AMIA cites concerns to HHS on HIPAA NPRM
Although the American Medical Informatics Association (AMIA) supports a time requirement of less than 30 days for a patient to receive access to or copies of their individual electronic PHI, the healthcare organization cautioned Department of Health and Human Services (HHS) Secretary Kathleen Sebelius to adopt a reasonable timeline so as not to negatively affect or divert healthcare provider resources to address such requests.

AMIA issued its comments to HHS related to the notice of proposed rulemaking (NPRM) on proposed modification to HIPAA privacy and enforcement rules.

The Bethesda, Md.-based organization of 4,000 informatics professionals supports the NPRM in extending requirements of the privacy and security rules for business associates (BAs) to their subcontractors. It also supports the extension of HIPAA rule compliance obligations to specific types of BAs, including health information exchanges (HIEs), regional health information organizations (RHIOs) and personal health record (PHR) vendors as stipulated by HITECH.

However, the nonprofit stated concerns about operational and financial challenges of extending and executing agreements related to the use and disclosure of protected health information downstream. AMIA suggested that HHS consider the development of model BA contract language in the final rule.

AMIA opposed a change in the current definition for limited data sets (LDSs) from "not fully identifiable" PHI to "fully identifiable" PHI, “which would prohibit the sale of LDSs, and provide little incentive for covered entities to create, maintain, use and make available very large electronic data sets.”

AMIA suggested modified language which would make an exception for research purposes, cost restrictions for PHI exchanged in the form of limited data sets. AMIA urged the HHS to consider including all costs related to aggregating electronic PHI in general, or LDSs in particular, and not limiting costs to "staff time."

To facilitate health research, HHS should provide strong guidance and clear expectations to internal review boards (IRB) regarding HIPAA, perhaps through the development of FAQs that illuminate IRB policies for reviewing and approving, or justification for not approving health information use for information-based research projects, AMIA stated.

The nonprofit also opposed the NPRM stipulation that covered entities must permit the individual to restrict disclosure of any part or all healthcare items and services if the individual chooses to self-pay. AMIA expressed concern that adoption of this stipulation “will foster negative policy implications to a legislatively-required restriction, encourage individuals to ‘buy privacy’ by not using insurance and create operational difficulties in trying to ensure that information systems can segregate and restrict data flow to payors.”

AMIA's comments to HHS are online here.