August 1, 2011
U.S. Department of Health and Human Services
Office for Civil Rights
Hubert H. Humphrey Building
Room 509F
200 Independence Avenue SW
Washington, DC 20201
Attn: HIPAA Privacy Rule Accounting of Disclosures, RIN 0991-AB62
Dear Secretary Sebelius:
Genetic Alliance appreciates this opportunity to respond to the above-referenced proposed rule. As explained below, while we appreciate the direction of the proposed changes to the accounting of disclosures (45 CFR §164.528(a)), we are troubled by the overwhelming cost and unworkability of the proposed access report (45 CFR §164.528(b)). Despite the Department’s intent to ease some of the existing administrative burdens on biomedical research, the net effect of the proposed rule, unfortunately, would be to magnify those burdens. Unnecessary and inappropriate burdens on biomedical research – even when purportedly imposed to serve patients’ interests – actually are hostile to the interests of patients, for they add needless health care costs that are borne by all and impede breakthrough medical advancements urgently needed by individuals. We urge the Department to withdraw the proposed rule entirely and instead conduct a comprehensive and updated re-examination of the costs and benefits of any version of the accounting of disclosures requirements.
Founded in 1986 as the Alliance for Genetic Support Groups, Genetic Alliance has become the world's leading nonprofit health advocacy organization committed to transforming health through genetics. Our open network of over 10,000 organizations connects members of parent and family groups, community organizations, disease-specific advocacy organizations, professional societies, educational institutions, corporations, and government agencies to create novel partnerships. We actively engage in improving access to information for individuals, families, and communities, while supporting the translation of research into services and care. We recognize the promise of modernized health information technology (HIT) to lower healthcare costs, improve quality and coordination of care, and reduce medical errors, and we are committed to HIT advancements accompanied by privacy protections. To that end, Sharon Terry, Genetic Alliance President & CEO, serves on the Health IT Standards Committee, a federal advisory body established by law to provide recommendations to the National Coordinator for Health Information Technology on the advancement of health information technology (HIT) as an integral component of health reform.
Sharon Terry also has personal knowledge of how genetic conditions and the resulting disease issues can disrupt families. Because her children have a genetic condition called pseudoxanthoma elasticum (PXE), she worked intensely to identify and patent the associated gene and serves as CEO of PXE International, a nonprofit advocacy group she founded, which seeks to accelerate tests and treatments for the condition. Her own experience, magnified many thousands of times over by the experiences of individuals and families served by Genetic Alliance, helps fuel our organization’s passion to seek medical advances through research. The guiding principle for our public policy work is to support meaningful, efficacious protections for health information privacy, maximize consumer engagement in healthcare, and seek broader dissemination of knowledge, improved efficiency of health care systems, better health outcomes, and research breakthroughs to ease suffering and improve health.
After a careful review, we have concluded that the proposed access report is fundamentally misguided insofar as its burdensomeness and impracticality vastly outweigh its purported value. We also note that numerous research institutions and health care policy experts, including the Secretary’s Advisory Committee on Human Research Protections (SACHRP) and the Institute of Medicine (IOM), have concluded that even the existing version of the accounting of disclosures rule, which has been in place since 2003, places burdens on research and health care that vastly exceed any potential value to patients. Given the broad expert consensus that this existing accounting right, which is very rarely used by patients, flunks rational cost-benefit analysis, we are troubled that Congress chose in HITECH to expand the requirement by removing exemptions for treatment, payment, and health care operations, and we are even more troubled that the Department proposes to go far beyond Congress’s direction by expanding the rule to allow individuals to demand a detailed report about all internal access to and uses of health information. We are shocked that the Department would require Covered Entities (CEs) and certain Business Associates (BAs) to identify the names of all their employees and contractors who have appropriately accessed health data in the course of doing their jobs. We would like to explain our reasons as follows:
- The access report proposal rests on a dramatic misjudgment of the capabilities of the technology currently available to HIPAA CEs and BAs. Systems that comply with the HIPAA Security Rule requirements at 45 CFR §164.308(a)(1)(ii)(D) (information system activity review) and §164.312(b) (audit controls) are designed to flag and detect anomalies and to create persistent internal records that can be used in post-mortem analysis of security incidents. Although those records are suitable for electronic searching, they are typically coded and decipherable only by IT staff. They are not designed to produce voluminous, comprehensive audit logs that would be meaningful to non-IT users.
