May 18, 2010. Georgina Verdugo Director Office for Civil Rights United States Department of Health and Human Services




May 18, 2010

Georgina Verdugo
Director
Office for Civil Rights
United States Department of Health and Human Services

RE: HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act; Request for Information (RIN 0991-AB62)

Dear Ms. Verdugo:

The undersigned organizations are members of the Consumer Partnership for e-health (CPeH), a coalition of consumer, patient, and labor organizations working on both the national and local levels that, since 2005, has served as a strong and diverse consumer voice advocating for patient-centered policies related to health information technology (HIT). We submit these comments in response to the request for information (RFI) on the implementation of the modifications to the HIPAA Privacy Rule's Accounting of Disclosures provisions required by Title XIII, Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA).

We believe the accounting of disclosure provisions play a critical role in providing individuals with greater transparency about uses and disclosures of their personal health information. Survey data show that the public supports movement to electronic health records (EHRs), health information exchanges (HIEs) and personal health records (PHRs). However, the data also reflect significant public concerns about the privacy and security of personal health information online, as well as a recognition that the Federal Government has a role in protecting privacy. [1] As we move forward with initiatives to increase the adoption and meaningful use of health information technology (health IT), it is critical to provide greater protection for health information to maintain public trust.

In making modifications to the current HIPAA rule on accounting of disclosures, Congress clearly recognized the ability of EHRs to provide individuals with greater transparency about uses and disclosures of their health data than is possible with paper records.
Implementation of these new provisions, as well as others in ARRA, creates opportunities for the US Department of Health and Human Services (HHS) to harness the power of technology to better protect health information privacy. Our comments below to some of the questions asked in the RFI are intended to help HHS maximize this opportunity for patients and health care providers. (We did not address those questions directed at covered entities that have experience in implementing the current accounting of disclosures provisions.)

[1] See summaries of Markle public opinion surveys at the following URL: http://www.connectingforhealth.org/resources/surveys.html

In summary, we recommend that HHS:

- Focus on what is likely to be most important to individuals.
- Allow covered entities with EHRs to initially use audit trails to satisfy an individual's request for an accounting.
- Phase-in requirements for additional information to be included in the accounting, such as the purpose of the disclosure and the recipient of the information.

Questions

1. What are the benefits to the individual of an accounting of disclosures, particularly of disclosures made for treatment, payment, and health care operations purposes?

Transparency

Providing individuals with transparency about the uses and disclosures of their identifiable health information is a key component of fair information practices and the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. [2] The practice provides a deterrent to inappropriate access, helps in the detection of fraud, and, when combined with other privacy-protective practices of a comprehensive framework, supports public trust.

The HIPAA Privacy Rule includes several provisions designed to provide greater transparency for patients:

- The right of patients to receive notice of permitted uses of their health information and their rights with respect to that information;
- The requirement on covered entities to obtain express patient authorization for certain uses and disclosures; and
- The right of patients to obtain, upon request, a detailed accounting of certain disclosures.

Under the current HIPAA Privacy Rule, the right to receive an accounting is limited to only certain non-routine disclosures; however, the accounting must include a fair amount of detail for each disclosure and cover a period of six years prior to the request.
Individuals can also look to covered entities to provide them with an accounting of such disclosures made by business associates of the covered entities.

[2] It is also a key component of the Markle Foundation's multi-stakeholder Connecting for Health Initiative's Common Framework, see www.connectingforhealth.org.

Congress recognized the ability of electronic record systems to automatically detect and record access to a patient's electronic health information and directed HHS to make improvements to the accounting of disclosure provisions. Now, routine disclosures for treatment, payment, and health care operations must be included in an accounting. In addition, HHS Office of the National Coordinator for Health Information Technology (ONC) issued draft certification criteria for EHRs that included provisions to enable greater transparency with respect to record access: (1) technical requirements to enable EHRs to automatically record information that could be used to provide an accounting of disclosures, [3] and (2) technical requirements that enable EHRs to record and generate an audit trail of all access to an EHR. These provisions together provide the technical building blocks for individuals to receive greater transparency of uses and disclosures of their health information.

Requiring the use of audit trails and the enhanced accounting provisions combine to provide more effective tools for detecting potential breaches of health information. Early detection through audit trail use and monitoring, bolstered by individuals viewing audit trails or an accounting when they suspect inappropriate use of their information, provides health care providers and institutions with important information about weaknesses in their privacy and security policies and practices.

