Submitted electronically at www.regulations.gov

Ms. Susan McAndrew
Deputy Director for Health Information Privacy
Office for Civil Rights
U.S. Department of Health and Human Services
Hubert H. Humphrey Building
200 Independence Avenue, S.W.
Washington, D.C. 20201

RE: HIPAA Privacy Rule Accounting for Disclosures, RIN 0991-AB62

Dear Ms. McAndrew:

The Association of American Medical Colleges (AAMC or the Association) is pleased to have this opportunity to comment on the Office for Civil Rights (OCR or the Agency) proposed rule, HIPAA Privacy Rule Accounting for Disclosures Under the Health Information Technology for Economic and Clinical Health Act, 76 Fed. Reg. 31426 (May 31, 2011). The AAMC represents all 134 accredited U.S. medical schools; approximately 300 acute care hospitals and health systems; and nearly 90 academic and scientific societies. Through these institutions and organizations, the AAMC represents over 100,000 clinical faculty, 75,000 medical students, and 106,000 resident physicians.

While the AAMC welcomes the proposed revisions to the accounting for disclosures requirements and generally supports them, the Association is very concerned about the proposed creation of the access report. The creation of a right to an access report will be extremely burdensome to providers in contravention both of Executive Order 13563, Improving Regulation and Regulatory Review, and Congressional intent as expressed throughout the Conference Report to the Health Information Technology for Economic and Clinical Health (HITECH) Act. While AAMC acknowledges the importance of allowing patients to obtain important, relevant information about the use of their medical information, OCR has failed to demonstrate that the access report will meet a need of patients or their representatives. Therefore, as discussed below, the AAMC requests that OCR withdraw all provisions related to the access report. If OCR determines that this necessitates major revisions related to the accounting for disclosures requirements, then the Agency should consider withdrawing the entire rule and developing a new notice of proposed rulemaking.
ACCOUNTING FOR DISCLOSURES

General Requirements

The AAMC supports the more limited accounting for disclosures that OCR has proposed, and agrees with the Agency that most of these changes will "provide information of value to individuals while placing a reasonable burden on covered entities and business associates." (76 Fed. Reg. at 31429) Nonetheless, the AAMC suggests the following revisions to the accounting for disclosures requirements:

Right to an Accounting: Although OCR has proposed to limit the accounting provision to protected health information in a designated record set, the preamble states that this includes the medical and health care payment records maintained by or for a covered entity, and other records used by or for the covered entity to make decisions about individuals. This is far too broad a definition, as it would include information in practice management and other systems that are not part of the electronic health record (EHR) and that are not designed to provide the type of information that is necessary for an accounting. The AAMC requests that OCR limit the accounting to information maintained in an electronic health record.

Content of the Accounting: One of the data elements is a brief description of the "type of protected health information disclosed." If this requirement is finalized, the AAMC asks that OCR provide simple and flexible guidance about what is meant by "type" of PHI.

Provision of Accounting: The final rule should retain the current 60-day time period for covered entities to respond to a request for an accounting. Although the proposed rule allows for 30 days and a one-time 30-day extension, OCR has produced no evidence to suggest that 60 days is too long and notes that "we understand that generating an accounting for disclosures is still a very manual process." (76 Fed. Reg. at 31435) In addition, providers currently are prepared to comply with a 60-day deadline. Therefore, the current response period should be retained.
Compliance Enforcement Deadline: To provide adequate time for the development of EHR systems that can more easily produce the information necessary for an accounting of disclosures, the compliance enforcement deadline should be extended to 2016.

Requirements Related to Research

The AAMC strongly encourages OCR to finalize its proposal to wholly exempt covered entities from having to provide an accounting of disclosures for research conducted under 164.512(i), including through a protocol listing. The AAMC agrees with OCR's proposal that the accounting requirement does not need to be applied when an institutional review board (IRB) or privacy board has granted a waiver from the requirement for individual authorization. As the proposed rule accurately points out, such a waiver is granted only after an IRB or Privacy Board has made a determination that there is no more than a minimal risk to the individual's privacy, in addition to several other criteria designed to protect the research subjects. Such protections, in addition to the responsibilities of individual researchers to protect research subjects, render the application of the accounting requirement to this research both unnecessary and burdensome.