- Compliance with the proposed rule would require an expensive revamping of IT systems and processes. In fact, despite some assertions to the contrary, the cost of purchasing compliant new systems or reworking existing systems simply cannot be measured at this time. Presumably, technology vendors could create such systems, given enough financial incentive, but until they produce product prototypes with actual prices attached, estimates of the technology costs are meaningless. Unquestionably, however, the costs would be tremendous, especially when the software and process changes would be required of millions, perhaps tens of millions, of CEs and BAs.
- Even the printing and delivery costs of access reports would be staggering. For example, the access report that one hospital created for one patient for one month for only one of its several dozen EHR systems was almost 800 pages. If that month were representative of the full 36 months that could be required, the total would approach 29,000 pages. At a very modest price of $.10/page for printing, printing would cost $2,900; at a more realistic rate of $1.00/page for printing and handling, the cost would be $29,000. Shipping would be over $400 for 20 reams of paper. Printing, handling, and shipping would thus cost between $3,300 and $29,400, and that covers only one EHR system (most hospitals have dozens). The numbers become astonishingly high when you add the Department’s requirement to produce voluminous printouts from several to hundreds of BAs, depending on how ambiguities in the rule are interpreted. Even the shipping from the BAs to the CE would need to be calculated and added. The Department’s cost estimates included nothing for printing and shipping costs. The rule also requires the CE to keep a copy of all access reports provided to patients, so the printing costs would need to be doubled if paper copies are kept. Furthermore, the first report provided to each patient each year would be completely free to patients, placing the entire financial burden on CEs and BAs. These reports are, of course, not actually “free” – to the contrary, all the costs would be passed on to patients and taxpayers in the form of higher prices and taxes, reduced services, and/or lower quality.
- The administrative costs of processing requests and responding to patients’ follow-up inquiries when they cannot decipher or are alarmed by the voluminous reports generated were not taken into account by the Department. These administrative costs, along with foreseeable related legal costs, would be substantial.
- In evaluating the cost-benefit ratio, it is crucial to carefully consider the potential value of the reports to patients. We are convinced that the reports would be of little to no value to patients. Following the example above, it is hard to imagine a patient being pleased when a truck delivers hundreds or thousands of pounds of technical printouts to her doorstep. The reports themselves would show thousands of internal data transfers between systems, along with the names of numerous employees, contractors, and BAs, and of employees and contractors of BAs (and their BAs), almost all of which would presumably be meaningless to a patient.
- We see no reason why patients would benefit from, or should have any legally cognizable interest in, knowing the names of individual employees at CEs and BAs who have appropriately accessed data about them. Such staff would include a vast array of individuals ranging from clinical staff, schedulers, clerks, coders, dictation services staff, records staff, billing, financial staff, human resources, food service, information technology, quality and safety reviewers, performance management system staff, auditors, legal counsel, clinical trial recruiters, medical researchers, and many others. No such “interest” in knowing the identity of those who touch one’s information exists in any other context – nor should it. Customers cannot, for example, demand that their bank give them the names of every employee or outside auditor who accessed information about their bank or credit card account.
- In direct contrast to the absence of patient “interest,” we believe that supplying the names of individual employees of CEs and BAs to patients upon request does directly invade the legitimate workplace privacy interests of the employees. Even worse, it is entirely foreseeable that the safety of employees could be put at risk. Even without the proposed opportunity for mass exposure of health workers’ identities, there have been cases of health employees being stalked by patients, and in some treatment environments (e.g., emergency rooms and psychiatric facilities), providers use pseudonyms to avoid patients stalking or contacting them outside the workplace. See the comments on this proposed rule submitted by the American Health Information Management Association on July 29, 2011. Of course, with today’s online search tools, a name is frequently just a few mouse clicks away from a home address and information about members of an individual’s household. Even if the cost of the proposed access report software, implementation, administration, printing, and report delivery were zero – which is obviously counterfactual – we would still urge the Department to withdraw it for this reason alone, because employee privacy and safety should not be put at risk in this manner.
- Patients do, of course, have an entirely legitimate interest in having their information protected, including protection from inappropriate internal viewing by staff who lack a business reason for accessing their records. Clearly, harm to patients could result from inappropriate or unauthorized access. Mechanisms already exist, however, to detect and prevent such access, and to respond to patients’ concerns that inappropriate internal viewing may have occurred. In fact, many of the recent breaches involving inappropriate internal access were detected by automated internal audit controls and information system activity review, as mandated by the HIPAA Security Rule. If a patient has reason to suspect that a particular individual has inappropriately accessed his records (which is the most common justification for the proposed access report), then that patient has – and definitely should have – a right to contact the organization’s Privacy Officer to raise his concerns. The organization must then conduct an investigation. If the patient isn’t satisfied, or if he chooses not to contact the organization directly, he can file a complaint with HHS.