Accountability

The current HIPAA Privacy Rule requires covered entities to provide individuals with an accounting only upon request. In ARRA, Congress retained this as a right that individuals exercise at their discretion. Consequently, most individuals will seek an accounting only when they have a need to know who has accessed their record, such as if they suspect inappropriate access. It is important to structure the new accounting provisions in a way that most directly responds to this need. At a minimum, individuals need to know who has accessed information in their record, when such access occurs, and what was done with that information, per the audit trail requirements in the proposed certification criteria.
Providing individuals with information about the purpose of the disclosure is also of critical importance to increasing transparency and understanding about the legitimate uses of health information. Therefore this should also be required information, once the electronic systems used by providers are routinely able to collect it.

Providing this information in an accounting serves two critical purposes:

1. Helping consumers determine whether their personal health information was disclosed inappropriately and
2. Providing information necessary to hold individuals and institutions accountable in the event of an inappropriate disclosure.

Provisions on accounting of disclosure are just one tool under HIPAA for improving patient privacy and security. They are not the sole solution for improving transparency for patients. Nor should they be viewed as the sole mechanism for ensuring accountability. In developing an accounting rule that leverages the functionalities of EHRs, is effective for patients, and does not unreasonably burden providers, HHS should focus on what accounting can add to a comprehensive framework of protections that promote greater transparency and accountability.

[3] ARRA 13405(c).

2. Are individuals aware of their current right to receive an accounting of disclosures? On what do you base this assessment?

To the best of our knowledge, there is no objective, nationally representative assessment of the levels of public awareness regarding the right to receive an accounting of disclosures of personal health information. In practice, providers report that individuals rarely request an accounting of disclosures under current rules. This low utilization rate is likely due to individuals not being aware of the right to receive an accounting. [4] We caution HHS not to base policy on anecdotal reports of low rates of individuals exercising their rights to an accounting of disclosures, as survey data indicates strong interest by the public in reviewing who has had access to their health information.

Markle Foundation surveys indicate that the public strongly supports the concept of being able to see who has had access to personal health information. For example, 90 percent of respondents in a 2008 survey said that the ability to review who has had access to their information would be one factor in their decision to use a PHR, with 53 percent calling this practice essential. [5] In a 2005 survey on health information exchange, 81 percent called it an absolute or high priority policy. [6] As noted above, survey data also indicate a high degree of concern by individuals about the privacy of their health information. HHS should assume that in an environment of greater use of EHRs and electronic health information exchange, patients may take advantage of the opportunity to learn more about who has accessed their records.

[4] Research has demonstrated that HIPAA privacy notices are often difficult to read and understand. See Mark Hochhauser, Readability of HIPAA Privacy Notices, pp. 5-6, March 12, 2003, http://benefitslink.com/articles/hipaareadability.pdf; Mark Hochhauser, Why Patients Won't Understand Their HIPAA Privacy Notices, April 10, 2003, http://www.privacyrights.org/ar/hipaa-readability.htm; and Marie Pollio, The Inadequacy of HIPAA's Privacy Rule: The Plain Language Notice of Privacy Practices and Patient Understanding, 60 N.Y.U. Ann. Surv. Am. L. 579 (2005), http://www1.law.nyu.edu/pubs/annualsurvey/documents/60%20n.y.u.%20ann.%20surv.%20am.%20l.%20579%20(2005).pdf.
[5] Markle Foundation, "Americans Overwhelmingly Believe Electronic Personal Health Records Could Improve Their Health" June 2008, http://www.connectingforhealth.org/resources/researchbrief-200806.pdf
[6] http://www.markle.org/news/press_releases/2005/press_release_10112005.php.

5. With respect to treatment, payment, and health care operations disclosures, 45 CFR 170.210(e) currently provides the standard that an electronic health record system record the date, time, patient identification, user identification, and a description of the disclosure. In response to its interim final rule, the Office of the National Coordinator for Health Information Technology received comments on this standard and the corresponding certification criterion suggesting that the standard also include to whom a disclosure was made (i.e., recipient) and the reason or purpose for the disclosure. Should an accounting for treatment, payment, and health care operations disclosures include these or other elements and, if so, why? How important is it to individuals to know the specific purpose of a disclosure, i.e., would it be sufficient to describe the purpose generally (e.g., for "for treatment," "for payment," or "for health care operations purposes"), or is more detail necessary for the accounting to be of value? To what extent are individuals familiar with the different activities that may constitute health care operations? On what do you base this assessment?

As noted above, patients who request an accounting will most likely be doing so because they suspect that someone has inappropriately accessed their record, therefore it is essential that the disclosure information they receive include information they need to determine if their information has been used inappropriately. Knowing who received the information that was disclosed and for what purpose are vital to being able to make these determinations, especially given the fact that at the current time the general public has limited knowledge and understanding of the legitimate ways in which their health information is used.

