Privacy & Cybersecurity Law Blog

Several health care industry groups requested that the Department of Health and Human Services (“HHS”) either remove or significantly revise a proposed “access report” requirement in its recent notice of proposed rulemaking (the “Proposed Rule”) for the accounting of disclosures of protected health information (“PHI”).  As we reported in May, HHS issued the Proposed Rule that revises existing HIPAA Privacy Rule provisions regarding accounting of disclosures and gives individuals a new right to obtain an “access report” that would list the specific persons who have accessed a patient’s PHI, and describe any actions taken by those persons with respect to the PHI (e.g., create, modify, access or delete).

In a comment letter sent to HHS, the American Hospital Association (“AHA”), which represents more than 5,000 member hospitals, health systems and other health care organizations, criticized the access report provision in the Proposed Rule.  AHA characterized the access report provision as “based on a fundamental misunderstanding of the value to individuals of receiving the particular information that the access report would capture, as well as a misunderstanding about the capabilities of technologies available to and used by covered entities.”  AHA went on to state that “[g]enerating an access report involves a complex and time-consuming process to analyze large volumes of data” and that “[i]t is not necessary to create an over-broad access report requirement to capture the specific issues for the few patients who have individual access concerns...[T]his currently cannot be accomplished without human intervention.”  If HHS decides to adopt the access report provision, AHA recommended numerous revisions, such as clarifying that the information in the access report applies only to designated record sets and not requiring covered entities to name the specific employees who accessed the PHI of the individual requesting the report.

The Federation of American Hospitals (“FAH”), which represents approximately 1,000 investor-owned or managed community hospitals or health systems, also urged HHS to remove the access report provision from the Proposed Rule.  FAH called the access report provision “misguided” and “meaningless to patients” and noted the substantial and costly technological burden the access report requirement would impose on hospitals.

The Medical Group Management Association (“MGMA”), a membership association for professional administrators and leaders of medical group practices with more than 21,500 members who lead 13,700 health care organizations nationwide, urged HHS to withdraw the Proposed Rule.  William F. Jessee, MGMA’s President and Chief Executive Officer, stated the access reports “could be hundreds or even thousands of pages long, making them extremely challenging for physician practices to produce and of little practical value to the patient receiving them.”  As an alternative, MGMA encouraged HHS to “engage medical groups and other stakeholders to develop a consensus-driven solution before moving forward with the regulation.”  The American Medical Informatics Association and the American Health Information Management Association also weighed in strongly against the Proposed Rule.