Archive for August, 2011

Margaret Dick Tocknell, for HealthLeaders Media

A proposed HIPAA privacy disclosures rule would be an administrative and financial burden for providers. Furthermore, the rules go beyond the scope of HIPAA, and they could intrude on the privacy of healthcare providers.

Those were the predominant themes among more than 140 public comments received as the comment period drew to a close Monday.

The usual tech interest groups, such as CHIME and AHIMA, filed comments, as did a mix of hospitals, government offices, individual physicians, and vendors. Although many comments are generally supportive of the concept of transparency in regard to personal health records, implementation is another matter.

In one of the few complete endorsements of the proposed rule, Sheryl Nicklaus offered her comments from a consumer’s perspective. “I want to know who is accessing my electronic health record…I want to know if my EHR record needs to be accessed for legal purposes, or for audit purposes, that facts in the record are NOT changed by medical staff in any way in the days before I receive the document (which is possible with the paper charts now.) This assures accountability and ethical truthfulness of the medical staff.”

But the prevailing tone of the comments was negative.

Dr. Glen LaBine, a dentist, said simply, “due to the economy, this would put a hardship on my business. The burden of financial costs would cause me to close my practice.”

Dr. Christina Morris, commenting as a family physician, said “I am strongly opposed to this rule…as it will serve only to increase tedious workloads by requiring redundant documentation of the need to view critical patient information to perform clinical duties.” She expressed concern that the “issue of necessary practitioner access to medical records will only serve as fodder for the already encumbered medical liability system until appropriate tort reform measures are addressed.”

Here is a sampling of the other comments posted on regulations.gov:

American Health Information Management Association represents 61,000 health information management professionals. Dan Rode, vice president of policy and government relations, wrote “Although we strongly support the right of individuals to ask questions regarding access to their PHI, we are troubled because such rules go outside of the current scope of HIPAA, even with the HITECH amendments… the transition to electronic health record systems did not contemplate the necessity of tracking this level of access or take into consideration the potential administrative costs, and thus, will cause significant burden for covered entities and their EHR vendors.”

“AHIMA queried our HIM professionals on how they currently handle individuals’ concerns about who has accessed their electronic health records. The HIM professionals indicated that they have been able to respond to the queries and satisfy the individuals without providing the details proposed in the access report…AHIMA suggests it would make more sense to require covered entities and business associates to respond to these requests on an ad hoc basis rather than require significant systems and process changes that will raise the cost of healthcare for what appears to be a very limited number of requests.”

Medical Group Management Association’s more than 21,000 members are professional administrators and leaders of medical group practices. Like AHIMA, the MGMA provided information gleaned from a survey of its membership that included a very low demand for the access records. MGMA reported that 65% of the respondents reported they had received less than 1 patient request per FTE physician for disclosure reports in the past 12 months.

“Considering how infrequently physician practices receive these requests from patients, the proposed rule fails to meet the statutory requirement to balance the needs of patients with the burden on providers,” wrote William F. Jessee, MGMA president and CEO. “These reports, which would be required to show all electronic access to a patient’s health information for up to three years, could be hundreds or even thousands of pages long, making them extremely challenging for physician practices to produce and of little practical value to the patient receiving them.”

College of Healthcare Information Management Executives (CHIME) represents more than 1,400 CIO members, healthcare IT vendors and professional services firms. In its comments CHIME notes that the access reports would not differentiate between uses of the information for care delivery and disclosures of the information. “Many legitimate access events could occur across clinical systems that fall outside certified EHRs, complicating any requirement to deliver a consolidated report or allowing for customized views.”

The comment letter takes issue with the release of the names of staff members who have accessed a patient’s information, saying the disclosure has the potential to “expose employees to unnecessary scrutiny or other negative consequences. This could be viewed as a violation of employee rights.”

The University of California has five medical centers that receive more than 3.9 million patient visits annually. The university echoed other comments that challenged the expansion of the right conferred under HITECH to an access report from the electronic designated record set. John Stobo, senior vice president for health sciences and services at UC, said in a letter that “Covered entities should not be required to provide an access report for anything other than access that would constitute a disclosure of PHI for treatment, payment and operations. If the right to an access report is retained in the regulation then such a right should be limited to the EHR and not expanded to the much broader electronic designated record set. The expansion of the requirement to provide access logs from the electronic designated record set is a much broader requirement than is mandated under the HITECH Act, will impose a significant administrative burden on health care facilities and providers at a time when they are focused on implementation of EHRs to promote the nation’s health, and provides little patient benefit.”

Stobo also cited some special circumstances in recommending that employee names not be included in access reports. He noted that, given UC’s public mission, its hospitals serve a variety of patients, including prisoners and other criminals. “With these unique patient populations in mind, the disclosure of employee names in an access report presents a significant and real employee safety concern.”

The New York Department of Health made a plea to exclude computer programmers from the access rules. Jason Helgerson, the Medicaid director, wrote “…the department’s Medicaid data warehouse will be accessed by scores of individuals on an hourly basis as they write computer programs. All of these queries will be accessing thousands and in many cases millions of claims records. While keeping track of these inquiries can be done technologically, we question whether an access report listing the names of anyone who wrote a program that used claims data to create a report will provide any useful information.”

Page, Wolfberg & Wirth is a law firm that represents more than 1,000 ambulance services and emergency medical services agencies. “HHS believes that covered entities are already tracking every instance when electronic PHI is accessed under the HIPAA security rule. The rule does not mandate constant access tracking, nor does it provide specific details on the technology or methods that must be used to monitor access to ePHIs. Current systems are geared to track only a limited number of disclosures to comply with the current accounting standard. The proposed rule would require upgrading and/or reconfiguration of most current software systems.”

IMS Health provides information services for the healthcare industry. In its comment letter IMS expressed concerns about the access report concept. “While the access report may satisfy patient curiosity regarding who might have touched his or her medical records, it’s certainly not the best means for a patient to determine if someone inappropriately accessed his or her records. Many covered entities put alerts on patient files when there is some suspicion of inappropriate access, and this would seem to satisfy any requisite investigational needs and remediation efforts. Further, regulations that specifically address the particular issue of suspected inappropriate access would be more appropriate than what is proposed.”

Brigham and Women’s Hospital in Boston is a major medical research facility. In its comment letter the hospital voiced support for excluding research from the required access disclosures citing the difficulty of collecting that information because “unlike other types of institutional records, research records often are not maintained in a central, electronic system. Typically they are maintained by individual investigators in a manner specific to the nature and requirements of the protocol.”

American Hospital Association calls access report provision in the OCR proposed HIPAA Privacy Rule disclosure rule “misguided.”

We Tweeted the highlights Monday night. Stay tuned for blog updates.

Straight from the AHA’s comments submitted to OCR, whose deadline for official comments is midnight tonight:

  • While the AHA generally supports HHS’s efforts to implement changes to the existing accounting of disclosures requirements, we request that HHS clarify the discussion of designated record sets, adopt its proposed exclusions to the accounting requirement and maintain existing exclusions. We urge HHS to maintain a 60-day response requirement and limit an accounting to three years.
  • Instead of moving forward to establish the new individual right to an access report, HHS should reissue a request for information aimed at better reflecting the statutory requirements, the technological realities, and better alignment of the regulation’s effectiveness with the compliance burdens.
  • The AHA is concerned about the assumptions HHS makes regarding the HIPAA Security Rule in its preamble commentary and asks HHS to retract the preamble discussion in order to reflect longstanding department guidance.
  • In the event HHS declines our request to abandon the access report, we urge HHS to adopt a number of changes, including extending the compliance date and removing the requirement to name employees. We also request that HHS reflect the statutory requirement that covered entities be permitted to direct individuals to a business associate. In addition, we ask that HHS make clear that a covered entity is not liable for unsecure transmissions requested by a patient. Finally, we request that HHS provide at least 60 days for the provision of an access report.

Cheryl Clark, for HealthLeaders Media

Just days before the close of the comment period on the proposed “accounting of disclosures” HIPAA privacy rule, providers are cranking up the volume to get the rule changed or thrown out and rewritten from scratch.

“This proposed rule is just too onerous,” says Robert Tennant, senior policy adviser for the Medical Group Management Association, whose members include practices with 275,000 physicians in the U.S.

Results from an MGMA survey released this week indicate that passage of the rule in its proposed form would be a strong or a complete disincentive to install an electronic health record system for 568 of the 1,340 respondents. Another 169 said it would be a moderate disincentive.

This proposed rule, called for by the Health Information Technology and Clinical Health Act of 2009 (HITECH) and written by the Office for Civil Rights, is intended to give patients the ability to learn who viewed any medical information, even that related to treatment, payment, and health operations.

It would require physician practices with electronic health records to produce an “accounting of disclosures” and an “access report for treatment, payment and healthcare operations.”

That could mean producing documents that are 2,000 pages long, Tennant said. Also, the proposed rule would require that practices keep this information for three years.

The information provided would include the date, the time the information was accessed, and what information was accessed, as well as the name of the person who accessed it, “which raises other issues such as the privacy of the employee,” Tennant explained in a telephone interview.
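To make concrete what such an access report contains, and how the mitigations the commenters asked for would change it, here is an added illustration (not code from the rule, from any EHR vendor, or from anyone quoted on this page). It builds a per-patient report with the fields described above (date, time, what was accessed, who accessed it) from a small constructed audit log, limits it to the three-year window, optionally reports a role instead of an employee name as the AHA and UC requested, optionally drops programmer accesses as the New York Department of Health asked, and flags which rows are disclosures rather than treatment, payment or operations uses, the distinction CHIME said the reports would not draw. The log format, field names and roles are assumptions made for the example.

```python
"""Added example: generate a HIPAA-style access report from audit-log records.
The CSV layout, column names and role vocabulary are constructed for this
illustration and are not taken from any product or from the proposed rule."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Constructed sample audit log. One row per record access; 'purpose' marks
# whether the access was an internal use (treatment/payment/operations) or a
# disclosure to an outside party.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,section,purpose
2011-08-01T09:02:11,jdoe,nurse,P-1001,vitals,treatment
2011-08-01T09:03:40,jdoe,nurse,P-1001,medications,treatment
2011-08-01T10:15:00,asmith,physician,P-1001,progress_notes,treatment
2011-08-02T14:20:05,bjones,billing,P-1001,encounter_summary,payment
2011-08-03T08:00:00,etl_batch,programmer,P-1001,claims,operations
2011-08-03T11:45:30,outside_lab,external,P-1001,lab_results,disclosure
2008-06-15T12:00:00,oldstaff,nurse,P-1001,vitals,treatment
2011-08-01T09:02:11,jdoe,nurse,P-2002,vitals,treatment
"""

# Report date used for the three-year look-back in the demo (constructed).
AS_OF = datetime(2011, 8, 31)


@dataclass
class AccessEvent:
    when: datetime
    user: str
    role: str
    patient_id: str
    section: str
    purpose: str


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the constructed CSV audit log into AccessEvent records."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append(AccessEvent(
            when=datetime.fromisoformat(row["timestamp"]),
            user=row["user"], role=row["role"], patient_id=row["patient_id"],
            section=row["section"], purpose=row["purpose"]))
    return events


def access_report(events: Iterable[AccessEvent], patient_id: str, as_of: datetime,
                  years: int = 3, name_employees: bool = True,
                  exclude_roles: Tuple[str, ...] = ()) -> List[tuple]:
    """Return report rows (date, time, section, who, purpose, is_disclosure)
    for one patient, oldest first.
    - Only accesses within `years` before `as_of` are kept (three-year limit).
    - With name_employees=False the 'who' column carries the role, not the
      user name (the change the AHA and UC requested).
    - Roles in exclude_roles are dropped, e.g. ('programmer',) as NY DOH asked.
    """
    cutoff = as_of - timedelta(days=365 * years)
    rows = []
    for e in sorted(events, key=lambda ev: ev.when):
        if e.patient_id != patient_id or not (cutoff <= e.when <= as_of):
            continue
        if e.role in exclude_roles:
            continue
        who = e.user if name_employees else e.role
        rows.append((e.when.date().isoformat(), e.when.time().isoformat(),
                     e.section, who, e.purpose, e.purpose == "disclosure"))
    return rows


def page_count(rows: list, rows_per_page: int = 40) -> int:
    """Estimate printed pages for a report (the volume concern MGMA raised)."""
    return -(-len(rows) // rows_per_page)  # ceiling division


def run_demo() -> dict:
    """Produce the full report and the narrowed report for patient P-1001."""
    events = parse_log(SAMPLE_LOG)
    full = access_report(events, "P-1001", AS_OF)
    narrowed = access_report(events, "P-1001", AS_OF, name_employees=False,
                             exclude_roles=("programmer",))
    return {"full": full, "narrowed": narrowed,
            "disclosures": sum(1 for r in narrowed if r[5]),
            "pages": page_count(full)}


if __name__ == "__main__":
    result = run_demo()
    for row in result["full"]:
        print(row)
    print("narrowed rows:", len(result["narrowed"]),
          "disclosures:", result["disclosures"], "pages:", result["pages"])
```

The `purpose` column is the point to notice: an audit log that records only who touched which record cannot separate a treatment-related use from a disclosure, so a report that must distinguish the two needs that purpose recorded at access time, not reconstructed afterwards.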

He noted that the issue could become a problematic one for physician practices as well as health plan officials. “Let’s say God forbid you had a child who died of a disease, and a health plan had denied a healthcare claim. (Under this rule), now you (would) have access to the name of the person who denied that claim.”

“The Office for Civil Rights went far, far beyond the scope of the statute with this proposed rule,” he said. “It’s incumbent on them to circle back, and really craft a regulation that’s going to be workable.”

Other groups, such as the College of Healthcare Information Management Executives (CHIME), have expressed concerns. Public comments about the proposed rule are largely negative.

Tennant added that some serious unintended consequences could result if the Department of Health and Human Services does not step back and redraft the regulation. First, he said, it would discourage many physicians from purchasing electronic health records, despite the incentive payments provided by the same HITECH Act.

Second, it may spur some providers to decline to bill payers, requiring the patient to pay the bill in full at the time of the visit or within 30 days, and recapture the money from the health plan or government payer, Tennant said.

“I have not heard of anyone who is in support of this, including the privacy advocates. It’s unworkable for anybody.”

Another element revealed by the MGMA survey is that patients apparently aren’t clamoring to get information of this kind all that often. When asked how many patient requests for disclosure they received in the last 12 months, 65% said zero to 1 per physician.

Hospitals have echoed these concerns. For example, Paula A. Bussard, Senior Vice President for Policy & Regulatory Services for the Hospital and Healthsystem Association of Pennsylvania, wrote:

“To comply with specific obligations for providing an access report, hospitals would need, for example, to disclose the identity of employees who are acting in perfectly appropriate ways—doing exactly what they are supposed to be doing—to any patient who makes a request. It is difficult to understand exactly what privacy benefit to patients supplying employees’ names in these circumstances serves.”

The American College of Physicians, whose members include 132,000 internists, also called the proposal “onerous.”

“We believe the proposed rules as written will have the unintended negative consequence of reducing the clinically appropriate and necessary sharing of PHI with adverse impact on patient care quality and safety,” wrote Michael H. Zaroukian, MD, Chairman of the ACP’s Medical Informatics Committee.

“Providers will likely resort to printing and handing records to patients for them to deliver to other providers rather than having to explain cryptic listings of record accesses in a log file.”

Chad Carr, medical records manager for MedStar Emergency Medical Services of Fort Worth, said in MedStar’s letter to the federal health agency that “tracking and subsequently generating a detailed report of all access activity related to electronic designated records sets (DRS) will pose substantial and unreasonable burdens for our organization.”

Carr added, “Patient records are sometimes accessed numerous times on a daily basis for a host of legitimate reasons. For example, EMTs and paramedics may create an electronic patient care report (ePCR) in the field and then subsequently access that report several times to complete it. This is because there is often limited time to record all of the necessary information at the time of service.”