The current Privacy Rule allows a covered entity to provide individuals with a protocol listing, a compilation of research protocol titles for which an individual's PHI may have been disclosed, rather than an individualized accounting, for those studies in which 50 or more subjects are involved. AAMC members report that the burden of compiling such a list is significant and is of little value to an individual, who would not be able to use this information to gain a clearer understanding of whether his or her PHI had been disclosed, and in what context. In addition, it is difficult for institutions to distinguish the protocols that may have disclosed PHI, and thus triggered the accounting requirement, from the total number of protocols that have been granted a waiver of the requirement for individual authorization. An AAMC member reported that such waivers have been granted for approximately 10 percent of all active protocols. The member estimates that under the proposed accounting requirement, the number of protocols that might be included is over 100 protocols targeting enrollment of fewer than 50 subjects, and approximately 375 protocols with a targeted enrollment of over 50, a significant change from the current requirements. Most often PHI is accessed for the purpose of retrospective chart reviews or reviews of large databases, which include information on several thousand or more individuals. Whether PHI related to each of these protocols is used (and thus not subject to the accounting requirement) or disclosed (triggering inclusion in the protocol listing) is burdensome to determine and complicated to explain, resulting in a protocol listing that is likely to be of limited or no value to an individual.
ACCESS REPORT

The Requirement for a Right to an Access Report Should Be Withdrawn

The AAMC strongly urges OCR to withdraw the requirement for the access report because the proposal:

1. Seems to ignore the directive in the HITECH Conference Report that "... in developing regulations on the accounting of disclosures through an EHR, the Secretary would be required to take into account an individual's interest in learning when the PHI was disclosed and to whom, as well as the cost of accounting for such disclosures ..."

2. Appears to be based on the erroneous premise that the right to an access report will be "a more automated process that provides valuable information to individuals with less burden to covered entities and business associates." (76 Fed. Reg. at 31429)

3. Underestimates the burden of creating access reports when OCR states that "if few individuals request access reports, then covered entities will rarely need to undertake the burden of generating an access report." (76 Fed. Reg. at 31439) This fails to take into account that, regardless of the number of requests, covered entities must have in place all the systems, policies, and staff that will be necessary if even one request is received.

AAMC members report that patients who have a concern that their protected health information was inappropriately accessed most frequently question whether a particular hospital employee, such as a neighbor, looked at their records. Members already respond to these concerns and are able to work with individual patients, conducting targeted reviews to address specific instances of suspected inappropriate access. Many also engage in frequent monitoring of patient records. If a potentially inappropriate access is detected, they have policies and procedures that require an investigation and impose consequences on any individual who is found to have inappropriately accessed a patient's protected health information. While this is anecdotal evidence, it suggests a framework that OCR can use to craft a requirement that meets the mandate of HITECH, ensures that all patients are able to obtain the information they want, and does not create an unreasonable burden on hospitals, physicians, and others that must comply with HIPAA.

Cost of Complying Will Be Large

In addition to putting forth no evidence to support the need for the access report, the Agency also underestimates the financial and staff cost that will be needed to ensure that a covered entity is able to produce an access report. It is not uncommon for an organization to have one system for inpatient records, one for outpatient, and separate systems for the operating room, emergency department, radiology, and other ancillaries. One AAMC member estimated the cost of complying with this regulation for 10 systems, not the total number of systems that would fall under the definition of designated record set. Based on the use of Fair Warning, a privacy breach detection software used by many AAMC members, this member has broken out the annual costs for the 10 systems as follows:

Capital cost of Fair Warning to monitor 10 systems: $170,900.00

Staff time per system monitored:
- Security program manager: 36 hours
- Application program: 18 hours
- Application Analyst: 54 hours

Total man-hours for each system monitored: 108 hours.

Total costs for the monitoring of 10 systems are: $170,900.00 + 1080 man-hours

This estimate does not include the substantial staff time that also will be needed when a patient is provided with an access report that is difficult, if not impossible, to understand. This will necessitate identifying and training individuals to explain the meaning of the report, determine if a particular individual's access is appropriate, and answer questions.

Information Should Be Limited to What Is Included in the EHR, Not the Designated Record Set

The HITECH requirement that the proposed rule is seeking to implement is limited to a covered entity that "uses or maintains an electronic health record with respect to protected health information." (emphasis added; 13405(c) HITECH) Although there seems to be no regulatory definition of an electronic health record, it might most commonly be considered to be equivalent to a patient's medical record. Nonetheless, rather than define an electronic health record, OCR has proposed that the access report will include everything that is in a designated record set (45 CFR 164.501), resulting in a broad application of the proposal that seems to go far beyond what is required by the law. OCR should ensure that any revisions to the accounting for disclosures requirements are consistent with the law and apply to systems that may reasonably have the capacity to produce the required information.

