ONC Committee Makes Accounting of Disclosures Recommendations
The Office of the National Coordinator for Health IT’s Health Information Technology Policy Committee (HITPC) unanimously approved recommendations on accounting of disclosures on December 4, 2013.
The recommendations were developed by the HITPC Privacy and Security Tiger Team, and discussed how to implement the long-awaited ARRA-HITECH requirement for HIPAA covered entities to account for disclosures of personal health information for treatment, payment, and healthcare operations made through an electronic health record (EHR). Currently providers are not required to track disclosures for treatment, payment, or operations.
The recommendations focus on:
- The patient’s right to a report of disclosures outside the entity or organized healthcare arrangement
- The patient’s right to an investigation of accesses inside the entity
Next Steps and History
The HITPC will provide the recommendations to the acting National Coordinator for Health Information Technology for consideration in the development of a final rule on accounting of disclosures being developed by the Department of Health and Human Services’ Office for Civil Rights.
Though the healthcare industry has been waiting for years for final guidance on accounting of disclosures, there has been no timetable set for publication of the accounting of disclosures final rule.
The genesis of these recommendations comes from the May 31, 2011 publication of the Office for Civil Rights Accounting of Disclosures Notice of Proposed Rulemaking, which proposed two rights for individuals: an accounting of disclosures and an access report.
Recommendations Include Accounting for TPO
Several of the recommendations approved by HITPC were consistent with AHIMA’s recommendations in both the association’s response to the 2011 proposed rule and its September 30 testimony. The HITPC recommendations include (bold statements recommended by AHIMA):
- HHS should proceed in a step-wise fashion, initially pursuing an implementation pathway that is workable from both a policy and technology perspective.
- The Tiger Team does not believe the proposed access report meets the requirements of HITECH to take into account the interests of the patient and administrative burden on covered entities (CEs).
- The Tiger Team urges HHS to pursue a more focused approach that prioritizes quality over quantity, where the scope of disclosures and related details to be reported to patients provide information that is useful to patients, without overwhelming them or placing undue burden on covered entities.
In responding to the HITECH requirement to account for disclosures for treatment, payment, and operational purposes, HITPC recommends that HHS should focus, at least initially, on EHR disclosures outside the covered entity. It said HHS should pursue a “Follow the Data” approach:
- When control of patient data is transferred to another entity, the recipient of the data should be part of an accounting of disclosures report.
- Patients should also be able to obtain an accounting of disclosures report from such recipients if they are (1) business associates, and (2) have further disclosed the data outside of their compliance environments and the subsequent recipient controls and could potentially disclose the data. (Per HITECH, covered entities have the option of gathering and providing this information to patients vs. the obligation being on the business associate to provide information about subsequent disclosures.)
Patients should also be able to obtain an AOD report when:
- EHR data moves from its compliance environment to another environment, where it can be further accessed and/or disclosed
- EHR data is moved to an environment where it can be accessed by individuals not known to the originating EHR
- Data is moved from a provider to an HIE, where access, use and disclosure are determined by HIE policy
- Data is sent to an entity to facilitate e-prescribing
- Data is sent to a health plan for payment, or to an external provider for treatment
- Data is sent to a registry for quality improvement
- Data is disclosed pursuant to Stage 2 “Meaningful Use” EHR Incentive Program information exchange requirements (for example, using Direct to transmit a CCD to another facility)
- Data is moved from a provider to a recipient who has the independent ability to resell or otherwise monetize the data, disclose the data to other covered entities, use the data for internal purposes other than quality review, create a limited data set (LDS) or de-identify the data for purposes unrelated to the covered entity
HITPC: ONC Should Pilot AOD Changes
The committee recommended that technologies and policies used to accomplish the reporting of an accounting of disclosures should first be piloted by ONC.
HITPC said ONC should:
- Focus first on provider EHRs per HITECH; after pilots and initial implementation, HHS could then determine how to expand the pilot (such as to additional HIPAA covered entities or to electronic data systems that are not EHRs)
- Pilots should focus on technical feasibility of disclosure reports, as well as on feasibility and usability of such reports for patients and implementation burden on providers.
- Pilots will enable ONC to assess readiness for a future stage of EHR certification.
- The accounting of disclosures should require only an entity name rather than the specific individual, as stated in the proposed rule.
- Content of the report should be tested in the pilot; such testing should include the possibility to group similar disclosures together (vs. reporting individually), as permitted by the proposed Accounting of Disclosure rule.
The Tiger Team and HITPC also reinforced the importance of the right of an individual to an investigation of alleged inappropriate access:
- Results of the hearing indicate that an investigation, rather than an accounting, may satisfy many patient concerns.
- Such an investigation should enable patients to ask whether a particular individual inappropriately accessed their records or find out what happened to their records in a particular circumstance.
- The Tiger Team notes the ability of patients, under the Accounting of Disclosures proposed rule, to obtain a report that includes disclosures that would be considered breaches but are not required to be reported to patients.
Patient Rights to Investigation Recommended
To improve the ability of covered entities to do investigations of inappropriate access, the Tiger Team recommends that the Office for Civil Rights add two implementation specifications to the current audit control standard in the HIPAA Security Rule (164.312(b)):
- (Addressable) Audit controls must record PHI-access activities to the granularity of the individual user (i.e., human) and the individual whose PHI is accessed.
- (Addressable) Information recorded by the audit controls must be sufficient to support the information system activity review required by §164.308(a)(1)(ii)(D) and the investigation of potential inappropriate accesses of PHI.
A final recommendation regarding investigations was added following discussion by the HITPC. They recommend the Office for Civil Rights gather information and/or look at existing data when a patient requests an investigation at a facility, determine whether or not that investigation occurs in a timely fashion, and determine whether or not the conduct and resolution is satisfactory to the patient.