AMIA, the association for informatics professionals in biomedicine and health care, expressed its concerns to the U.S. Department of Health and Human Services (HHS) about a proposed rule that would modify the HIPAA Privacy Rules for accounting of disclosures. AMIA expressed extensive concerns about the proposed rule, drawing particular attention to the requirement to generate an “access report” that would indicate which individuals have accessed an individual’s personal health information. Furthermore, AMIA noted the inconsistent application and definitions of the term “access” within the proposed rule and questioned how it might be applied during patient care activities when large numbers of individuals meet to discuss a case, such as grand rounds and tumor boards.
AMIA asserts that there is no way to fully anticipate the potential organizational and financial burdens that this requirement will impose on providers. AMIA also notes that implementing the proposed rule will require significant organizational resources, both technical and human, and encourages HHS to withdraw the access report provision of the proposed rule.
AMIA President and CEO Edward H. Shortliffe, MD, PhD, says, “AMIA believes that the access report requirement is misguided. Although our association is committed to responsible uses of health data and protection of patient privacy, AMIA is hard-pressed to understand what benefit the proposed requirement would render to individual patients or to society as a whole.” The access report requirement, he continued, “reflects a policy that would go beyond the mandates of the HIPAA Security Rule, and represents a dramatic misjudgment of the capabilities of the currently implemented or easily developed technology and processes.”
AMIA Board Chair Nancy Lorenzi, PhD, Vanderbilt University Medical Center, underscores the fact that AMIA understands individuals should be able to learn whether specific persons have accessed their electronic health information. However, she states, “The proposed rule requires every person who accesses such information be identified, regardless of whether they work for the health system or for one of its business associates. Hospitals have multiple systems and during a patient’s hospitalization many people must view a chart as part of their work on behalf of the patient. A single-access report will be extremely difficult to create, as system audit trails do not capture all user access points and are distributed across multiple systems.”
According to the AMIA comments submitted to Secretary Sebelius on Aug. 1, what is proposed will be expensive, will require extensive changes to current systems, and may not mean anything to the patient. AMIA questions the HHS assertion that the generation of such an access report will require minimal, if any, changes to existing information systems, and its claim that the significant burden in aggregating data across multiple information systems into a single access report is reasonable.