The American Health Information Management Association (AHIMA) and the Medical Group Management Association (MGMA) recently commented on the Department of Health and Human Services (HHS)’ notice of proposed rulemaking (NPRM) regarding HIPAA Privacy Rule accounting of disclosures. The disparate organizations had very different opinions on the subject.
MGMA, an Englewood, Colo.-based association for professional administrators and leaders of medical group practices, stated in a release that the NPRM is unworkable and should be withdrawn.
MGMA conducted a Legislative and Executive Advocacy Response Network (LEARN) study to gauge the impact of this proposed rule on physician group practices. The study received one of the largest responses in LEARN history, with more than 1,400 participants. The vast majority condemned the rule as burdensome and unnecessary. More than 90 percent said it would be “very” or “extremely” burdensome to produce a report upon a patient’s request that would meet the strict government requirements. When asked how many patient requests for disclosure reports they had received in the past 12 months, 65.1 percent responded “0 or 1 per [full-time-equivalent] physician,” MGMA stated.
In addition to withdrawing the NPRM, HHS should engage medical groups and other stakeholders to develop a consensus-driven solution before moving forward with the regulation, MGMA added.
The accounting of disclosures regulation was mandated as part of the Health Information Technology and Clinical Health Act of 2009 (HITECH). If enacted as proposed, the rule would require medical practices that maintain electronic patient information to have the capability to produce a detailed report of every instance a patient’s information was accessed by any staff member for any reason, including submitting claims for payment, the association stated.
A 'significant burden'
AHIMA, while applauding HHS’ efforts overall, described a quandary in regard to the accounting of access rules.
“Although we strongly support the right of individuals to ask questions regarding access to their personal health information, we are troubled because such rules go outside of the current scope of HIPAA, even with the HITECH amendments. Additionally, the transition to EHR systems did not contemplate the necessity of tracking this level of access (beyond the existing privacy and security rule compliance obligations of covered entities) or take into consideration the potential administrative costs, and thus, will cause a significant burden for covered entities and their EHR vendors.”
Access-related requests are not uncommon to covered entities, AHIMA stated, although the number of requests has been significantly low. “Requests for an access or disclosure report have been limited to a particular party and [there haven't been requests] for all who may have accessed the health record.
“For this reason, we believe it is appropriate to require covered entities and business associates to respond to concerns; however, we believe this requirement could be minimized in a fashion to respect the individual’s rights and limit the organizational expense the OCR NPRM would suggest,” the organization stated in a letter to Georgina Verdugo, JD, MPA, director of HHS Office for Civil Rights.