The College of Healthcare Information Management Executives (CHIME) has asked the federal Office of Civil Rights (OCR) to reconsider its proposal to require that healthcare providers and insurers supply patients with information about who has accessed their medical records.
The 2002 HIPAA Privacy Rule states that healthcare providers and other covered entities are responsible for protecting the privacy of personal health information. They also must be able to provide an Accounting of Disclosures of that information. OCR, in its May 31 notice of proposed rulemaking, tried to extend that mandate by giving patients the right to obtain an access report on who has viewed their data.
Providers maintain varying types of access records, CHIME said in a letter to OCR, and it is "not realistic for most covered entities" to collect data on access to patient data in an automated way. As such, the group asked that OCR exclude the access report provision from its final rule.
CHIME also approved of OCR's proposal to reduce the accounting period for disclosures from six years to three years. Even so, it asked that the time for responding to requests for data remain 60 days, rather than being reduced to 30 days as OCR proposed.
CHIME noted that the cost of complying with the new access report mandate would divert scarce resources from more pressing needs, including Meaningful Use and the ICD-10 and HIPAA 5010 implementations. Aggregating information for such an access report, it said, "would require the purchase of new and expensive software tools, additional data storage and multiple FTEs dedicated to pulling and consolidating logs from disparate systems."