Safeguarding patient health information has always been one of the top priorities for healthcare. To further this interest, federal advisors have recommended revisions to the HIPAA Accounting of Disclosures Rule. At its meeting on December 4th, the Health IT Policy Committee endorsed the recommendations put forward by its Privacy and Security Tiger Team. The advisory committee has laid out guidelines for reporting disclosures of patients' electronic health records (EHR) and recommends that the Department of Health and Human Services (HHS) make several revisions to its long-delayed plan to revamp the rule. The guidelines include:
Taking an Incremental Approach – This means testing, before the rule is finalized, that healthcare providers can actually comply with the updated requirements. Such testing helps determine how transparency of data disclosures can be ensured without overburdening healthcare organizations, and it favors a structured, staged implementation that is feasible from both the policy and the technology perspective. The HIT Policy Committee urges HHS to take a focused approach that gives priority to quality over quantity: the scope of disclosures and related details reported to patients should contain information that is useful to them, without overwhelming them or placing undue burden on providers.
Focusing on Disclosure of Records to Those Outside the Entity – Providing patients with a report of disclosures made to parties outside the healthcare entity should be the first step of the incremental approach. HHS should therefore adopt a method in which a reportable disclosure is triggered whenever an entity transfers control of information to an external party. The current HIPAA Privacy Rule already requires covered entities to make available, on request and on paper or in electronic form, an accounting of disclosures of an individual's protected health information (PHI); the HITECH Act calls for expanding that requirement to cover disclosures for treatment, payment, or healthcare operations that are made through an EHR.
Scaling Back Plans for Providing Detailed Access Reports – OCR's May 2011 notice implementing the HITECH Act requirement to revise the disclosure rules also included a controversial provision requiring that, on a patient's request, an 'access report' list everyone, internal users included, who had viewed the patient's information. Under that provision, patients would be given the date and time of each access, the name of the person or entity accessing the information, and the action performed, such as creation, modification, or deletion. The HIT Policy Committee has now endorsed scaling back these reports: instead of an exhaustive access report, a patient who suspects inappropriate access to their health information can request an investigation by the entity that controls the information. These recommendations were crafted over several months, based on public and industry feedback on the originally proposed rule revision.
Conducting Technology Pilots – So that covered entities can investigate suspected inappropriate access, the HIT Policy Committee recommends adding the following two implementation specifications to the existing audit control standard in the HIPAA Security Rule, to be validated in technology pilots: 1. Addressable audit controls must record PHI access activities at the granularity of the individual user and the individual whose PHI is accessed; and 2. The information recorded by the audit controls must be sufficient to support the information system activity review required by the HIPAA Security Rule and the investigation of potential inappropriate access to PHI.
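To make the two specifications above concrete, here is an added illustration in Python; it is not code from the HIT Policy Committee, OCR, or any vendor mentioned on this page. It models an EHR audit record that names both the individual user and the individual patient (specification 1), and then derives the three views the page discusses from that one log: the accounting of disclosures to outside parties that the committee wants reported first, the exhaustive per-user access report from the May 2011 proposal that is being scaled back, and the on-request investigation of suspected inappropriate access that the log must be sufficient to support (specification 2). All names, identifiers, log entries, and the "relationships" data used to judge whether an access was appropriate are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

# Actions an EHR audit control is expected to distinguish. "transmit" marks the
# moment control of the PHI passes to a party outside the covered entity.
ACTIONS = {"view", "create", "modify", "delete", "transmit"}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: datetime
    user_id: str                     # individual user (proposed specification 1)
    patient_id: str                  # individual whose PHI was accessed (specification 1)
    action: str                      # one of ACTIONS
    purpose: str                     # treatment / payment / operations / other
    recipient: Optional[str] = None  # outside party; set only when PHI leaves the entity


def is_sufficient(event: AccessEvent) -> bool:
    """Specification 1 check: a record that cannot name both the user and the
    patient, or whose action is unknown, cannot support activity review."""
    return bool(event.user_id) and bool(event.patient_id) and event.action in ACTIONS


def accounting_of_disclosures(log: List[AccessEvent], patient_id: str) -> List[AccessEvent]:
    """The 'outside the entity' report: only events where control of the PHI
    passed to an external recipient. This is the report the committee
    recommends giving patients first."""
    return [e for e in log if e.patient_id == patient_id and e.recipient is not None]


def full_access_report(log: List[AccessEvent], patient_id: str) -> List[AccessEvent]:
    """What the May 2011 access-report proposal would have required: every
    touch of the record, internal users included. Shown only for contrast."""
    return [e for e in log if e.patient_id == patient_id]


def suspected_inappropriate_access(
    log: List[AccessEvent], patient_id: str, relationships: Set[str]
) -> List[AccessEvent]:
    """Specification 2 in use: the investigation a patient can request. Flags
    internal accesses by users with no documented treatment, payment or
    operations relationship to this patient. `relationships` is assumed to
    come from encounter or scheduling data; here it is constructed below."""
    return [
        e for e in log
        if e.patient_id == patient_id
        and e.recipient is None
        and e.user_id not in relationships
    ]


# Constructed sample log (not real data): one patient record, one billing
# transmission to a health plan, and one late-night view by a user with no
# documented relationship to the patient.
SAMPLE_LOG = [
    AccessEvent(datetime(2012, 12, 4, 9, 2), "dr.patel", "P-1001", "view", "treatment"),
    AccessEvent(datetime(2012, 12, 4, 9, 5), "dr.patel", "P-1001", "modify", "treatment"),
    AccessEvent(datetime(2012, 12, 4, 11, 30), "billing.kim", "P-1001", "view", "payment"),
    AccessEvent(datetime(2012, 12, 4, 12, 10), "billing.kim", "P-1001", "transmit", "payment",
                recipient="Example Health Plan"),
    AccessEvent(datetime(2012, 12, 5, 23, 41), "nurse.lopez", "P-1001", "view", "treatment"),
    AccessEvent(datetime(2012, 12, 5, 8, 0), "dr.patel", "P-2002", "view", "treatment"),
]

# Constructed relationship data: users with a documented reason to touch each record.
RELATIONSHIPS: Dict[str, Set[str]] = {
    "P-1001": {"dr.patel", "billing.kim"},
    "P-2002": {"dr.patel"},
}


if __name__ == "__main__":
    assert all(is_sufficient(e) for e in SAMPLE_LOG)
    for e in accounting_of_disclosures(SAMPLE_LOG, "P-1001"):
        print("disclosed:", e.timestamp, e.user_id, e.action, "->", e.recipient)
    for e in suspected_inappropriate_access(SAMPLE_LOG, "P-1001", RELATIONSHIPS["P-1001"]):
        print("investigate:", e.timestamp, e.user_id, e.action, e.purpose)
```

The point of the example is that the same log serves both the patient-facing accounting and the internal investigation: the accounting for P-1001 contains only the transmission to the health plan, while the investigation flags nurse.lopez's view because the record is granular enough to tie a named user to a named patient and compare that pairing against a documented relationship. A log that recorded only "a clinician opened a chart" would satisfy neither view.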
Once the pilots are complete, OCR will resume work on a revised rule, taking the recommendations and pilot findings into account. Safeguarding PHI, however, is not only a matter of being transparent with patients about who accessed their data. It has to begin with comprehensive security, sound risk assessment, and an effective system of information access management, which is where Aegify Security Posture Management and Aegify SecureGRC can help. These solutions can be valuable in preventing breaches caused by inappropriate access to PHI and other HIPAA violations.