Disclosure Accounting: Comments Submitted to the U.S. Department of Health and Human Services, Office for Civil Rights
Georgina Verdugo, DirectorOffice for Civil Rights
U.S. Department of Health and Human Services
ATTN: HITECH Accounting of Disclosures
Hubert H. Humphrey Building, Room 509F
200 Independence Avenue, SW
Washington, DC 20201
Dear Director Verdugo:
The Privacy Rights Clearinghouse (PRC) welcomes the opportunity to respond to the Office for Civil Rights (OCR) request for information regarding accounting for disclosures required by the Health Information Technology for Economic and Clinical Health Act (HITECH).
The PRC is a nonprofit consumer education and advocacy organization based in San Diego, CA, and established in 1992. The PRC advises consumers on a variety of informational privacy issues, including finanal privacy, medical privacy and online privacy, through a series of fact sheets as well as individual counseling available via telephone and email. It represents consumers’ interests in legislative and regulatory proceedings on the state and federal levels.
We direct our comments as follows:
- Benefits to the individual of accounting disclosures
- Individuals’ knowledge of accounting rights
- Information to be included in a meaningful accounting
- Recommendations and conclusion
In adopting the final HIPAA Privacy Rule (Privacy Rule) in 2003, OCR included a section outlining a patient’s right to receive an accounting of protected health information (PHI) disclosures. As adopted, however, the Privacy Rule includes many exceptions to the kinds of data that must be included in an accounting, one of which is that an accounting need not tell patients about disclosures made for treatment, payment, and healthcare operations.
Section 13405(c) of the HITECH Act has now closed a gap left by the Privacy Rule by requiring that an accounting include disclosures for treatment, payment, and health care operations when made through an electronic health record (EHR). Imperfect as it is, since HITECH does not also require an accounting for internal uses, the new law is nonetheless one step forward in giving patients information about the flow of highly sensitive health data.
We note that most of the RFI questions focus on the capability of EHR systems. Privacy, data integrity, and transparency as seen by the consumer are the PRC’s focal points. Thus, we limit our comments to those questions that incorporate the consumer’s point of view. However, as new systems are developed to meet the demand for a comprehensive EHR scheme, we are confident that systems either exist or can be developed which will meet the requirements of OCR’s final rules.
OCR’s Question Number 1 asks: “What are the benefits to the individual of an accounting of disclosures, particularly of disclosures made for treatment, payment, and health care operations purposes?”
An individual’s right to know who sees their personal data is a fundamental element of privacy. Indeed, most versions of the Fair Information Practices (FIPs) incorporate principles of openness, transparency, and accountability. (See PRC's A Review of the Fair Information Principles)
Accountings are essential if consumers are to have any confidence in the entity that collects, stores, uses, and discloses personal information, particularly in the highly confidential setting of health care. Not only does the consumer gain confidence from the ability to know who has accessed personal information, but it also signals to the consumer that the entity responsible for assuring privacy will itself be held accountable for unauthorized disclosures.
Pertaining particularly to disclosures for treatment, payment, and health care operations, presumably a covered entity would now document such disclosures to ensure compliance with the Privacy Rule’s definitions of these activities. An accounting of such disclosures, like all other disclosures, not only instills confidence in individuals but also ensures that covered entities will take care to make disclosures that are within the framework allowed by law and agency rules.
OCR’s Question Number 2 asks: “Are individuals aware of their current right to receive an accounting of disclosures?”
After many years of responding personally to thousands of consumer questions, the PRC has learned that most consumers investigate their rights when a problem or question arises. The legal landscape for privacy in the U.S. is too complex and fractured for most individuals to fully comprehend. Even when consumers have basic knowledge of their rights, few may know about the limitations on those rights imposed by a multitude of laws and agency rules.
This certainly is the case for HIPAA. The Privacy Rule says a covered entity’s notice of privacy practices must tell consumers, among other things, about their individual rights (see 45 CFR 164.520 (b) (iv)). The right to an accounting of disclosures is one of those rights that must be included in the covered entity’s privacy notice.
HIPAA Privacy Rules do not require patients to read and fully digest the content of the notice, but only require that the covered entity make a good faith effort to get acknowledgement that the patient has received the notice. Frankly, it is doubtful that a majority of patients give more than a cursory look at privacy notices when they visit their provider’s office for treatment.
We are not aware of any surveys that have explored consumers’ awareness of their right to an accounting. However, in our experience, as mentioned earlier, individuals will educate themselves about their privacy rights as the need arises. Typically, a consumer who suspects an unauthorized disclosure would inquire about how to find out who has received their information.
In our opinion, the number of individuals who have asked a covered entity for an accounting is of little consequence. (See: OCR's Question Number 3 posed to HIPAA covered entites.) Few requests for an accounting does not mean that individuals are unaware of their right to an accounting. Nor does it mean that individuals are indifferent when it comes to knowing who has received disclosures of their personal health information. Even the most privacy-conscious individuals are unlikely to seek an accounting in numbers equal to those who exercise their right to receive medical records.
OCR’s Question 5 explores various data elements that should be included in an accounting in addition to date, time, patient identification number, user identification, and a description of the disclosure. OCR asks whether other data elements such as recipient and purpose of the disclosure should be included or, in the alternative, whether a simple notation that the disclosure is for treatment, payment or health care operations is sufficient.
We note that the HIPAA Privacy Rule currently requires that an accounting include:
- The name of the entity who received the information.
- A description of the information.
- A statement of the purpose of the disclosure that “reasonably informs the individual of the basis for the disclosure”, or
- A copy of a written request for disclosure.
An accounting that includes only a notation that a disclosure is for treatment, payment or health care operations does not reasonably inform the individual of the basis of the disclosure. In our opinion, given the many types of disclosures that are allowed for treatment, payment, or health care operations, a generic notation that lacks the appropriate details is simply inadequate.
Allowable disclosures for payment activities, for example, may be as diverse as determining coverage, submitting insurance claims, billing, collections, or reports to a credit bureau. A notation that tells the individual only that the disclosure was for “payment,” would not reasonably inform the individual about the reason for the disclosure. In this situation, individuals should know, or at least be able to find out, whether their information has been disclosed to an insurance provider or a credit bureau.
In adopting rules that set the standard for accounting of treatment, payment, and health care operations disclosures, we urge OCR to:
- Require an accounting that includes as a minimum the elements now required by the HIPAA Privacy Rule.
- Give individuals the opportunity, if full disclosure is not required by OCR’s rules, to obtain addition information upon request.
We appreciate the opportunity to provide the above comments.
Beth Givens, Director
Privacy Rights Clearinghouse
3100 - 5th Ave., Suite B
Email: bethg ( at ) privacyrights.org
San Diego, CA 92103