Information Contained in Logs Is Not in a Readily Understandable Format

Current electronic health record systems are not designed to provide access information in a format that is understandable to individuals. Below is a one-page sample of a log from an AAMC member's emergency department system:

[Sample log page not reproduced in this text.]

Another member reports that the log for a routine hospital stay is 500 pages in length. System security access logs typically contain the following information:

1. Date/time stamp of the log entry
2. User in the system that performed the action (this user can be presented in a multitude of ways, especially if the user is an automated, non-human account)
3. The action they performed
4. The goal for that action
5. Details about the action itself
6. In some cases, multiple actions may constitute a flow and end up as one log entry

Generally, a log also includes information about records activity occurring due to automated functions between different clinical systems. In addition, the presence of codes and acronyms in logs makes the presentation of the data challenging and lengthy, and provides no information about whether access by a particular individual is appropriate. OCR seems to recognize that the complete logs may be extremely lengthy and "encourage[s] covered entities to create forms for individuals to request an access report that provides information about the information the individual will receive and allows the individual to narrow the request based on the individual's interests." However, a narrow request is not mandatory, so a covered entity must be fully prepared to respond to any patient request of any size.

Names of Employees Should Not Be Provided

AAMC members have expressed significant safety concerns about releasing the names of their employees as part of the access report. For example, many AAMC members treat criminals and mentally ill patients who, once they know the names of employees, may pose a danger to them. Some members have expressed concerns that in some circumstances the requirement for providing names may compromise patient care. Knowing that their name may be released to a patient who is seen as potentially dangerous may make some providers reluctant to access that patient's medical record, even when doing so is appropriate.

The Access Report and Research

To advance research and improve health for patients and populations, researchers, with appropriate ethical oversight, routinely access subjects' electronic health records.
The AAMC is concerned that the proposed requirement to provide requesting individuals with comprehensive access reports not only greatly increases the burdens on researchers and institutions but would provide individuals with no greater protections than are currently required through the oversight of research protocols. While not explicitly required by the proposed rule, an institution must be prepared to provide information about the identities of the individuals listed in an access report and the purpose for which the PHI was accessed, in response to questions from a recipient of an access report. As is true on the clinical side, AAMC members also have concerns about providing individuals with the names of members of a research team. Particularly when a medical record is accessed for research purposes pursuant to a waiver of individual authorization from an IRB or Privacy Board, research team members may not be prepared to answer questions about a particular protocol. This raises potential ethical concerns, as such contact between a potential subject and researcher had been neither contemplated nor approved by an IRB. Research subjects who have given individual authorization for the use and disclosure of PHI for research are already provided with contact information for the research team, where they can direct any specific privacy concerns or questions.
Given the potentially staggering number of times that electronic health records may be accessed in a single study, research-related contact events could significantly increase the burden on institutions when an access report is requested. AAMC members have reported that the number of unique contact events for research purposes alone is in the millions and predicted that the cost of collecting this data and responding to subsequent inquiries about research access could be substantial. One member reported that the number of such contact events from a subset of the databases that would need to be queried to create such an event exceeded 2.9 million in 2010 and was expected to exceed 4.5 million research-related contact events in 2011. Identification of all appropriate designated record sets could extend, under the proposed rule, to electronic case report forms and research databases, increasing the burden of compliance, the data generated, and the potential for including confusing or redundant information. If OCR finalizes the proposed right to an access report, the AAMC urges the Agency to provide a broad exemption related to PHI that is accessed for research purposes. However, the AAMC recognizes that even the creation of such an exemption will be of limited value because very few institutions have the ability to distinguish access for research purposes from access for other purposes. This underscores the need to withdraw the access report requirement entirely.

If the Rule Is Adopted, the Compliance Date Should Be Delayed

At a time when hospitals and physicians are struggling to implement EHRs, imposing a requirement that none are able to meet is unreasonable. If OCR decides to finalize the proposed right to an access report, there must be a significant delay in the compliance date, until at least 2016. This will provide time for vendors to make the needed changes to electronic systems and will avoid imposing a distraction on hospitals and physicians at a time when they are working hard to adopt EHRs and to meet the Medicare program's meaningful use requirements.

* * * * * * * * * *

If you have questions about these comments, please direct them to Ivy Baer, J.D., M.P.H. (ibaer@aamc.org or 202-828-0499) or Heather Pierce, J.D., M.P.H. (hpierce@aamc.org or 202-478-9926).

Sincerely,

Darrell G. Kirch, M.D.
President and CEO

cc: Ivy Baer, J.D.
Heather Pierce, J.D.