
Monday, August 29, 2011

HIPAA "access report" potentially much simpler to implement, more valuable than accounting of disclosures

Among the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act garnering significant attention are the changes to existing HIPAA requirements for covered entities to produce accounting of disclosures of protected health information and a new proposed requirement that entities and business associates also maintain (and furnish upon request) a record of accesses to individuals' electronic health records. Both of these measures are addressed in a notice of proposed rulemaking (NPRM) published by HHS in the Federal Register in late May, the comment period for which closed August 1. Public objections to the proposed rules emphasize the administrative burden to health care organizations to collect and store the information required for accountings of disclosures and access histories, and the apparent lack of interest among members of the public in requesting this information from health care entities. While the two provisions share obvious functional elements, there are significant differences in both technical feasibility and practical relevance that justify separate consideration of the proposed rules, and in particular suggest that the new access record provision may be more difficult to dismiss using the arguments put forth to date.

Many industry watchers are more familiar with the proposed changes to the accounting of disclosure requirements, since those changes are spelled out in the HITECH Act (at §13405(c)), which most notably change the time period covered from six years to three and also remove the exception under current HIPAA provisions for disclosures for the purpose of treatment, payment, or health care operations. The NPRM repeats the current (45 CFR §164.528(b)(2)) implementation specifications for the content that must be included for each disclosure in the accounting:
  • Date of disclosure
  • Name of the entity or person (and their address, if known) receiving the disclosed PHI
  • Description of the PHI disclosed
  • Purpose for the disclosure
These requirements apply to PHI disclosed in both paper and electronic form, although the objections to the rule seem to focus on electronic disclosure, perhaps because of the inherent limitations of many electronic health record (EHR) systems and other applications in capturing the required information. There are valid procedural objections as well, because with the exception of the date of the disclosure, the content required cannot easily be extracted or automatically recorded from EHR systems, and with respect to the purpose for disclosure in particular, it seems likely that the need to capture this information would insert a step into routine business processes where the purpose would need to be recorded before the process could be completed. By extending the accounting of disclosures to the types of disclosure that likely make up the vast majority of purposes for most health care entities, the removal of the exceptions for treatment, payment, and health care operations will unquestionably add to the administrative workload of covered entities and business associates who must comply with the law. Before developing the NPRM, HHS issued a request for information in May 2010 seeking comments on the accounting of disclosure changes in the HITECH Act, in which HHS sought to "better understand the interests of individuals with respect to learning of such disclosures, the administrative burden on covered entities and business associates of accounting for such disclosures, and other information that may inform the Department's rulemaking in this area." Many commenters apparently pointed to the lack of consumer demand for accountings of disclosures, with few requests received by entities in the several years since the provision was first enacted. It seems possible, however, that while health care organizations will undoubtedly need to devote greater resources to complying with the revised rule, individuals might find an accounting that covers a much greater proportion of total disclosures more valuable than in the past, when those requesting accountings would likely get no information about the most common, or perhaps most consumer-intuitive, situations in which disclosures had occurred.

Under the definition used in HIPAA (45 CFR §160.103), a "disclosure" only occurs when information leaves the entity holding it, so the accounting of disclosures only covers release or transfer of PHI from one person or organization to another. The new access report provision has no such limitation, and HHS indicated in its NPRM that it chose to add coverage for access to PHI by members of an entity's workforce as part of an expanded perspective that includes both internal and external access to information in an individual's health record. In contrast to the accounting of disclosures, the access report would apply only to records in electronic form, which might make the provision seem somewhat less comprehensive than the accounting of disclosures, but which – intentionally or not – greatly simplifies the collection and maintenance of record access information. The proposed implementation standard for the content of the access report specifies the following information:
  • Date of access
  • Time of access
  • Name of the person accessing the record (if available, or else the name of the entity)
  • What information was accessed, if available
  • Action taken by the user (e.g. create, modify, access, delete)
With the exception of describing what information was accessed, all of the elements proposed in the implementation specification reflect data routinely captured in audit logs that can typically be automatically generated by database-centric computer systems such as those used to manage EHRs. Distinguishing subsets of data contained in a single record accessed by a user would likely require more granular tracking than many audit logs provide, particularly in read-only events where no data is changed. However, the simpler set of content required for the access report makes the technical feasibility of this proposed requirement much greater than for the accounting of disclosures. This is true even without the flexibility afforded to organizations about providing the name of the person accessing the record, although the NPRM acknowledges that producing the first and last name may require mapping the user ID captured in an audit log to a list of full names. According to the NPRM, allowing for entity-level attribution rather than person-level is intended for situations where organizations outside the entity holding the information are provided access; employees or contractors working for the entity cannot share authentication credentials, as unique user identification is required under the technical safeguards specified in the HIPAA Security Rule (45 CFR §164.312).

One valid criticism regarding the proposed access record provision is that HHS seems to assume that relevant organizations would have only one electronic record system, but hospitals and large health care entities often have multiple systems, so creating the access report would require an aggregation of audit logs or other data drawn from multiple systems, adding cost and complexity to efforts to comply. Given the nature of the data required, the technical barrier to producing an integrated view of audit records may not be too great, particularly for organizations that have implemented standards such as the IHE's Audit Trail and Node Authentication profile, which includes standard formats for audit logs to facilitate integrated audit reporting.

Previous objections to the accounting of disclosure rule often center on covered entities' prior experience with patients and consumers and the apparent lack of interest by individuals in getting accountings, based on the few historical requests they have received. The implication is that there is a lot of administrative overhead to produce a "product" for which there is little demand. This argument rings a bit hollow when applied to access records. Accountings of disclosures to date exclude many – perhaps most – occurrences, and only cover external exchanges of data. The access report is focused as much or more on access by insiders, to provide some insight into routine authorized accesses and, more importantly, to indicate instances of inappropriate access by authorized users. There is ample anecdotal evidence to suggest that inappropriate insider access is all too common, although the most well publicized incidents tend to involve abuse of privilege to view celebrity medical records. This type of incident is not limited to health care – recall the State Department contractors who improperly accessed the passport records of the candidates in the 2008 presidential election. In government agencies like the IRS there are formal policies against misuse of authorized access privileges to, for instance, browse tax records, such as Internal Revenue Manual 10.8.34.2, which explicitly forbids users from accessing their own accounts or the accounts of friends, relatives, coworkers, other IRS employees, or celebrities. Absent access records, discovery of inappropriate user access must rely on technologies like intrusion detection or auditing systems, and if the latter are in place, it seems a short step to leverage the data already being collected through routine user event monitoring. In large organizations where inappropriate use may be a concern, implementing mechanisms to support the data collection needed for access reports under the proposed HIPAA rule – and making employees aware of such data collection – may actually serve as a deterrent to inappropriate behavior.
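As an added example (not code from the original post or from any real EHR product), the script below builds the proposed access report from two constructed audit logs in different native formats, maps audit-log user IDs to full names through a hypothetical directory, and reuses the same aggregated data to flag workforce members accessing their own records, the kind of routine monitoring check discussed above. The system names, log formats, user IDs and record numbers are all invented.

```python
import csv
import io
from datetime import datetime
# Constructed sample audit logs from two hypothetical EHR systems, each in its own format.
SYSTEM_A_LOG = """\
2011-08-15T09:12:03|u1042|MRN-000777|READ|Medications
2011-08-16T17:55:21|u2201|MRN-000777|READ|FullChart
"""
SYSTEM_B_LOG = """\
ts,user,record,action,section
2011-08-16 08:02:11,jdoe,MRN-000777,create,LabResult
2011-08-17 12:30:00,u2201,MRN-000312,read,FullChart
"""
# Hypothetical directory: user ID -> (full name, own record number or None).
USER_DIRECTORY = {
    "u1042": ("Ada Nurse", None),
    "u2201": ("Ben Clerk", "MRN-000777"),
    "jdoe": ("Jane Doe", None),
}

def parse_system_a(text):
    """Pipe-delimited log with ISO timestamps, normalized to common fields."""
    for line in filter(None, text.splitlines()):
        ts, user, record, action, section = line.split("|")
        yield {"when": datetime.fromisoformat(ts), "user_id": user,
               "record": record, "action": action.lower(), "section": section}

def parse_system_b(text):
    """CSV log with a header row, normalized to the same fields."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"when": datetime.fromisoformat(row["ts"]), "user_id": row["user"],
               "record": row["record"], "action": row["action"].lower(),
               "section": row["section"]}

def all_events():
    """Aggregate both systems' logs into one chronological event list."""
    return sorted([*parse_system_a(SYSTEM_A_LOG), *parse_system_b(SYSTEM_B_LOG)],
                  key=lambda e: e["when"])

def access_report(mrn):
    """One record's report with the five proposed elements; unmapped IDs stay raw."""
    return [{"date": e["when"].date().isoformat(),
             "time": e["when"].time().isoformat(),
             "name": USER_DIRECTORY.get(e["user_id"], (e["user_id"],))[0],
             "what": e["section"], "action": e["action"]}
            for e in all_events() if e["record"] == mrn]

def self_access_events():
    """Flag workforce members accessing their own record, using the same data."""
    return [e for e in all_events()
            if USER_DIRECTORY.get(e["user_id"], (None, None))[1] == e["record"]]
```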