgan wrote.
He added that giving patients a list of names and dates in lieu of conducting and summarizing a targeted investigation raises a new set of issues related to employee privacy. “Providing the names of individuals who access PHI may subject those individuals to privacy intrusions and safety concerns (and potential liability issues when employees of business associates are involved),” he wrote.
In her written testimony, Jutta Williams, chief privacy officer for Utah-based Intermountain Healthcare, noted that it is challenging to develop systems that can convert security logs into a readable report. “It requires integrations between user identity management systems, patient indexing services and the systems performing access logging,” she wrote. “No system we have evaluated can add contextual information like the purpose for the access today.
She added that in Intermountain’s experience, patients don’t seek a list of employees who have accessed their record. Rather, patients want to be able to understand if a specific, unauthorized access occurred. “A patient reading such a report will not be able to derive context or purpose for access even if a human resources title were to be included.”
She estimated that to upgrade all systems considered part of Intermountain’s “Designated Record Set” to comply with the proposed rule would cost Intermountain upwards of $100M to complete.
Kaiser’s recommendations to HHS?
• Provisions for accounting of disclosures should be revised to meet the balancing test (between cost and benefits) in the HITECH Act;
• Exempt disclosures between integrated covered entities within organized health care arrangements from the accounting requirement; and
• The access report requirement should be dropped.
It seems that HHS really should go back to the drawing board on this one. What do readers think?