IT Leaders Fight New HIPAA Rule

CHIME and MGMA take exception to a proposed requirement to produce access reports within 30 days after a patient's request.

Neil Versel, Contributor

July 27, 2011


Organizations representing hospital CIOs and managers of group physician practices have serious reservations about a proposed HIPAA regulation that would give patients the right to see a report of who has viewed their medical records and other health data.

Both the College of Healthcare Information Management Executives (CHIME) and the Medical Group Management Association (MGMA) said the "accounting for disclosures" rule asks too much of healthcare providers already grappling with implementing electronic health records and preparing to convert to ANSI X-12 5010 transactions and ICD-10 coding.

"CHIME believes the administrative burdens and related costs needed to compile, transmit, and then explain the proposed … access reports would divert the same resources needed to accomplish other important initiatives, including EHR Meaningful Use, and ICD-10 and HIPAA 5010 implementation, while providing very little value to patients," according to comments the Ann Arbor, Mich.-based organization submitted to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

OCR on May 31 published a proposal that would modify the HIPAA privacy rule to require "covered entities" to produce disclosure reports within 30 days of a patient's request, down from the current 60 days. OCR, which enforces the HIPAA privacy and security regulations, is taking comments on the proposed change through Aug. 1.

CHIME also called the proposed 30-day period "totally insufficient" to produce an access report. "Generating an accounting of disclosures is today largely a manual process for most covered entities and we believe it will remain so for some time to come," according to the organization's comments.

"The proposed 30-day time frame is simply too short, especially since information would need to be gathered from a variety of sources, including business associates (whose agreements will need to be revised), and may require legacy system access for organizations that are transitioning to EHR systems or a niche vendor handling the disclosure system tracking," CHIME continued.

In expressing its displeasure with the OCR proposal, the MGMA went a step further, citing numbers from a membership survey. The poll found that 90% of respondents thought it would be "very" or "extremely" burdensome for their practices to produce a report according to the proposed rule's specifications. And nearly two-thirds said that they had received less than one patient request per full-time-equivalent physician in the last 12 months for such an accounting.

"Considering how infrequently physician practices receive these requests from patients, the proposed rule fails to meet the statutory requirement to balance the needs of patients with the burden on providers," MGMA President and CEO Dr. William F. Jessee said in a statement. "These reports, which would be required to show all electronic access to a patient's health information for up to three years, could be hundreds or even thousands of pages long, making them extremely challenging for physician practices to produce and of little practical value to the patient receiving them."

CHIME further noted that the "designated record set" healthcare organizations would have to account for is not well defined, and does not mesh with regulations for the "Meaningful Use" EHR incentive program. "One of the goals behind Meaningful Use is to eliminate inconsistency and variability long since built into healthcare information technology systems," the CHIME statement said. "But many technologies beyond the scope of EHR incentive payments remain splintered and variable--the same as before Meaningful Use."

CHIME said the designated record sets "remain too broadly defined and too variable in today's health IT environment. Moreover, the ability to aggregate hundreds or even thousands of access events in any automated fashion is not realistic for most covered entities--never mind across covered entities and their numerous business associates."

The CIO group suggested that the burden should be shifted to the patient to limit the size of access reports. "Instead of requiring access reports that include names, CHIME believes that a safer alternative would be to require patients to provide a covered entity with specific names for the covered entity to determine whether those individuals have or have not accessed the patient's information. The covered entity would then report back to the patient and also be in a position to take disciplinary action, if warranted," CHIME said, noting that many providers already have this process in place.


About the Author(s)

Neil Versel


Neil Versel is a journalist specializing in health IT, mobile health, patient safety, quality of care & the business of healthcare. He’s also a board member of @HealtheVillages.
