Accounting of disclosures rule must balance 'wants' and 'needs'

It's heartening that the ONC Health IT Policy Committee's Tiger Team is reevaluating the controversial accounting of disclosures proposed rule, having held a virtual hearing Monday to look for "realistic" ways to provide patients with greater transparency about how their electronic health information is used and disclosed.

The proposed rule, published in May 2011, expands the existing accounting of disclosures requirements to all disclosures--including those related to payment, treatment and operations--when the patient records are in electronic format. The rule created a furor among stakeholders, with many claiming it was overreaching, burdensome and technologically impossible.   

But one of the biggest problems, readily apparent at this week's hearing, is ascertaining what patients really want when they ask for an accounting of disclosures. Most of them, according to some surveys, don't even want their records to be in electronic format. Do they really want an "access report," which was not included in the HITECH Act, but created in the proposed rule? Do they really want to know the names of every nurse who views the digital chart?

That certainly was the argument of many industry representatives who testified at the hearing.

"Based on our experience responding to patients inquiries about access to health information, we believe that patients do not want, nor are they well-served by, an exhaustive accounting of all access, uses, or disclosures of their health information," Jeremy Delinsky, chief technical officer for Watertown, Mass.-based electronic health record vendor athenahealth, said at the hearing, noting that "transparency for transparency's sake" is not necessarily desirable and that accounting needs to be "meaningful."

Jutta Williams, chief privacy officer for Salt Lake City-based Intermountain Healthcare, testified that patients are more interested in whether access is appropriate. That sentiment was echoed by Lynne Thomas Gordon, CEO of the American Health Information Management Association, who testified that it would be more feasible to provide such reports on an as-needed basis and when there was a "reasonable indication" that inappropriate access occurred. She also noted that providing the names of all healthcare employees who access data in the course of their duties would jeopardize their safety. Others testified that providing automatic access to all of the information would actually make it harder for patients to determine which access was inappropriate.

Patient advocate Deborah Peel, founder and chair of Patient Privacy Rights, disagreed, suggesting that people will understand at some point that their health information is their most valuable asset in the digital world and needs to be protected. She also testified that "Unless AODs are automated and include all the detailed information about all TPO uses and disclosures, individuals literally have no way to know to whom their PHI goes, or what was disclosed or used."

The problem is that patients themselves may not know what they want. Many of them still don't know that they have the right to an accounting due to HIPAA.

But that doesn't mean that they don't need to have this access. Clearly they need it. But how much of it, and in what way?  What is the right balance between what's wanted and what's needed in the accounting of electronic disclosures?

To paraphrase the Rolling Stones, who understood this conundrum years ago, you can't always get what you want, but you might find you get what you need.

The question becomes, then, what is a want and what is a need.

Good luck Tiger Team. Seems like you get to decide. You have your work cut out for you. When you get back from furlough, of course. - Marla (@MarlaHirsch)