Providing some degree of specificity regarding purpose of disclosure, as opposed to simply stating treatment, payment, or operations, would also be advisable, given this general lack of understanding. Providing more detailed description of operations activities would be particularly important, given that there is even less understanding about this particular purpose. Increased transparency about how personal health information is used in provider operations would go a long way toward building trust.
Ideally patients would be able to see an accounting not just of external disclosures, but also instances of internal access to the record. Such comprehensive accounting is necessary to provide adequate accountability for inappropriate access and disclosures of information. The increasing number of reports of employee snooping and inappropriate use of information [7] serve to erode consumer trust, even as they readily understand and want the benefits HIT can bring to the quality of their health care.

In making decisions about how to meet patients' needs for information about the disclosures of their health information, HHS should focus on information that is likely to be most relevant to patients, as well as what is possible to be automatically generated today. This will pave the way for additional useful information to be automatically generated about EHR access and disclosure in the future. Audit trails typically produce a record of all access to a patient's record and are therefore a great starting place for meeting patients' needs. Additionally, audit trails can be automatically generated by EHRs that will be adopted by providers in Stage 1 of meaningful use, a critical feature that will minimize provider burden.

[7] Hospital: Radiologist used other employees' passwords http://blogs.hcpro.com/hipaa/2010/03/hospital-radiologist-used-other-employeespasswords/; accessed 5/17/10.

As noted above, HHS has already issued two proposed certification criteria that are relevant to updating the current accounting rule: specifically, those for an audit trail and those specifically designed to address the ARRA accounting provisions. HHS should consider deeming an electronic audit trail of all access to the EHR to satisfy the accounting of disclosures requirement. Patients requesting an accounting would be provided with a copy of the audit trail of their record, which, based on the proposed certification criteria, includes the following information: the date, time, patient identification (name or number), and user identification (name or number), which is recorded when electronic health information is created, modified, deleted, or printed, and an indication of which action(s) occurred. This is likely to satisfy the needs of many patients in seeking an accounting, who are looking for unexpected or suspicious activity in the record.

Auditing all record access goes beyond an accounting of just disclosures, but the likelihood that EHRs will possess audit trail functionality in time for Stage 1 of meaningful use and the requirement of audit trail standards under the voluntary Certification Commission for Health IT Standards for ambulatory and inpatient EHRs makes this an attractive initial approach. Allowing covered entities to use an audit trail to respond to individual requests for an accounting under the new ARRA provisions leverages technology that is currently available and takes an initial step toward creating greater transparency with respect to uses and disclosures of health information.
We recognize that such audit logs will be difficult for individuals to comprehend, particularly if they are from larger provider organizations or institutions where the record access on a routine basis could be quite extensive. To address this, covered entities could choose to filter the audit log so that it just includes disclosures, or entities could sit down with the patient to answer any questions.

It is likely that patients will have additional questions after viewing their audit logs. The ability of an audit log to provide additional information, such as the purpose of the access or disclosure or a brief description, would alleviate the burden on covered entities to make staff available to explain the audit log to the patient. However, it may not be feasible for many EHRs today to generate an audit trail or an accounting that automatically includes purpose or a description of each access or disclosure. Such a requirement should be phased in over time, to allow the technology to develop this capability. HHS should also consider providing incentives or otherwise encouraging vendors to release new EHRs (or upgrades) that allow users to select from a list of common disclosure purposes or that otherwise allow for the disclosure purpose to be logged without the need to manually input text. An increase in patients seeking a copy of the audit trail could stimulate demand for greater functionality to serve the needs of both covered entities and patients.

It is critical to consider what can be automatically generated by EHRs that exist today, as well as what is possible in the coming years. Providers should not be required to manually input additional information in the course of using the EHR in order to ensure that additional information is in the accounting. HHS should capitalize on what can be automatically generated today, and provide incentives for vendors to develop greater accounting functionality over time.

6. For existing electronic health record systems: (e) Is there a single, centralized electronic health record system? Or is it a decentralized system (e.g., different departments maintain different electronic health record systems and an accounting of disclosures for treatment, payment, and health care operations would need to be tracked for each system)?

Since the purpose of the ARRA revisions to the accounting rule was to increase the scope of disclosures and not necessarily to give individuals access to records that they do not have the right to access today, HHS should consider clarifying the definition to make it clear that the accounting addresses only those portions of the record that individuals have the right to access under C.F.R. 164.524. Patients will want an accounting of access to and disclosures from the clinical portions of the EHR, and HHS should clarify that the definition of EHR does not extend to portions of an entity's electronic recordkeeping systems that do not involve patient clinical data. To the extent that the clinical EHR is decentralized, allowing entities to use an audit trail to respond to patient accounting requests should help entities comply, as all parts of the entities' overall EHR system should have audit trail functionality.

