The Health IT Policy Committee, part of the Office of the National Coordinator for Health IT, held a hearing Monday on implementation of HIPAA's requirements that patients be informed of how and when their information is disclosed. Representatives from Epic, Cerner and athenahealth all contested the access report requirements proposed by the ONC.
Following a May request for information, HHS' Office for Civil Rights released a notice of proposed rulemaking, providing a list of the types of personal health information disclosures that must be included in a patient's access report upon his or her request. For vendors, accounting of disclosures is an optional 2014 certification criterion, and the intent is for vendors to innovate in this area to provide customers with the best solution for providing these reports to patients.
In testimony during the hearing, Eric Cooper, group lead of software development at Epic, said that while Epic's electronic health record system is capable of providing the report documentation required, conversations with clients suggest the requirements may place too much pressure on providers. Explaining that an EHR system is designed to encompass many aspects of patient care and is therefore accessed by a large and varied group of people, Mr. Cooper said, "We are concerned that these requirements would make it exceedingly difficult for a covered entity to be compliant with HIPAA and also use an EHR. The level of difficulty would be so high as to provide a disincentive to further adoption of EHRs and a challenge for covered entities currently using an EHR."
Jeremy Delinsky, CTO of athenahealth, explained that in addition to being a burden on providers, this exhaustive list of times a patient's record was viewed would be an overwhelming and ultimately useless report. "It is extremely important to understand the volume of information that would be included if an accounting of disclosures report for a typical patient contained every access, use, or disclosure of protected health information," he said.
"The volume of information is staggering, and the resources needed to produce such a report are prohibitive. We estimate that a typical patient will generate between 500 and 1000 unique 'touch points' where PHI is accessed per encounter … In order to achieve worthwhile and meaningful transparency, accounting of disclosures must be meaningful to patients. This objective cannot be met if they are provided with indecipherable audit logs of thousands of minor demographic edits, claim follow-ups, provider reviews, and similar routine, necessary and proper instances of data access," he said.
Cerner maintains that providing patients with this exhaustive list would only create more questions. "A patient would need a significant amount of help understanding and interpreting what they are looking at," according to Cerner's written testimony.
"A more usable way of presenting the data may include collapsing down the report to eliminate redundancy such as to show a row for each unique individual user acting in a given role who accessed the patient's record on a given day, and educating the patient about their options for receiving the report in a manner that answers their main interest in requesting it."