- We are unaware of evidence of widespread problems with these existing methods and IT systems for detecting, investigating, and responding to complaints. In fact, providers report that the most common reason patients request an accounting of disclosures today is that they have suspicions about whether a particular individual has improperly accessed their information, and that sometimes the patient prefers to have the provider conduct a targeted investigation related to their suspicion rather than give them an accounting of all disclosures. However, if there is evidence of widespread inadequacy of either automated system activity security controls or institutional unresponsiveness to complaints, we would encourage HHS to evaluate whether any carefully tailored approaches are needed to address that specific concern. However, generating vast audit logs at vast expense and shipping enormous reports to individual patients, so they can conduct their own “investigations” of what they deem appropriate (and then perhaps pursue their own vigilante justice) is entirely inappropriate.
- The proposed rule is predicated on an explicit assumption that audit logs of the type mandated by the rule are already mandated by the HIPAA Security Rule. We disagree with this interpretation, and we believe it is contrary to HHS’s long-standing previous interpretations of the Security Rule. The two relevant Security Rule requirements are for “audit controls” and “information system activity review,” neither of which specifically mandates audit logs, let alone audit logs that could be decipherable by non-IT staff. Moreover, this rigid, one-size-fits-all interpretation of a specific security requirement is inconsistent with the flexible approach HHS has, until now, applied to the Security Rule, appropriately making the requirements “scalable” and “technology neutral.”
- The scope of the proposed rule is ambiguous, which creates serious compliance problems. The rule uses a variety of terms to define the scope of the regulation – the “designated record set,” “designated record set information,” and “designated record set systems.” The databases encompassed by these three terms seem to be widely divergent. If the Department proceeds with accounting of disclosures requirements, we would strongly urge you to confine the scope to a single designated record set, and not to include copies of information that originated in designated record sets. Expanding any requirements (even a simple “accounting,” much less an entirely inappropriate access report) beyond the narrow designated record set would not only greatly magnify the burdensomeness of the regulation, but also would impose a serious chilling effect on the numerous quality and safety initiatives involving health care operations that are essential for achieving the goals of meaningful health care reform.
- Regarding research, we appreciate that the Department took note of widespread criticism by public policy experts, including SACHRP and the IOM, that the existing accounting rule imposes expensive and needless bureaucratic burdens on research today. We applaud the Department’s efforts to make the impact of the accounting requirements more workable. Specifically, we strongly support the provisions that limit the accounting right to three years, specify which disclosures are included rather than listing those that are excluded, exclude research disclosures made pursuant to an Institutional Review Board (IRB) waiver, exclude disclosures made under conditions prescribed by HIPAA for activities preparatory to research, exclude certain health care oversight disclosures, exclude disclosures of Limited Data Sets, and exclude disclosures pursuant to authorizations. We still have concerns about some remaining details in the accounting requirement at section 164.528(a), such as the required description of the Protected Health Information and the purpose of the disclosure, since such information is often not available on an automated basis. We are also concerned about the additional expense of providing an accounting in “the form and format requested,” if readily producible in such, or in such other form as agreed to by the CE and the patient, which seems to invite burdensome disputes about format.
But as to the proposed rule’s effect on research as a whole, we conclude that what the Department has given with one hand – an easing of undue administrative burdens on research vis-à-vis the accounting requirement – it has more than taken away with the other hand, by requiring inclusion in the access report of all uses and electronic disclosures of Protected Health Information (PHI). The appropriate exceptions listed above would not apply in the context of the access report; even uses approved by an IRB or Privacy Board that concluded the study was of “minimal risk” to patient privacy, tightly controlled access preparatory to research, and arguably even uses in which PHI use was confined to a Limited Data Set (with 16 identifiers removed) would have to be identified and reported.
To give a practical example of the role of just one employee in the overall clinical research environment, consider the activities of a research monitor. To protect the rights and welfare of a research participant and as part of the oversight of a clinical trial required of the trial’s sponsor, a research monitor regularly reviews the clinical trial record, assessing compliance with the trial protocol and ensuring accurate and complete informed consent. Today that clinical trial documentation is frequently maintained electronically, often as part of the clinician’s electronic health record. The monitor accesses the EHR – most often in-person, but increasingly by way of electronic access – pursuant to a HIPAA Authorization provided by the trial participant, and that disclosure to a person outside of the clinician’s workforce is excluded from the accounting of disclosures requirement, both currently and under the proposed rule. However, the proposed rule would require the monitor’s access to electronic designated record set information to be included in an access report, notwithstanding the HIPAA Authorization. Similarly, if the monitor engaged in activities preparatory to research, such as by screening EHRs without recording any information or having any PHI leave the covered entity, but only informing the clinician of potential clinical trial participants in his/her practice, that also would be included in an access report. At the extreme, Genetic Alliance is concerned that even electronic access to thousands or millions of subjects within a Limited Data Set, which is defined as PHI and is clearly comprised of electronic designated record set information, would have to be included in an access report. 
