Department of Health and Human Services’ Office for Civil Rights’ recent notice of proposed rulemaking on accounting of disclosures introduces a valuable privacy tool for individuals—the access report.
The HIPAA Security Rule’s information system activity review specification [164.308(a)(1)] requires organizations to “implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” The rule’s audit controls standard [164.312(b)] requires organizations to “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
First, the proposed rule spells out revised HIPAA requirements to provide patients with an accounting of disclosures of protected health information to outside parties for certain purposes, such as law enforcement and public health.
Second, the proposal requires providing patients, upon request, with “access reports” that summarize who electronically accessed their information. Greene explains the rule attempts to address “What’s the best way to get the information that individuals are most interested in, which is, who has seen their records?” He points out that under the proposed rule, a patient could simply ask whether a specific individual has electronically accessed their records, or they could ask for a complete list of everyone who has accessed them.
Kate Borten, president of The Marblehead Group, a health information privacy and security consulting firm, agrees that the Access Report recommendation deserves industry support.
“Access logs and reports are the primary, if not only, way for organizations and individuals to identify inappropriate electronic snooping by otherwise authorized user—a serious problem wherever many users have access to large electronic databases of personal information.”
Many EHR systems have audit logging capabilities, but are not always implemented to their full capacity. Other systems do not provide easy assess to logs or reporting capability. Designing the functionality shouldn’t be difficult for vendors. But the time and money spent by covered entities and business associates in upgrading or replacing systems will have an impact.