New HIPAA Access Report: Proceed with Caution
We previously reported on the HIPAA Proposed Rule on Accounting of Disclosures and the new Access Report requirements. Further analysis of the proposed rule raises additional concerns for healthcare entities and providers. As a reminder, the Access Report requirements will mandate that, upon a patient’s request, a covered entity or business associate must provide an accounting of all individuals who accessed the electronic health record in a designated record set, for any reason. This includes both uses and disclosures, regardless of the purpose.
Caution: Many electronic records are not equipped to automatically generate the list of all individuals that access a patient’s electronic health record. The Proposed Rule implicates not only those individuals caring for the patient, but those in the billing department processing the payments, and others who access the designated record set during the course of “operations.” The electronic record will not differentiate between the types of activities an individual does while accessing the patient’s designated record set. As a result, the Access Report while creating a great deal of transparency as to who has accessed a patient’s record, may generate a lot of confusion and unnecessary concern due to the sheer volume of people who access a patient’s medical record as part of treatment, payment and operations during a single hospitalization or complex outpatient visit.
The Proposed Rule does not specifically exclude activities that healthcare providers may consider privileged under various legal privileges, such as peer review, hospital committee, attorney-client, attorney work product or performance improvement privileges. Activities, such as root cause analyses, adverse patient event investigations, physician peer review, or even in-house attorney review of a designated record set, may be included as part of the access report when individuals conducting those activities access a designated record set to accomplish those duties. Importantly, those individuals who access the designated record set may become unwitting witnesses in a subsequent malpractice action. The information contained within an Access Report could provide the basis for determining when a provider anticipated litigation and/or a spoliation claim. An enterprising plaintiff’s attorney may have his/her client request an Access Report from the healthcare provider prior to filing suit to obtain such information. Health Information Management, Risk Management, Privacy/Compliance, Information Technology and the Legal departments should develop a coordinated process to ensure appropriate handling and notification when such requests are made and to evaluate potential litigation implications.