Uncertain Benefits, Certain Difficulties Inform Disclosure Rule
Within the recently proposed rule on accounting of disclosure, the Office for Civil Rights summarizes a 2010 request for information it issued to the providers, payers, and consumer groups. The feedback it received offers an insight into provider and consumer experience with accountings to date, and it is reflected in the proposed rule, which seeks to both ease the burden on providers and improve the information for individuals. In at least one instance, it also previews provisions of the proposed rule that may run into controversy.
In May 2010 OCR published a request for information on the existing accounting of disclosure requirements under HIPAA and the HITECH modifications that would expand them. OCR asked nine questions related to the public’s interest in accountings of disclosures, the burdens they place on covered entities, and the capabilities of current IT systems to support them. These are issues that HIM professionals and others have raised since the privacy rule first took effect in 2003.
A year went past, but when OCR published the proposed rule last month, it was clear that the office had listened. Several aspects of the proposed rule—such as reductions in the information that covered entities would be required to maintain for an accounting and the introduction of an alternate report that tracked access—are intended to lessen the burden on providers in light of the challenges to tracking disclosure and the indication that the accountings do not seem to provide the kind of information that individuals want.
Little Perceived Benefit
OCR received approximately 170 comments from health plans, providers, privacy advocates, and other noncovered entities. Its first question asked about the value of an accounting of disclosures to individuals, particularly the expanded HITECH modification that includes disclosures for treatment, payment, and healthcare operations (TPO).
Respondents did not perceive much value. Approximately 10 respondents representing both consumers and covered entities noted that accountings foster transparency and patient trust and discourage inappropriate behavior. Approximately 10 more commenters representing covered entities also saw potential benefits of transparency but questioned whether accountings of disclosure would provide the type of information that individuals usually seek.
The majority of comments, contributed mostly by covered entities, indicated that providing an accounting of disclosures for TPO would provide little to no benefit to individuals (more than 80 respondents) while incurring substantial administrative burdens (more than 120 respondents).
Surprisingly, OCR’s proposed rule does not extend HITECH’s TPO provisions to accountings. Instead, it creates the access report, which is intended to meet the act’s requirements with less administrative burden.
Few Requests Received
Most covered entities reported that individuals are aware of their right from the notices of privacy practices they receive; however, they noted that few have shown interest. Nearly 30 respondents reported having received no requests for an accounting of disclosure, and more than 90 replied that they had received fewer than 20 since the privacy rule’s compliance date in 2003.
As low as those numbers are, results of a Journal of AHIMA survey conducted in December 2009 were lower. Among 153 HIM professionals responding, 90 (or 59 percent) reported that their facilities had never received a request for an accounting. Another 51 (33 percent) had received 10 requests or fewer in more than six years.
Uncertain Consumer Satisfaction
Few respondents knew with certainty why individuals had requested accountings of disclosure and whether they have been satisfied with them. Some reported receiving requests prompted by the individual’s concern over a specific situation or a person who may have accessed their records.
The same uncertainty was reflected in the Journal’s 2009 survey. Respondents whose facilities had fulfilled requests estimated that—in approximately equal share—individuals sought improper disclosures only, disclosures to a specific person, or were just generally reviewing their records. Approximately one-third of respondents did not know why the accountings had been requested.
Scant evidence of consumer interest in disclosures seems to have confirmed to OCR that a different direction—reporting on access—would be more helpful to both individuals and covered entities.
HITECH tasked the secretary of Health and Human Services with determining what information would be included in an accounting, and OCR accordingly sought input through the request for information. Specifically it asked commenters whether an accounting encompassing TPO should include to whom a disclosure was made and the purpose of the disclosure.
Approximately 60 percent of commenters, representing covered entities and the industry, responded that recipient information should not be included. In a few cases respondents expressed concerns about employee privacy and safety. The remaining 40 percent of commenters, representing consumers, covered entities, and industry, believed that information about the recipient would be essential in identifying inappropriate disclosure.
OCR’s rule would require covered entities report the names of persons who accessed an individual’s information. Given the split in opinion reflected in the response to information request, OCR can expect opposition to the provision.
More than 60 percent of respondents indicated that the purpose of the disclosure should not be included. Current IT systems have difficulty capturing this information, they noted, and the information would provide minimal benefit to individuals. However, nearly 20 percent of commenters responded that an accounting would be useless to individuals without a description of the purpose of each disclosure.
Capabilities of Current Systems
One of the industry’s greatest concerns over accounting of disclosures has been the administrative effort required to track them. Almost all comments noted that current EHR systems are unable to distinguish between a ‘‘use’’ and a ‘‘disclosure.’’ Further, disclosures occur from multiple decentralized systems, and facilities cannot generate reports automatically, requiring manual effort to assemble a report for each requested accounting.
These comments closely mirrored the Journal’s 2009 survey, in which nearly all respondents described tracking disclosures as a frustrating challenge and a near impossibility. Most reported that the way their organizations disclose information—from multiple departments through disparate IT systems—makes it difficult to compile a complete and accurate accounting.
OCR asked if an EHR module dedicated to accounting for disclosures would be helpful. Commenters were lukewarm to the idea. Nearly 90 percent of those who answered the question believed the time and expense needed to develop the module would not be warranted by the low number of requests for accountings received to date.
The comments received on audit logs varied greatly. Most respondents noted that their current systems retain at minimum the name or other identification of the individual who accessed the record; the name or other identification of the record that was accessed; the date and the time; and the area, module, or screen of the EHR that was accessed.
OCR reflects this information in its proposal, creating the access report as a report that most covered entities are in a position to produce currently, and modeling the requirements on common current capacities: name of individual, date, and time. OCR did not propose that the purpose of access be provided.
HITECH required covered entities that acquire an EHR after January 1, 2009, comply with the new accounting of disclosure requirement by January 2, 2011. “Almost all comments received on this topic indicated that the January 1, 2011, deadline would be impossible to meet,” OCR writes in the proposed rule.
The HITECH authors seemed to have expected such a response, because they included a provision for extending the deadline up to two years as necessary. Many commenters to OCR expected they would need at least that much time to become compliant.
Covered entities that have acquired their systems before January 1, 2009, have until January 2014 to comply with the HITECH modifications. OCR writes that it received fewer than 10 responses from this group, but the comments indicated generally that they could not meet the deadline. They also noted they will be dependent on vendors developing the system upgrades or modifications.
OCR’s final question was a general request for other comments, and it noted in the proposed rule that a large percentage of the comments expressed concerns with the burdens that the expanded accounting would create in both time and money. Some commenters noted the requirement would discourage adoption of EHR systems, particularly among small providers who would not be willing to take on the accounting responsibilities.