CHIME: Disclosure Proposed Rule Goes Too Far

The College of Healthcare Information Management Executives is calling on the HHS Office for Civil Rights to tone down its requirements on the information that should be available to consumers in access reports under a final rule to account for disclosures of protected health information.


The College of Healthcare Information Management Executives is calling on the HHS Office for Civil Rights to tone down its requirements on the information that should be available to consumers in access reports under a final rule to account for disclosures of protected health information.

OCR's proposed rule includes a new right to a consolidated access report, which goes beyond the HIPAA privacy rule's requirement for a designated record set, or DRS, the association of health CIOs and other information technology leaders says. Further, the information required in a DRS is not standardized, and it is not yet technically feasible to pull the data necessary for a consolidated report from many information systems, according to CHIME.

"DRSs remain too broadly defined and too variable in today's Health I.T. environment," according to a CHIME comment letter. "Moreover, the ability to aggregate hundreds or even thousands of access events in any automated fashion is not realistic for most covered entities--never mind across covered entities and their numerous business associates." For these and other reasons, CHIME urges that the access report requirements be left out of a final rule.

"If OCR wishes to pursue the concept of access reports further, we would instead recommend that stakeholders be convened to better assess what is technically feasible in the short-term, long-term and during the transition across the full range of covered entities. On the other hand, if OCR elects to retain requirements for access reports, CHIME firmly believes that only data gathered from certified EHRs, not the full array of designated record sets, should be expected to populate such access reports. We believe the access logs, report filters and other technical specifications needed to generate an access report would be inconsistent or nonexistent across many clinical data sources that might be considered part of a DRS."

For a recent Health Data Management commentary that questions if enhancements to the privacy rule will really stop those who shouldn't have access to PHI from getting it, click here.

 

More for you

Loading data for hdm_tax_topic #better-outcomes...