7. The HITECH Act provides that a covered entity that has acquired an electronic health record after January 1, 2009 must comply with the new accounting requirement beginning January 1, 2011 (or anytime after that date when it acquires an electronic health record), unless we extend this compliance deadline to no later than 2013. Will covered entities be able to begin accounting for disclosures through an electronic health record to carry out treatment, payment, and health care operations by January 1, 2011? If not, how much time would it take vendors of electronic health record systems to design and implement such a feature? Once such a feature is available, how much time would it take for a covered entity to install an updated electronic health record system with this feature?

If covered entities are permitted to use an audit trail to respond to patient requests for an accounting, there is no reason why compliance could not begin by January 1, 2011 because EHRs are required to have this functionality for Stage 1 of meaningful use, and EHRs certified voluntarily by CCHIT already have this capability. HHS should stage requirements for an accounting to include additional information such as the recipients of and purpose for any disclosures based on developing EHR capabilities.

9. Is there any other information that would be helpful to the Department regarding accounting for disclosures through an electronic health record to carry out treatment, payment, and health care operations?

Compliance by HIPAA Business Associates

Under ARRA, business associates are required to comply with the privacy provisions that apply to covered entities; [8] thus, the new accounting requirements are made applicable to business associates. Covered entities are required to provide an accounting of disclosures made by business associates. In the alternative, they can provide individuals with a list of their business associates, and the individuals can then contact those business associates to receive an accounting.

We acknowledge that business associates now have independent obligations to comply with the HIPAA privacy and security rules. But placing the burden on patients to seek data directly from business associates is an inefficient (and largely ineffective) way to achieve greater transparency about uses and disclosures of health information. Instead, we suggest that covered entities have the primary obligation to produce an accounting of access to and disclosures from their EHR system. If the patient needs more information about a particular access or disclosure that involves a business associate, the covered entity can contact the particular business associate for further information (which is consistent with how the breach notification rules treat the obligation to notify the patient in the case of inappropriate record access), or, less optimally, provide information to help the patient make the request directly from the relevant business associate(s). This is much more effective than giving the patient a list of all of the entities' business associates and requiring the patient to go on a fishing expedition to find his or her data.
We note that the ARRA accounting rule modifications apply to covered entities using EHRs and their business associates. This does not require that a business associate be using an EHR in order to be covered by the rule, but the new accounting provisions in ARRA should apply to those business associates using electronic systems that have (or should have) audit trail or other access tracking functionality. Such functionality should be required for business associates keeping electronic records.

ARRA also makes clear that entities like Health Information Exchanges and Regional Health Information Organizations (collectively, HIEs) will be business associates, and thus have some obligations for complying with the new accounting provisions. [9] How HIEs comply with these new obligations should depend on how they are structured. For example, a federated exchange that merely facilitates the exchange of information by EHRs may not be able to easily account for disclosures of an individual patient's information (although the edge systems should be fully accountable for accounting for disclosures through the network). However, HIEs that operate database or even hybrid federated/database models may face no more challenges to accounting for disclosures than a large provider using an EHR.

[8] ARRA Section 13404(a).
[9] ARRA Section 13408.

Costs of Compliance

We have heard from covered entities that they estimate compliance with the ARRA accounting modifications could cost millions (an estimate from one health care system submitted to OMB was approximately $250 million over three years) [Intermountain]. We assume that such calculations are based on applying the provisions of the current accounting rule, which requires that patients be provided with a fair degree of detail for a smaller scope of disclosures, to disclosures for treatment, payment and operations from an EHR. However, if HHS leverages existing EHR capabilities such as the audit trail functionality and expands the amount of information provided to patients using these automated functions over a period of time, there is less reason to believe that this will impose significantly greater costs on covered entities. If HHS focuses on what can be automatically generated, even small providers should easily be able to comply with the expanded accounting provisions.

Cost to Individuals

Under existing accounting of disclosure provisions, individuals may receive one free copy per year of an accounting. Because the new accounting provisions should be structured in a way that leverages the automating capabilities of EHRs, individuals should continue to be able to receive these at no charge, particularly when they are asking for the accounting because they have reason to suspect unauthorized or unlawful access to their personal health information.

We appreciate the opportunity to submit these comments.
Sincerely,

Members of the Consumer Partnership for ehealth

AARP
American Association of People with Disabilities
Childbirth Connection
Consumers Union
Family Violence Prevention Fund
Mental Health America
National Health Law Program
The Center for Democracy & Technology
The National Partnership for Women & Families