Model Comment Letter re Proposed HIPAA Accounting Rule by lanyuehua


[Insert Organization Letterhead]
[If no formal letterhead, insert: Name, Address, Telephone Number and Email Address of
Your Organization]

[Insert Date]

VIA [Insert Method of Submission (Mail, Electronic, Overnight Delivery)]

U.S. Department of Health and Human Services
Office for Civil Rights
[Insert appropriate address depending on method of submission]

Re: HIPAA Privacy Rule Accounting of Disclosures under the Health Information
Technology for Economic and Clinical Health Act

Ladies and Gentlemen:

      Thank you for the opportunity to submit comments regarding the above-referenced
Proposed Rule.

       We strongly oppose the introduction of the access report requirement for several key
reasons. First, the requirement would unnecessarily impose a heavy administrative and financial
burden on our organization. Second, introduction of this new right goes well beyond the
Congressional intent expressed in the HITECH Act. Third, the new requirement could deter the
adoption of electronic health records (EHRs). Finally, it intrudes into the privacy rights of our
workforce members who access patient records for legitimate reasons.

       For these reasons (outlined more fully below), we respectfully request that HHS not
implement the access report requirement. HHS should issue a Final Rule that comports with the
language of the HITECH Act.

Brief Overview of Our Organization

[Briefly describe your organization, including: name, primary place of business, type of
organization, types of services you provide, the individuals you serve, etc. If you are an ambulance
or fire service association representing a group of providers of ambulance services, please include a
statement that you are submitting comments on behalf of your members and include a brief
description of the members you serve and the types of services they provide.]

Comments on the Proposed Rule

   1. The Proposed Rule Poses Significant and Unreasonable Burdens

        Tracking and subsequently generating a detailed report of all access activity related to
electronic designated record sets (DRS) will pose substantial and unreasonable burdens for our

       HHS believes that covered entities are already tracking every instance when electronic
PHI (ePHI) is accessed under the HIPAA Security Rule. However, the Security Rule does not
mandate constant access tracking. Rather, most ambulance providers conduct periodic checks to
determine, for example, if unauthorized staff members are accessing records. Current systems
are geared to track only a limited number of disclosures to comply with the current accounting
standard, rather than every access attempt. [Describe how your organization tracks access to
electronic patient records and what upgrades your organization would be required to make
to comply with the Proposed Rule.]

        Patient records are sometimes accessed numerous times on a daily basis for a host of
legitimate reasons. For example, EMTs and paramedics may create an electronic patient care
report (ePCR) in the field and then subsequently access that report several times to complete it.
This is because there is often limited time to record all of the necessary information at the time of
service. Many times, there are other providers on a call and those other providers may need to
access the ePCR to review or amend the information as well. Further, supervisors will
frequently review ePCRs for quality assurance and other purposes. Information contained in
ePCRs is also needed to bill for those services – which may require numerous access attempts to
ePCRs as billing and other information is collected. Under the Rule, software would now have
to track all of these activities and then generate a detailed and potentially lengthy report on that

        The Rule would also require our organization to purchase and implement programs
capable of generating detailed, comprehensive access reports. Under the Proposed Rule, access
reports have to be in some “understandable format” and they must contain all instances of access
to a DRS during the past three years (unless the requestor specifies a shorter time period).

        The Rule would impose a burden on our organization to aggregate all instances of DRS
access including: (1) access occurring in our different data systems; (2) access occurring in our
business associates’ systems; and (3) access by other third parties. [Describe how patient data
is stored at your organization, how it is uploaded to different systems, and how your
business associates upload and store that information. If the data is kept in different
locations, point this out and discuss how difficult it would be to aggregate this data for an
access report request.]

        We would also incur costs for training individuals on how to comply with access report
requests, and the costs (time and labor) of creating the reports. Upon receipt of a request, our
staff would have to aggregate the data from disparate systems and then create a report in an
“understandable format.” This may involve contacting various business associates, querying
through numerous databases, and running several different applications. This may also involve
matching a user name to a specific provider (as the Rule would require the disclosure of the full
name of the person who accessed the record). We would also have to evaluate the capabilities
of our systems and determine whether our business associates are capable of complying with the
proposed access report requirement.

         Requiring providers to furnish an accounting with the level of detail this Proposed Rule
calls for, and to expend the resources necessary to provide these reports, is unreasonable and
unnecessary. Very few patients request an accounting of disclosures and HHS recognizes this
fact in its commentary to this Rule. [If your organization has had very few, or no accounting
requests, mention this fact.] This Rule is overly broad and burdensome in light of this reality.

   2. The Proposed Rule Disregards the Intent Expressed by Congress

        The Proposed Rule goes far beyond what Congress intended by the already burdensome
expansion of the HIPAA accounting rule. The HITECH Act intended to eliminate the exception
for tracking treatment, payment, and healthcare operations disclosures when such disclosures are
made through an EHR. Under HIPAA, disclosure means releasing information outside of the
organization. But, HHS is now proposing a rule that would require covered entities to account
for not only instances where PHI is disclosed outside the entity, but also when it has merely
been accessed internally, by our own workforce members.

        The access report requirement was not mentioned or even referenced in the HITECH
Act. In fact, the HITECH Act states that HHS should issue a rule that takes into account the
administrative burden of accounting for such disclosures. Here, the intent of Congress was clear
that any rule issued was only to apply to “disclosures” of PHI, as that term is defined under
HIPAA. A rule that would require covered entities to track all access, internal and external,
clearly goes against Congressional intent.

   3. The Proposed Rule May Discourage the Adoption of EHRs

        We believe that some providers may make the choice to forgo the adoption of EHRs in
order to avoid the high costs and excessive burdens of compliance with this Proposed Rule. [If
your service does not currently utilize electronic health records, mention this.]
Unfortunately, the financial incentives included in the HITECH Act through the Medicare and
Medicaid programs are not available to most of the ambulance suppliers. [If you are an
ambulance supplier, i.e., not a facility-based ambulance service that used to bill a Medicare
Fiscal Intermediary, make mention of that fact.] This Proposed Rule may serve as a
significant impediment to the adoption of important technology for ambulance services given the
burdens detailed above. Providers may seek to avoid the high costs associated with complying
with this Proposed Rule by continuing to utilize paper records.

   4. The Proposed Rule Intrudes Into the Privacy of our Workforce Members

       Because the Proposed Rule would require us to divulge the name of the person who
accessed the information, it represents a serious intrusion into the privacy rights of individuals
who work for our organization. The access reports that HHS is proposing would have to
document the first and last name of anyone who electronically accessed a patient’s electronic
DRS. Our workforce members might be apprehensive about accessing records, even for
legitimate purposes, if they know that patients have the right to find out about it. [If you serve a
small community, include the following sentence: In addition, in our small community,
patients may personally know those who have accessed their records and may take exception
to this, even when the access was warranted and reasonable.] This could lead to unwarranted
complaints and accusations against our workforce members and could erode our patients’ trust in
our providers if they believe their records are being improperly accessed.


        We hope that HHS will appreciate the significant financial and administrative burdens
that this Proposed Rule would impose on our organization. We also trust that HHS will consider
the potential deterrent effect that this Rule could have on the adoption of new electronic
technology. For these reasons, HHS should not implement the access report requirement.

       We appreciate the opportunity to offer our comments on the Proposed Rule.

                                              Very truly yours,

                                              [Name of Organization]
