Federal regulators are “misguided” in their proposed HIPAA disclosures rule, disregarding what Congress intended through HITECH and failing to balance patient privacy rights with the technological capabilities of providers, the American Hospital Association (AHA) says in a letter released Monday.
The letter, submitted to Kathleen Sebelius, secretary of the Department of Health and Human Services (HHS), calls on the federal regulators to “significantly alter” their approach in the “HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act.” The proposed rule was published in the Federal Register May 31.
Chiefly, AHA wants the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules under HHS, to withdraw from the rule its new “access report” provision; through the proposed provision, patients can request an accounting of who accessed their electronic health information in a designated record set, for any reason. It covers both uses and disclosures.
As the government tries to reduce administrative costs in healthcare—through health reform and new financial incentives to become a “meaningful user” of electronic health records (EHR)—the access report right is a step back, AHA says.
“The proposal … is misguided and does not appropriately balance the relevant privacy interests of individuals with the burdens that will be imposed on covered entities, including hospitals,” the AHA writes in the letter. “The proposal is based on a fundamental misunderstanding of the value to individuals of receiving the particular information that the access report would capture, as well as a misunderstanding about the capabilities of technologies available to and used by covered entities.”
AHA’s letter represented its official comment to OCR regarding the proposed rule; the comment period ended Monday. After OCR considers the comments, it is expected to issue a final rule.
Instead, OCR should first seek more information from the industry in order to determine “the needs of patients who seek to understand how their PHI is disclosed, while simultaneously ensuring that covered entities are technically capable of providing such information without incurring unreasonable burdens to do so,” AHA writes.
- Clarify the discussion of designated record sets, adopt its proposed exclusions to the accounting requirement and maintain existing exclusions.
- Maintain a 60-day response requirement and limit an accounting to three years.
- Retract its HIPAA Security Rule preamble commentary in order to reflect longstanding department guidance.
- Extend the access report compliance date and remove the requirement to name employees.
- Reflect the statutory requirement that covered entities be permitted to direct individuals to a business associate.
- Make clear that a covered entity is not liable for unsecure transmissions requested by a patient.
- Provide at least 60 days for the provision of an access report.