There is no way to fully anticipate the potential organizational and financial burdens on providers as a result of the proposed rule on HIPAA from the Department of Health and Human Services (HHS), according to the American Medical Informatics Association (AIMA).
The informatics professional association recently expressed its concerns to HHS on the modification of HIPAA Privacy Rules for accounting of disclosures. In a letter dated July 30, AMIA expressed extensive concerns about the proposed rule, drawing particular attention to the requirement to generate an "access report" that would indicate which individuals have accessed an individual's personal health information (PHI).
“We believe that this report will provide little reasonable benefit to individuals, that the primary interests identified for individuals can be served in much narrower ways, and that the rule—if applied as proposed—would require significant new technology efforts and expenditures from virtually all companies in the healthcare industry, with substantial ongoing burden,” the letter stated.
AMIA also noted the inconsistent application and definitions of the term "access" within the proposed rule and questioned how it might be applied during patient care activities when large numbers of individuals meet to discuss a case, such as grand rounds and tumor boards.
“HHS flatly assumes that all covered entities (CEs) and business associates (BAs), large and small, are today generating detailed, integrated and comprehensive audit trails of individual access to electronic health information systems. This assumption appears to be the basis for the agency’s belief that implementing a new HIPAA right for individuals to know who has viewed their PHI will be an easy and almost cost-free exercise,” the association wrote. “In fact, current EHR systems were not developed with this requirement in mind, and most would be unable to support this new requirement without modification. While it may be possible for internal EHR systems to produce access reports upon request, it would be very difficult and time consuming to gather the same information from BAs.”
AMIA also stated that implementing the proposed rule will require significant organizational resources, both technical and human, and encouraged HHS to withdraw the access report provision of the proposed rule.
According to comments submitted to AMI, what is proposed will be expensive, require extensive changes to current systems and may not mean anything to the patient.
In addition, the association questioned the HHS' assertion that the generation of such an access report will require minimal, if any, changes to existing information systems, and its claim that the significant burden in aggregating data across multiple information systems into a single access report is reasonable.
“Recognizing that the Department has the authority to make significant changes to the HIPAA rules, AMIA believes that the assumptions made by HHS in delineating a new right to an access report are fundamentally incorrect,” the letter concluded. “Congress directed that individuals should have a right to be informed of disclosures of PHI made outside the covered entity for purposes of ‘treatment, payment or healthcare operations’ and AMIA supports the idea that individuals should have an ability to understand the use of health information by covered entities or business associates beyond the CE to which the individual entrusted the PHI in ways that may impact their care or payment for their care or the general quality of care delivered.”
Read AMIA's letter here.