Archive for July, 2011
The right to request an “access report” as outlined in the Office for Civil Rights’ (OCR) proposed HIPAA accounting of disclosures rule could be an asset to attorneys in HIPAA civil suits and malpractice cases, experts say.
In the “HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act” proposed rule, published in the Federal Register May 31, patients can request an accounting of who accessed their electronic health information in a designated record set, for any reason. It covers both uses and disclosures.
That could help the case of a malpractice lawyer and others, says Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP and author of HIPAA Blog.
“And it doesn’t even have to be a HIPAA or data breach or confidentiality case,” Drummond says. “In a medical malpractice case, the plaintiff’s lawyer can say, ‘X looked at the file and didn’t say anything.’ ”
Through the new provision, patients would be able to obtain access reports for the purpose of sharing the report with their malpractice attorney.
“In practice, I think that these reports will be useful to malpractice attorneys, but not necessarily serve as a smoking gun,” says Adam Greene, JD, MPH, a lawyer in the Washington, DC, office of Davis Wright Tremaine LLP and the former OCR senior health information technology and privacy specialist. “This is because the access report will not provide the purpose of the access; so much of the access that a malpractice attorney suspects to be impermissible may prove to be for a valid purpose, such as for a valid administrative of quality improvement purpose.”
So could a lawyer use the following argument?
Dr. Smith only accessed Jane Doe’s record once prior to her damaging surgery. That is not enough time spent researching the patient’s condition before operation.
“I suppose that it’s possible,” Greene says. “It may depend on whether the access log tracks the user action.”
For instance, Green presents the following scenario:
Dr. Smith only accessed the record once, but what the access report does not reflect is that he downloaded the file to his encrypted portable device and then spent a substantial amount of time reviewing it.
Covered entities (CE) should reasonably limit access to electronic PHI, Greene says, and would be well served to maintain documentation of why particular persons and positions have access.
John Doe accessed your record, but he is permitted to do so because his position requires him to access patient records to ensure that they are receiving high quality services.
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA College in Casa Grande, AZ, says the access reports could detect patterns of inappropriate access.
The new provision does not include a requirement to show how long a person viewed a medical record. However, the date and time must be noted, which can be problematic, according to Ruelas. “If [a staff member] works from 8 to 5, and there are access report entries before 8 or after 5, this might be worth more investigation.”
Ruelas says this could boost a lawyer’s argument because if the CE does not have an adequate monitoring or auditing process, “a lawyer seeing that [the staff member] is repeatedly looking at records before 8 a.m. can invite some very interesting questions.”
“If someone is listed on the report as ‘viewed’ under ‘action’ over and over again, and this has gone undetected, this can also be a problem,” Ruelas adds.
The new requirement not only provides easier access for patients concerning who accessed their record, but also, according to Ruelas:
- What systems were queried to get the data
- Whether the organization is fulfilling its commitment to safeguarding user access to ePHI (e.g., access IDs, unique IDs, etc.)
- Whether the CE reviews reports indicating unusual access patterns
Ruelas calls finding culprits accessing records inappropriately a “very laborious task with an element of luck.”
The proposed new right for patients to request information on who accessed their health record would be costly, time-consuming, and could potentially put healthcare workers in danger from “stalkers” armed with the names of hospital employees, the American Health Information Management Association (AHIMA) says.
Chicago-based AHIMA, the non-profit association for HIM professionals, released today public comments it submitted to the Office for Civil Rights (OCR) regarding the “HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act” proposed rule.
The rule, required by HITECH and published in the Federal Register May 31, updates the HIPAA Privacy Rule accounting of disclosures provision and creates a new “access report” requirement. The new provision includes an accounting of who accessed electronic health information in a designated record set (DRS), for any reason. This includes both uses and disclosures, regardless of the purpose.
All such DRS systems should be capable of logging access, according to the proposed rule. OCR expects covered entities (CE) and business associates (BA) to generate access reports for each electronic DRS and aggregate it into a single electronic access report.
However, that will “cause a significant burden for covered entities and their EHR vendors” because current systems do not support such a requirement. The association suggests CEs and BAs respond to these patient requests on an ad hoc basis “rather than require significant systems and process changes that will raise the cost of healthcare for what appears to be a very limited number of requests.”
Because many entities do not have the ability to meet the technical requirements, OCR should delay its proposed compliance dates, AHIMA says. Currently compliance with the access reports provision is January 1, 2013, for electronic DRS systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic DRS systems acquired prior to 2009.
Further, access reports should carry only identifiers for the work force members rather than actual names, AHIMA says. Patients asking who viewed their medical records often have a specific individual in mind, such as a former spouse, AHIMA says.
HIM professionals have reported to AHIMA several situations where employees have been stalked after their names are released to patients.
“While we fully support the requirement allowing an individual to have knowledge of access, we also want to protect the workplace staff of the covered entity,” AHIMA states in its comments. “AHIMA supports narrowing the requests to specific individuals when possible. In some treatment environments (e.g., emergency departments and psychiatric facilities), providers are permitted to use pseudonyms to avoid patients stalking or contacting them outside the workplace. Access accounting would require facilities to share the legal names of their providers which defeat the protections that have been in place for long periods of time.”
AHIMA concluded its comments by calling for OCR to develop a pilot to test the “assumptions” in the new access report requirement and consumer awareness and education.
“In addition to not knowing the impact on covered entities and business associates, the burdens will not be known if we cannot determine how the average consumer will or will not request an access report,” the organization says.
We are a Continuing Care Retirement Community. All residents give us the name, address and phone numbers of an emergency contact. In some cases the contact manages the resident’s affairs. In other cases the resident is independent (some even still working), and they manage all their own affairs.
Most Residents get medications through a local pharmacy, and we have a HIPAA business affiliate agreement with that pharmacy. Recently the pharmacy sent an independent resident a bill and a copy of the bill to her daughter. The resident was upset because she felt there was no reason for her daughter to be involved and, further, wants to know why we even provide her daughter’s name and address to the pharmacy.
In principle, we think she is correct, but did we actually violate HIPAA?
If a patient signed an authorization form 2/2012, and the attorney is now calling for her medical records, I must get the patient to sign another authorization form? There is no notation for this authorization to be used after 90 days.
Happy July. As we steam through the third quarter of 2011, we’d like to give you and your staff the opportunity to share your success stories regarding HIPAA compliance.
Survive a recent audit? Handle a breach effectively and efficiently? Avoid a breach or two in the last year?
We’d love to hear about it – and so would your colleagues. Send your stories to Senior Managing Editor Dom Nicastro at email@example.com. And you could be featured on this blog or perhaps in this e-newsletter or our Briefings on HIPAA newsletter.
Good luck and have a great rest of the year!