RE: HIPAA Privacy Rule Accounting for Disclosures, RIN 0991-AB62


Submitted electronically at www.regulations.gov

Ms. Susan McAndrew
Deputy Director for Health Information Privacy
Office for Civil Rights
U.S. Department of Health and Human Services
Hubert H. Humphrey Building
200 Independence Avenue, S.W.
Washington, D.C. 20201

RE: HIPAA Privacy Rule Accounting for Disclosures, RIN 0991-AB62

Dear Ms. McAndrew:

The Association of American Medical Colleges (AAMC or the Association) is pleased to have this opportunity to comment on the Office for Civil Rights (OCR or the Agency) proposed rule, HIPAA Privacy Rule Accounting for Disclosures Under the Health Information Technology for Economic and Clinical Health Act, 76 Fed. Reg. 31426 (May 31, 2011). The AAMC represents all 134 accredited U.S. medical schools; approximately 300 acute care hospitals and health systems; and nearly 90 academic and scientific societies. Through these institutions and organizations, the AAMC represents over 100,000 clinical faculty, 75,000 medical students, and 106,000 resident physicians.

While the AAMC welcomes the proposed revisions to the accounting for disclosures requirements and generally supports them, the Association is very concerned about the proposed creation of the access report. The creation of a right to an access report will be extremely burdensome to providers in contravention both of Executive Order 13563, Improving Regulation and Regulatory Review, and Congressional intent as expressed throughout the Conference Report to the Health Information Technology for Economic and Clinical Health (HITECH) Act. While AAMC acknowledges the importance of allowing patients to obtain important, relevant information about the use of their medical information, OCR has failed to demonstrate that the access report will meet a need of patients or their representatives. Therefore, as discussed below, the AAMC requests that OCR withdraw all provisions related to the access report. If OCR determines that this necessitates major revisions related to the accounting for disclosures requirements, then the Agency should consider withdrawing the entire rule and developing a new notice of proposed rulemaking.

ACCOUNTING FOR DISCLOSURES

General Requirements

The AAMC supports the more limited accounting for disclosures that OCR has proposed, and agrees with the Agency that most of these changes will "provide information of value to individuals while placing a reasonable burden on covered entities and business associates." (76 Fed. Reg. at 31429) Nonetheless, the AAMC suggests the following revisions to the accounting for disclosures requirements:

Right to an Accounting: Although OCR has proposed to limit the accounting provision to protected health information in a designated record set, the preamble states that this includes the medical and health care payment records maintained by or for a covered entity, and other records used by or for the covered entity to make decisions about individuals. This is far too broad a definition, as it would include information in practice management and other systems that are not part of the electronic health record (EHR) and that are not designed to provide the type of information that is necessary for an accounting. The AAMC requests that OCR limit the accounting to information maintained in an electronic health record.

Content of the Accounting: One of the data elements is a brief description of the type of protected health information disclosed. If this requirement is finalized, the AAMC asks that OCR provide simple and flexible guidance about what is meant by "type" of PHI.

Provision of Accounting: The final rule should retain the current 60 day time period for covered entities to respond to a request for an accounting. Although the proposed rule allows for 30 days and a one-time 30 day extension, OCR has produced no evidence to suggest that 60 days is too long and notes that "we understand that generating an accounting for disclosures is still a very manual process." (76 Fed. Reg. at 31435) In addition, providers currently are prepared to comply with a 60 day deadline. Therefore, the current response period should be retained.

Compliance Enforcement Deadline: To provide adequate time for the development of EHR systems that can more easily produce the information necessary for an accounting of disclosures, the compliance enforcement deadline should be extended to 2016.

Requirements Related to Research

The AAMC strongly encourages OCR to finalize its proposal to wholly exempt covered entities from having to provide an accounting of disclosures for research conducted under 164.512(i), including through a protocol listing. The AAMC agrees with OCR's proposal that the accounting requirement does not need to be applied when an institutional review board (IRB) or privacy board has granted a waiver from the requirement for individual authorization. As the proposed rule accurately points out, such a waiver is granted only after an IRB or Privacy Board has made a determination that there is no more than a minimal risk to the individual's privacy, in addition to several other criteria designed to protect the research subjects. Such protections, in addition to the responsibilities of individual researchers to protect research subjects, render the application of the accounting requirement to this research both unnecessary and burdensome.

The current Privacy Rule allows a covered entity to provide individuals with a protocol listing, a compilation of research protocol titles for which an individual's PHI may have been disclosed, rather than an individualized accounting, for those studies in which 50 or more subjects are involved. AAMC members report that the burden of compiling such a list is significant and is of little value to an individual, who would not be able to use this information to gain a clearer understanding of whether his or her PHI had been disclosed, and in what context. In addition, it is difficult for institutions to distinguish the protocols that may have disclosed PHI and thus triggered the accounting requirement from the total number of protocols that have been granted waiver of the requirement for individual authorization. An AAMC member reported that such waivers have been granted for approximately 10 percent of all active protocols. The member estimates that under the proposed accounting requirement, the number of protocols that might be included is over 100 protocols targeting enrollment of fewer than 50 subjects, and approximately 375 protocols with a targeted enrollment of over 50, a significant change from the current requirements. Most often PHI is accessed for the purpose of retrospective chart reviews or reviews of large databases, which include information on several thousand or more individuals. Whether PHI related to each of these protocols is "used" (and thus not subject to the accounting requirement) or "disclosed" (triggering inclusion in the protocol listing) is burdensome to determine and complicated to explain, resulting in a protocol listing that is likely to be of limited or no value to an individual.

ACCESS REPORT

The Requirement for a Right to an Access Report Should Be Withdrawn

The AAMC strongly urges OCR to withdraw the requirement for the access report because the proposal:

1. Seems to ignore the directive in the HITECH Conference Report that "... in developing regulations on the accounting of disclosures through an EHR, the Secretary would be required to take into account an individual's interest in learning when the PHI was disclosed and to whom, as well as the cost of accounting for such disclosures ..."

2. Appears to be based on the erroneous premise that the right to an access report "will be a more automated process that provides valuable information to individuals with less burden to covered entities and business associates." (76 Fed. Reg. at 31429)

3. Underestimates the burden of creating access reports when OCR states that "if few individuals request access reports, then covered entities will rarely need to undertake the burden of generating an access report." (76 Fed. Reg. at 31439) This fails to take into account that regardless of the number of requests, covered entities must have in place all the systems, policies, and staff that will be necessary if even one request is received.

AAMC members report that patients who have a concern that their protected health information was inappropriately accessed most frequently question whether a particular hospital employee, such as a neighbor, looked at their records. Members already respond to these concerns and are able to work with individual patients, conducting targeted reviews to address specific instances of suspected inappropriate access. Many also engage in frequent monitoring of patient records. If a potentially inappropriate access is detected, they have policies and procedures that require an investigation and impose consequences on any individual who is found to have inappropriately accessed a patient's protected health information. While this is anecdotal evidence, it suggests a framework that OCR can use to craft a requirement that meets the mandate of HITECH, ensures that all patients are able to obtain the information they want, and does not create an unreasonable burden on hospitals, physicians, and others that must comply with HIPAA.

Cost of Complying Will Be Large

In addition to putting forth no evidence to support the need for the access report, the Agency also underestimates the financial and staff cost that will be needed to ensure that a covered entity is able to produce an access report. It is not uncommon for an organization to have one system for inpatient records, one for outpatient, and separate systems for the operating room, emergency department, radiology, and other ancillaries. One AAMC member estimated the cost of complying with this regulation for 10 systems, not the total number of systems that would fall under the definition of designated record set. Based on the use of Fair Warning, a privacy breach detection software used by many AAMC members, this member has broken out the annual costs for the 10 systems as follows:

Capital cost of Fair Warning to monitor 10 systems: $170,900.00

Staff time per system monitored:
- Security program manager: 36 hours
- Application program: 18 hours
- Application Analyst: 54 hours
Total man-hours for each system monitored: 108 hours

Total costs for the monitoring of 10 systems are: $170,900.00 + 1080 man-hours

This estimate does not include the substantial staff time that also will be needed when a patient is provided with an access report that is difficult, if not impossible, to understand. This will necessitate identifying and training individuals to explain the meaning of the report, determine if a particular individual's access is appropriate, and answer questions.

Information Should Be Limited to What Is Included in the EHR, Not the Designated Record Set

The HITECH requirement that the proposed rule is seeking to implement is limited to a covered entity that "uses or maintains an electronic health record with respect to protected health information." (emphasis added; 13405(c) HITECH) Although there seems to be no regulatory definition of an electronic health record, it might most commonly be considered to be equivalent to a patient's medical record. Nonetheless, rather than define an electronic health record, OCR has proposed that the access report will include everything that is in a designated record set (45 CFR 164.501), resulting in a broad application of the proposal that seems to go

far beyond what is required by the law. OCR should ensure that any revisions to the accounting for disclosures requirements are consistent with the law and apply to systems that may reasonably have the capacity to produce the required information.

Information Contained in Logs Is Not In A Readily Understandable Format

Current electronic health record systems are not designed to provide access information in a format that is understandable to individuals. Below is a one-page sample of a log from an AAMC member's emergency department system:

[One-page log sample not reproduced in this transcription.]

Another member reports that the log for a routine hospital stay is 500 pages in length. System security access logs typically contain the following information:

1. Date time stamp of the log entry
2. User in the system that performed the action. (This user can be presented in a multitude of ways, especially if the user is an automated non-human account.)
3. The action they performed
4. The goal for that action
5. Details about the action itself
6. In some cases, multiple actions may constitute a flow and end up as one log entry

Generally, a log also includes information about records activity occurring due to automated functions in between different clinical systems. In addition, the presence of codes and acronyms in logs makes the presentation of the data challenging and lengthy, and provides no information about whether access by a particular individual is appropriate. OCR seems to recognize that the complete logs may be extremely lengthy and "encourage[s] covered entities to create forms for individuals to request an access report that provides information about the information the individual will receive and allows the individual to narrow the request based on the individual's interests." However, a narrow request is not mandatory, so a covered entity must be fully prepared to respond to any patient request of any size.

Names of Employees Should Not Be Provided

AAMC members have expressed significant safety concerns about releasing the names of their employees as part of the access report. For example, many AAMC members treat criminals and mentally ill patients who, once they know the names of employees, may pose a danger to them. Some members have expressed concerns that in some circumstances the requirement for providing names may compromise patient care. Knowing that their name may be released to a patient who is seen as potentially dangerous may make some providers reluctant to access that patient's medical record, even when doing so is appropriate.

The Access Report and Research

To advance research and improve health for patients and populations, researchers, with appropriate ethical oversight, routinely access subjects' electronic health records. The AAMC is concerned that the proposed requirement to provide requesting individuals with comprehensive access reports not only greatly increases the burdens on researchers and institutions but would provide individuals with no greater protections than are currently required through the oversight of research protocols. While not explicitly required by the proposed rule, an institution must be prepared to provide information about the identities of the individuals listed in an access report and the purpose for which the PHI was accessed, in response to questions from a recipient of an access report. As is true on the clinical side, AAMC members also have concerns about providing individuals with the names of members of a research team. Particularly when a medical record is accessed for research purposes pursuant to a waiver of individual authorization from an IRB or Privacy Board, research team members may not be prepared to answer questions about a particular protocol. This raises potential ethical concerns, as such contact between a potential subject and researcher had been neither contemplated nor approved by an IRB. Research subjects who have given individual authorization for the use and disclosure of PHI for research are already provided with contact information for the research team, where they can direct any specific privacy concerns or questions.
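To make concrete what the letter says about raw access logs (coded actions and acronyms, automated accounts, multi-step flows collapsing into one entry, and a request narrowed to the individual's interests), here is an added example that is not part of the AAMC letter or of any EHR or monitoring product. It turns constructed audit entries in the six-field shape listed above into a per-patient, plain-language access report; the field names, the action and purpose codes, the `svc_` prefix for automated accounts and the sample log lines are all assumptions.

```python
"""Turn raw EHR audit-log entries into a narrowed, patient-readable access
report. Added example, not part of the AAMC letter or of any vendor product;
field names, codes and sample entries are all constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

# Plain-language expansions for the codes a raw log carries (assumed vocabulary).
ACTION_TEXT = {"VIEW": "viewed", "PRNT": "printed", "UPD": "updated",
               "XFER": "transferred between systems"}
PURPOSE_TEXT = {"TX": "treatment", "PMT": "payment", "OPS": "operations",
                "RSCH": "research", "SYS": "automated system function"}
AUTOMATED_USER_PREFIX = "svc_"  # assumed naming convention for non-human accounts

@dataclass(frozen=True)
class LogEntry:
    ts: datetime     # 1. date/time stamp of the entry
    user: str        # 2. account that performed the action
    action: str      # 3. action code
    purpose: str     # 4. goal of the action
    detail: str      # 5. details (record section touched)
    flow_id: str     # 6. entries sharing a flow collapse into one line
    patient_id: str
    system: str      # inpatient, ED, radiology, ...: each keeps its own log

def parse_line(line: str) -> LogEntry:
    # One pipe-delimited line of the constructed raw log format.
    ts, user, action, purpose, detail, flow, pid, system = line.split("|")
    return LogEntry(datetime.fromisoformat(ts), user, action, purpose,
                    detail, flow, pid, system)

def build_access_report(entries: Iterable[LogEntry], patient_id: str,
                        start: Optional[str] = None, end: Optional[str] = None,
                        include_automated: bool = False) -> list:
    """One readable row per access flow; the ISO date window and the
    automated-account filter are the narrowing the rule encourages."""
    lo = datetime.fromisoformat(start) if start else None
    hi = datetime.fromisoformat(end) if end else None
    flows: dict = {}
    for e in entries:
        if e.patient_id != patient_id:
            continue
        if (lo and e.ts < lo) or (hi and e.ts > hi):
            continue
        if not include_automated and e.user.startswith(AUTOMATED_USER_PREFIX):
            continue
        # Key by flow and user so a multi-step workflow becomes a single line.
        f = flows.setdefault((e.flow_id, e.user), {
            "first": e.ts, "user": e.user, "system": e.system,
            "purpose": e.purpose, "actions": [], "details": set()})
        f["first"] = min(f["first"], e.ts)
        if e.action not in f["actions"]:
            f["actions"].append(e.action)
        f["details"].add(e.detail)
    rows = []
    for f in sorted(flows.values(), key=lambda f: f["first"]):
        rows.append({
            "when": f["first"].strftime("%Y-%m-%d %H:%M"),
            "user": f["user"],
            "system": f["system"],
            "what": ", ".join(ACTION_TEXT.get(a, a) for a in f["actions"]),
            "why": PURPOSE_TEXT.get(f["purpose"], f["purpose"]),
            "sections": sorted(f["details"]),
        })
    return rows

def accesses_by_user(rows: list) -> dict:
    # The question patients most often ask: did a particular person look at my record?
    return {u: sum(1 for r in rows if r["user"] == u) for u in {r["user"] for r in rows}}

# Constructed sample: two patients, a nurse, a billing clerk, an automated
# inter-system feed, and one two-step workflow (flow F2).
SAMPLE_LOG = """2011-06-01T08:05:00|nurse_a|VIEW|TX|MED_LIST|F1|P100|ED
2011-06-01T08:06:00|nurse_a|VIEW|TX|ALLERGY|F1|P100|ED
2011-06-01T09:30:00|svc_hl7feed|XFER|SYS|ADT_MSG|F9|P100|ED
2011-06-02T14:10:00|clerk_b|VIEW|PMT|CLAIM|F2|P100|INPATIENT
2011-06-02T14:12:00|clerk_b|PRNT|PMT|CLAIM|F2|P100|INPATIENT
2011-06-03T10:00:00|nurse_a|VIEW|TX|MED_LIST|F3|P200|ED"""
SAMPLE_ENTRIES = [parse_line(line) for line in SAMPLE_LOG.splitlines()]
```

Running `build_access_report(SAMPLE_ENTRIES, "P100")` collapses six raw entries into two human rows; the report still says nothing about whether either access was appropriate, which is the letter's point.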

Given the potentially staggering number of times that electronic health records may be accessed in a single study, research-related contact events could significantly increase the burden on institutions when an access report is requested. AAMC members have reported that the number of unique contact events for research purposes alone is in the millions and predicted that the cost of collecting this data and responding to subsequent inquiries about research access could be substantial. One member reported that the number of such contact events from a subset of the databases that would need to be queried to create such an event exceeded 2.9 million in 2010 and was expected to exceed 4.5 million research-related contact events in 2011. Identification of all appropriate designated record sets could extend, under the proposed rule, to electronic case report forms and research databases, increasing the burden of compliance, the data generated, and the potential for including confusing or redundant information.

If OCR finalizes the proposed right to an access report, the AAMC urges the Agency to provide a broad exemption related to PHI that is accessed for research purposes. However, the AAMC recognizes that even the creation of such an exemption will be of limited value because very few institutions have the ability to distinguish access for research purposes from access for other purposes. This underscores the need to withdraw the access report requirement entirely.

If the Rule Is Adopted the Compliance Date Should Be Delayed

At a time when hospitals and physicians are struggling to implement EHRs, imposing a requirement that none are able to meet is unreasonable. If OCR decides to finalize the proposed right to an access report, there must be a significant delay in the compliance date, until at least 2016. This will provide time for vendors to make the needed changes to electronic systems and will avoid imposing a distraction on hospitals and physicians at a time when they are working hard to adopt EHRs and to meet the Medicare program's meaningful use requirements.

* * * * * * * * * *

If you have questions about these comments, please direct them to Ivy Baer, J.D., M.P.H. (ibaer@aamc.org or 202-828-0499) or Heather Pierce, J.D., M.P.H. (hpierce@aamc.org or 202-478-9926).

Sincerely,

Darrell G. Kirch, M.D.
President and CEO

cc: Ivy Baer, J.D.
    Heather Pierce, J.D.