Many health care groups are responding to an HHS proposed rule that aims to expand patients' rights to obtain a list of those who have viewed their electronic health data, HealthLeaders Media reports (Nicastro, HealthLeaders Media, 8/3).
A provision of the HIPAA Privacy Rule states that health care providers and entities are responsible for the protected health information contained in a designated record set.
On May 31, HHS' Office of Civil Rights published a notice of proposed rulemaking that would extend that requirement by providing patients with the right to obtain a consolidated access report on who has viewed their health data.
The public comment period on the proposed rule ended on Aug. 1 (iHealthBeat, 7/28).
American Hospital Association
In a letter to OCR, the American Hospital Association wrote that the proposed rule is "misguided and does not appropriately balance the relevant privacy interests of individuals with the burdens that will be imposed on covered entities, including hospitals" (HealthLeaders Media, 8/3).
AHA called for federal officials to withdraw the proposal and "reissue a request for information better reflecting the statutory requirements, the technological realities, and better alignment of the regulation's effectiveness with the compliance burdens" (AHA News, 8/1).
The association also recommended that OCR:
- Clarify the discussion of designated record sets;
- Extend the access report compliance date and remove a requirement to name employees;
- Maintain a 60-day response requirement and limit accounting of disclosures to three years; and
- Stipulate that a covered entity is not liable for unsecure transmissions requested by a patient (HealthLeaders Media, 8/3).
Association of American Medical Colleges
The Association of American Medical Colleges also sent a letter asking OCR to withdraw all provisions of the proposed rule related to the access report requirement.
AAMC wrote, "If OCR determines that this necessitates major revisions related to the accounting for disclosures requirements, then the agency should consider withdrawing the entire rule and developing a new notice of proposed rulemaking" (Conn, Modern Healthcare, 8/2).
Center for Democracy and Technology, Consumer Groups
In addition, the Center for Democracy and Technology and other consumer groups sent a letter to OCR expressing concern that most health care facilities do not have the technology infrastructure necessary to comply with the access report requirement.
The consumer groups recommended that OCR revise the proposed rule to focus on short-term goals, while starting to develop a long-term proposal on access report requirements that would not overburden health care providers (Geiger, "CDT Blog," Center for Democracy and Technology, 8/2).
Federation of American Hospitals
Meanwhile, the Federation of American Hospitals sent a comment letter to OCR stating, "The proposed new right to an access report detailing all uses by covered entities is an undesirable, costly and administratively burdensome expansion of policy in an area where there has been virtually no patient interest or activity."
FAH recommended that the federal government withdraw the proposed rule to allow for further study about whether the benefits of the access report requirement would outweigh the burdens such a requirement would impose on health care providers (Modern Healthcare, 8/2).
Healthcare Billing & Management Association
The Healthcare Billing & Management Association sent a letter asking OCR to withdraw the access report requirement, contending that health care providers currently do not have the capacity to comply with the proposed mandate.
HBMA wrote, "Perhaps in five years, after practice management and [electronic health record] systems have evolved further and affordable, more sophisticated capabilities can be incorporated into these systems, the proposed capabilities may begin to appear and/or have a likely chance of being successfully developed and delivered." If OCR decides to move forward with the proposed rule, HBMA recommended that the access report requirement be deferred until 2015 or later (Goedert, Health Data Management, 8/3).
North Carolina Healthcare Information and Communications Alliance
The North Carolina Healthcare Information and Communications Alliance also sent a letter to OCR stating that the proposed access report requirement "goes well beyond HIPAA's intent and does not materially add to HIPAA's already strong protections for protected health information."
NCHICA argued that OCR does not have the authority to establish the right to an access report. However, if the proposed requirement is affirmed, NCHICA recommended that OCR clarify the definition of a designated record set and offer further guidance on what constitutes "access" to a patient's record (Goedert, Health Data Management, 8/1).