Moving a step closer to finalizing the recommendations it will present at the December 4 HIT Policy Committee meeting, the Privacy & Security Tiger Team yesterday again discussed accounting of disclosures and continued to work through its policy recommendations.
Though the Tiger Team has a December 2 meeting to hash out any lingering issues just prior to the presentation, Chair Deven McGraw of the Center for Democracy and Technology (CDT) wanted to review accounting of disclosures talks and a couple of follow-up questions for the committee. Here are the recommendations that the Tiger Team took another look at yesterday:
- Given the uncertainties and complexities involved in implementing the HITECH requirements, HHS should approach this in a step-wise fashion, initially pursuing an implementation pathway that is workable from both a policy and technology perspective.
- In approaching these issues, the Tiger Team endorses a “less is more” philosophy (or value over volume, quality over quantity), in which the scope of disclosures and related details to be reported to patients provides information that is useful to patients without overwhelming them or placing undue burden on covered entities (CEs).
- “Less is more” means “In responding to the HITECH requirement to account for disclosures for treatment, payment, and healthcare operations (TPO), HHS should focus, at least initially, on disclosures outside the CE or Organized Health Care Arrangement (OHCA)”
- Technologies to accomplish this should first be piloted by ONC
* Focus first on provider EHRs per HITECH; after pilots and initial implementation, HHS could then determine how to expand to additional HIPAA covered entities
* Pilots should focus on technical feasibility of disclosure reports, as well as on feasibility and usability of such reports for patients and implementation burden on providers.
* Pilots will enable ONC to assess readiness for a future stage of EHR certification.
- Regarding content of the report:
* The accounting of disclosures should require only an entity name rather than the specific individual as proposed (Testifiers at the hearing stated that this proposed requirement may subject employees to privacy intrusions and create safety concerns)
* Content of the report should be tested in the pilot; such testing should include the possibility of grouping similar disclosures together (vs. reporting them individually), as permitted by the proposed Accounting of Disclosures rule.
- The Tiger Team also reinforces the importance of the right of an individual to an investigation of any alleged inappropriate access
* Results of the hearing indicate that an investigation, rather than an accounting, may satisfy many patient concerns
* The Tiger Team notes the ability of patients, under the accounting of disclosures proposed rule, to obtain a report that includes disclosures that would be considered breaches but are not required to be reported to patients
- To improve the ability of covered entities to investigate inappropriate access, the Tiger Team recommends that the Office for Civil Rights clarify the auditing provisions of the Security Rule
* Specifically, implementation specifications for this provision should be clear that information collected in the audit trail must be sufficient to support the detection and investigation of potential inappropriate accesses and/or uses of PHI.
“We are trying to be clear in that we’re suggesting to HHS that it should, for HITECH implementation purposes, focus on disclosures that are external to the covered entity,” McGraw said.
Though the team said that this message didn’t come through as clearly on the slides, the group has seemingly agreed on accounting of disclosures policies from a conceptual standpoint.
Outstanding issues discussed
The Tiger Team also reviewed a “follow the data” approach, under which, once the provider loses control over the data, the recipient of the data should be included in an accounting of disclosures report. McGraw referenced the 2010 meaningful choice recommendations and added that she agrees with the overarching themes but is still trying to work through the logistics.
The trigger for the reporting requirement is in the right place conceptually because it focuses on data that leaves a trusted environment where the provider is the steward of protected data; we’ve moved into an area where the provider isn’t in control of those decisions anymore.
The only challenge is teaching a computer to distinguish when there’s this loss of control, because the data may in fact pass through an HIE in a circumstance where the provider does have control in some HIE arrangements but not in others. I’m just trying to wrap my head around how the computer figures that out.
McGraw also asked whether the team’s recommendations help remove the HIPAA Accounting TPO Exemption for disclosures “through an EHR.”
We’re trying to give recommendations on how [the policy committee] can, in a step-wise manner, implement the TPO exception for disclosures, at least initially through an EHR (following what HITECH says). And also what they should focus on with these disclosures.