
AHIMA: Proposed HIPAA access requirement a significant burden


The proposed new right for patients to request information on who accessed their health record would be costly and time-consuming, and could potentially put healthcare workers in danger from “stalkers” armed with the names of hospital employees, the American Health Information Management Association (AHIMA) says.

Chicago-based AHIMA, the non-profit association for HIM professionals, released today public comments it submitted to the Office for Civil Rights (OCR) regarding the “HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act” proposed rule.

The rule, required by HITECH and published in the Federal Register May 31, updates the HIPAA Privacy Rule accounting of disclosures provision and creates a new “access report” requirement. The new provision includes an accounting of who accessed electronic health information in a designated record set (DRS), for any reason. This includes both uses and disclosures, regardless of the purpose.

All such DRS systems should be capable of logging access, according to the proposed rule. OCR expects covered entities (CE) and business associates (BA) to generate access reports for each electronic DRS and aggregate them into a single electronic access report.

However, that will “cause a significant burden for covered entities and their EHR vendors” because current systems do not support such a requirement. The association suggests CEs and BAs respond to these patient requests on an ad hoc basis “rather than require significant systems and process changes that will raise the cost of healthcare for what appears to be a very limited number of requests.”

Because many entities do not have the ability to meet the technical requirements, OCR should delay its proposed compliance dates, AHIMA says. Currently, the compliance date for the access reports provision is January 1, 2013, for electronic DRS systems acquired after January 1, 2009, and January 1, 2014, for electronic DRS systems acquired prior to 2009.

Further, access reports should carry only identifiers for the workforce members rather than actual names, AHIMA says. Patients asking who viewed their medical records often have a specific individual in mind, such as a former spouse, AHIMA says.

HIM professionals have reported to AHIMA several situations where employees have been stalked after their names are released to patients.

“While we fully support the requirement allowing an individual to have knowledge of access, we also want to protect the workplace staff of the covered entity,” AHIMA states in its comments. “AHIMA supports narrowing the requests to specific individuals when possible. In some treatment environments (e.g., emergency departments and psychiatric facilities), providers are permitted to use pseudonyms to avoid patients stalking or contacting them outside the workplace. Access accounting would require facilities to share the legal names of their providers which defeat the protections that have been in place for long periods of time.”

AHIMA concluded its comments by calling for OCR to develop a pilot to test the “assumptions” in the new access report requirement and consumer awareness and education.

“In addition to not knowing the impact on covered entities and business associates, the burdens will not be known if we cannot determine how the average consumer will or will not request an access report,” the organization says.


  1. Stephanie says:

    Most health care systems have 100+ electronic systems that comprise the designated record set. Many of these systems cannot produce a machine-readable report for the patient, and access to the systems is limited to the department utilizing the system and not the entire workforce. Individuals requesting access reports have someone in mind they feel has violated their privacy rights. There isn’t any reason to pull 100+ access reports when one report would give the patient the information they are seeking.
