The Expert's View

Do Americans Need an Access Report?

Proposed Accounting of Disclosures Provision Has Limited Benefits

The government recently presented the healthcare industry with a different take on the HITECH Act's accounting of disclosures provision. The Department of Health and Human Services' Office for Civil Rights decided to go beyond the HITECH Act to give Americans more than Congress enacted - a report listing each person who has accessed, meaning seen, their protected health information in an electronic health record or other electronic designated record set system maintained by or for a healthcare provider or health plan that is a HIPAA covered entity.

OCR touts the proposed expansion as "a significant benefit to all individuals" because OCR believes "individuals are interested in learning who has accessed their information." OCR nowhere gives the basis for this belief.

Perhaps Hollywood stars, sports celebrities, politicians and other personalities may want to know who is snooping in their health records. There may be patients and enrollees who want to know if their estranged spouses or next-door neighbors who work for covered entities have been perusing their health records to learn what ails them. Beyond these specialized scenarios, how many patients and enrollees are really interested in knowing the names of strangers who have seen their electronic healthcare or claims records without a word about why those strangers did so? Not many, OCR admits.

Because of the relatively few requests for disclosure accountings under the HIPAA Privacy Rule, the government "anticipate[s] few requests for access reports." Yet, the cost for that rarely used right would be substantial, because every covered entity would need to ensure that it, and its business associates, have sufficient system auditing capabilities and processes to be able to supply an access report - even if nobody ever requests one. So, covered entities - and thus every American - would all pay for something almost nobody wants.

Serve the Purpose?

Consider this as well: Even if there were a reasonable expectation that many Americans would request access reports, would access reports do the job that OCR proposes for them?

OCR acknowledges that audit logs may not always capture the name of the person who accesses an electronic designated record set system. In that case, OCR would allow the access report to list the name of the organization (captured by the audit log) that employs or otherwise engages the accessing person.

And access may not always be initiated by a person. Rather, one computer system of a covered entity or its business associate may access a patient's or enrollee's electronic designated record set information maintained in another computer system of the covered entity or its business associate. In those instances, the access report would record only the accessing organization's name.

Even when an access report lists persons, would the report confirm that the accesses were made by those persons? Absent biometric authentication, access to computer systems is typically tracked based on log-in credentials, such as user IDs and passwords. The best those systems can tell is that a particular user ID and a particular password had access. More substantiation would be needed than an electronic audit log to determine the person who actually saw the health record.

What's the Value?

What value does an access report have for an individual? Most people employed or otherwise engaged by covered entities would be strangers to the patients treated or the enrollees insured. Listing persons unknown to a patient or enrollee in an access report says nothing about why those persons were accessing the protected health information.

Wouldn't the interests of government and individual Americans be better served by focusing on why access occurs, rather than adding more administrative cost to healthcare with an access report right that offers marginal benefit?

Covered entities' "privacy practices notices" are supposed to explain why access occurs. Maybe OCR's and covered entities' resources would be better spent addressing the need for succinct, easy-to-understand, non-legalistic privacy practices notices that meaningfully communicate to patients and enrollees the activities and purposes for which their protected health information may be accessed.

Kathryn Roe is founding principal of The Health Law Consultancy in Chicago. She's a frequent speaker on healthcare regulatory issues.

For a different point of view on the federal proposal for access reports, see: Borten: Access Reports Deserve Support.


