CHIME, AHA challenge reporting requirements for accessing patient information

Tools

CHIME and the American Hospital Association are among groups challenging sections of a proposed rule governing mandatory disclosures to patients about how data from their health records is being used, Healthcare IT News reports.

A privacy and security "tiger team" convened by the Office of the National Coordinator's Health IT Policy Committee is developing recommendations on the rule, which relates to compliance of the HITECH Act, the article notes.

The comments came in response to a Sept. 23 blog post by tiger team chair Deven McGraw, J.D., M.P.H., L.L.M., seeking feedback.

The College of Health Information Management Executives (CHIME) expressed concern  that "all audit logs are not created equal. Despite having common data elements recorded across different solutions, there are few, if any, standard ways to generate reports," according to the article.

Aggregating the audit logs from different systems into a single report is challenging, CHIME said in its response. In addition, the technology to generate the required reports is immature, the organization said. "(C)urrent market solutions do not capture information or do not display information in ways that would provide patients with greater transparency about the uses and disclosure of their digital, identifiable health information."

CHIME told the tiger team in its online response that current practices and processes are sufficient because patients rarely request the information. "We do not believe there to be systemic abuse of (personal health information) by the nation's providers, therefore we do not believe that industry-wide regulations need to correct a problem that can be addressed under current policy."

The American Hospital Association criticized a requirement to compile all occasions when patient records were accessed and how they were used as "misguided." The rule "does not appropriately balance the relevant privacy interests of individuals with the substantial burdens (to) hospitals," according to the letter.

The AHA suggested several exclusions, including for research and for generating population health trend data, and that disclosure reporting go back no more than three years, with a 60-day response requirement.

For more information:
- see the AHA letter
- check out the blog post and comments
- read the article in Healthcare IT News

Related Articles:
Tools designed to protect PHI in multi-site research
Algorithm to redact PHI takes opposite track
5 common myths about HIPAA debunked
HIPAA compliance: Questions linger about liability