Failing to exempt Limited Data Set information would create the nonsensical – but troubling – problem of having to re-identify an entire data set of individuals, thereby defeating the very purpose of using a Limited Data Set to protect privacy, just in order to fulfill the request of a single person.
We are doubtful that the electronic health record systems (EHRs) used by physicians and hospitals today could accurately and completely capture these disparate research activities. Even more to the point, as an advocacy organization committed to accelerating biomedical research, we are astonished that by including research uses and disclosures of electronic designated record set information in the access report requirement, HHS has proposed not a reduction in the burden on research, but a significant increase – and we are hard-pressed to understand what the benefit of this requirement would be to an individual who has provided an Authorization or whose information has been accessed legitimately under §164.512(i) or §164.514(e), activities that the Department has previously, and in our opinion appropriately, decided need not be included in an accounting of disclosures.
Summary and Recommendations
For all the reasons explained above, we urge the withdrawal of the proposed rule entirely. The access report right is unduly expensive and burdensome, unworkable, invasive of the privacy and safety interests of employees, unnecessary to protect patients’ interests, and ultimately harmful to patients. It would also serve as a disincentive to HIT adoption and innovation; we have heard anecdotally of physicians in small practices who are stunned at the idea of adding to the expense of their EHRs and are shocked at the idea of disclosing the identities of all their staff to inquiring patients. Opposition to this ill-advised accounting rule could serve to stir up opposition to HIT as a whole, which would be highly unfortunate, given that sophisticated HIT is essential for modernizing health care and achieving the Administration’s goals underlying health care reform. As to the accounting provisions per se, while we appreciate the Department’s efforts to make the rule more workable and slightly shift the existing unfavorable cost-benefit ratio, especially with respect to research, we consider that ratio to be still well short of any reasonable balancing. Even with the Department’s proposed changes, and even if the access report right were withdrawn, the justification for the accounting of disclosures right seems inadequate to support the substantial cost that it imposes on health care systems and ultimately on patients.
Patients do have a legitimate interest in understanding – indeed, improving their understanding of – how patient data is routinely used not just to inform their own personal treatment but also to further societal goals. Robust analysis of patient data is critical for improving public health, quality, safety, research into innovative medicines, techniques, and practices, and bending the cost curve downward. The Department could perform a meaningful service in advancing public understanding by producing simple fact sheets explaining how patient data is used in these settings to benefit all of us. Hospitals and medical providers could make these fact sheets readily available to patients and could also customize them as appropriate to their particular circumstances. Accurate and current information about how patient data is used to improve medical progress and advance societal benefits, while remaining subject to robust privacy protections, could be very helpful in creating more trust and support for data usage outside the immediate treatment setting. In contrast, it is not clear how patients’ interests are served by an accounting of disclosures that even simply lists BAs and the services they perform (let alone reveals the identity of employees at those BAs). Any such “right” in a context outside health care would be unthinkable; no one would mandate that a bank give its vendor list to each bank customer who demands it. Even the duty to keep a constantly updated list of all vendors with whom personal data is shared would be a major challenge for any large business (or government agency). And inadvertently producing an incomplete or out-of-date list of BAs to whom relevant data had been disclosed would constitute a HIPAA violation, needlessly exposing a CE to liability and fines for a trivial misstep that in no way harmed patients – hardly a wise public policy result.
Within this context, we are unclear as to how even providing a simplified accounting of disclosures requirement advances meaningful and legitimate patient interests at a level that approaches the cost that such requirements impose on health care entities (and thus indirectly on patients and taxpayers). We thus would urge the Department to not only withdraw this proposed rule but also to use its general regulatory powers to take a fresh look at the entire concept of giving patients an accounting of disclosures related to their specific health records, which may well be, frankly, antiquated and ill-advised in an age where cutting-edge, data-driven analytical tools are vitally needed to analyze health data and furnish crucial research insights on a level never done before. We would urge you to examine costs and benefits carefully and comprehensively as you proceed to determine what is most in patients’ interests, both individually and collectively.
We thank you for this opportunity to submit our comments, and we would be happy to provide additional information if that would be useful to the Department.