Many industry watchers are more familiar with the proposed changes to the accounting of disclosure requirements, since those changes are spelled out in the HITECH Act (at §13405(c)), which most notably change the time period covered from six years to three and also remove the exception under current HIPAA provisions for disclosures for the purpose of treatment, payment, or health care operations. The NPRM repeats the current (45 CFR §164.528(b)(2)) implementation specifications for the content that must be included for each disclosure in the accounting:
- Date of disclosure
- Name of the entity or person (and their address, if known) receiving the disclosed PHI
- Description of the PHI disclosed
- Purpose for the disclosure
Under the definition used in HIPAA (45 CFR §160.103), a "disclosure" only occurs when information leaves the entity holding it, so the accounting of disclosures only covers release or transfer of PHI from one person or organization to another. The new access report provision has no such limitation, and HHS indicated in its NPRM that it chose to add coverage for access to PHI by members of an entity's workforce as part of an expanded perspective that includes both internal and external access to information in an individual's health record. In contrast to the accounting of disclosures, the access report would apply only to records in electronic form, which might make the provision seem somewhat less comprehensive than the accounting of disclosures, but which – intentionally or not – greatly simplifies the collection and maintenance of record access information. The proposed implementation standard for the content of the access report specifies the following information:
- Date of access
- Time of access
- Name of the person accessing the record (if available, or else the name of the entity)
- What information was accessed, if available
- Action taken by the user (e.g. create, modify, access, delete)
One valid criticism regarding the proposed access record provision is that HHS seems to assume that relevant organizations would have only one electronic record system, but hospitals and large health care entities often have multiple systems, so creating the access report would require an aggregation of audit logs or other data drawn from multiple systems, adding cost and complexity to efforts to comply. Given the nature of the data required, the technical barrier to producing an integrated view of audit records may not be too great, particularly for organizations that have implemented standards such as the IHE's Audit Trail and Node Authentication (ATNA) profile, which include standard formats for audit logs to facilitate integrated audit reporting.
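As an added illustration of that aggregation step (not code from the NPRM, HHS, or any IHE profile), the following Python sketch normalizes constructed audit records from two hypothetical systems into the proposed access-report fields for a single patient's record; the log formats, field names, user IDs and MRN values are all made up for the example.

```python
import csv
import io
import json
from datetime import datetime

# Constructed sample records from two hypothetical systems: "ehr" emits one
# JSON object per line, "lab" emits CSV. Neither format is a real product's.
EHR_LOG = """\
{"ts": "2011-06-02T09:15:30", "user": "jdoe", "patient": "MRN1001", "action": "read", "section": "medications"}
{"ts": "2011-06-02T11:40:05", "user": "asmith", "patient": "MRN2002", "action": "update", "section": "problems"}
{"ts": "2011-06-03T08:02:11", "user": "jdoe", "patient": "MRN1001", "action": "update", "section": "allergies"}
"""
LAB_LOG = """\
timestamp,login,mrn,event,object
2011-06-02 10:05:00,rlee,MRN1001,VIEW,CBC result
2011-06-02 16:20:00,rlee,MRN3003,VIEW,Lipid panel
"""

def parse_ehr(text):
    """Yield normalized events from the JSON-lines system."""
    for line in text.splitlines():
        r = json.loads(line)
        yield {"when": datetime.fromisoformat(r["ts"]), "user": r["user"], "patient": r["patient"],
               "action": r["action"], "info": r["section"], "system": "ehr"}

def parse_lab(text):
    """Yield normalized events from the CSV system."""
    for r in csv.DictReader(io.StringIO(text)):
        yield {"when": datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S"), "user": r["login"],
               "patient": r["mrn"], "action": r["event"].lower(), "info": r["object"], "system": "lab"}

# Map each system's verbs onto the action vocabulary in the proposed standard.
ACTION_MAP = {"read": "access", "view": "access", "update": "modify", "create": "create", "delete": "delete"}

def access_report(patient_id, *streams):
    """Merge events from every system, keep one patient's record, order by time."""
    rows = []
    for stream in streams:
        for ev in stream:
            if ev["patient"] != patient_id:
                continue
            rows.append({"date": ev["when"].date().isoformat(),
                         "time": ev["when"].time().isoformat(),
                         "name": ev["user"],
                         "system": ev["system"],
                         "information": ev["info"],
                         "action": ACTION_MAP.get(ev["action"], ev["action"])})
    return sorted(rows, key=lambda r: (r["date"], r["time"]))

if __name__ == "__main__":
    for row in access_report("MRN1001", parse_ehr(EHR_LOG), parse_lab(LAB_LOG)):
        print(row)
```

In a real deployment the per-system parsers would be replaced by readers for each system's actual audit format (or a shared ATNA-style feed), while the report assembly stays the same.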
Previous objections to the accounting of disclosures rule have often centered on covered entities' prior experience with patients and consumers and the apparent lack of interest by individuals in obtaining accountings, based on the few historical requests they have received. The implication is that there is a lot of administrative overhead to produce a "product" for which there is little demand. This argument rings a bit hollow when applied to access records. Accountings of disclosures to date exclude many – perhaps most – occurrences, and only cover external exchanges of data. The access report is focused as much or more on access by insiders, to provide some insight into routine authorized accesses and, more importantly, to indicate instances of inappropriate access by authorized users. There is ample anecdotal evidence to suggest that inappropriate insider access is all too common, although the best-publicized incidents tend to involve abuse of privilege to view celebrity medical records. This type of incident is not limited to health care – recall the State Department contractors who improperly accessed the passport records of the candidates in the 2008 presidential election. In government agencies like the IRS there are formal policies against misuse of authorized access privileges to, for instance, browse tax records, such as Internal Revenue Manual 10.8.34.2, which explicitly forbids users from accessing their own accounts or the accounts of friends, relatives, coworkers, other IRS employees, or celebrities. Absent access records, discovery of inappropriate user access must rely on technologies like intrusion detection or auditing systems, and if the latter are in place, it seems a short step to leverage the data already being collected through routine user event monitoring.
In large organizations where inappropriate use may be a concern, implementing mechanisms to support data collection needed for access reports under the proposed HIPAA rule – and making employees aware of such data collection – may actually serve as a deterrent to inappropriate behavior.