Proposed changes to HIPAA establish standards that would be difficult for providers to meet and should be scaled back, according to comments filed July 22 by the College of Healthcare Information Management Executives (CHIME).
The Office for Civil Rights in the U.S. Department of Health and Human Services published the notice of proposed rulemaking (NPRM) for Accounting of Disclosures and Access Reports on May 31 and plans to publish the final rule later this year. For accounting of disclosures, the NPRM addressed a statutory requirement under the HITECH Act to extend requirements to electronic health records (EHRs).
“Generating an accounting of disclosures is today largely a manual process for most covered entities, and we believe it will remain so for some time to come,” the six-page comment letter stated. “Producing limited or customized reports of the kind described in this NPRM could be difficult and time-consuming.”
In particular, a provision of the 2002 HIPAA Privacy Rule says that covered entities are responsible for protected health information (PHI) contained within a designated record set (DRS). The current proposed rule would extend that requirement to include a new right to a consolidated access report. However, “CHIME believes the concept of DRSs remain too broadly defined and too variable in today’s health IT environment. Moreover, the ability to aggregate hundreds or even thousands of access events in any automated fashion is not realistic for most covered entities.”
The organization urged rulemakers not to include access report requirements in the final rule.
"CHIME also suggests that the current 60-day timeline for responding to accounting of disclosure requests be retained, not shortened to 30 days as suggested by the proposed rule," the letter stated.
In addition, the group made several recommendations for changes to the proposed rule:
- The OCR should provide more discussion around the “type of protected health information disclosed” data element in the final rule.
- Require patients to provide a covered entity with specific names for the covered entity to determine whether those individuals have or have not accessed the patient’s information, instead of requiring access reports that include names.
- If the requirement for one consolidated Access Report remains in the rule, the OCR should limit it to data from access logs from certified EHRs, “which have a level of standardization that many ancillary and downstream systems do not.”