Patients have a right to privacy, security and confidentiality of health information but healthcare providers should be cautious of disclosure reports that exceed the statutory language of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
That is the view of American Health Information Management Association (AHIMA) CEO Lynne Thomas Gordon.
She was speaking at a recent virtual hearing on accounting for disclosures before the Office of the National Coordinator’s (ONC) Health Information Technology Policy Committee (HITPC) Tiger Team. Under the auspices of the Health IT Policy Committee, the Tiger Team focuses on a range of privacy and security issues. The Tiger Team also invited members of Health IT Standards Committee Privacy and Security Workgroup and the National Committee on Vital and Health Statistic’s Subcommittee on Privacy, Confidentiality and Security.
“AHIMA and its members are protectors and stewards of a patient’s health information, and we are strong advocates for their timely and appropriate access to their data,” Thomas Gordon said.
“And while we will always support the right of a patient to ask questions and seek an investigation regarding who has access to their protected health information, it is critical that the investigation must consider the nature of the alleged disclosure, the potential burden of conducting the investigation and the safety of any involved healthcare workforce.”
Thomas Gordon said access reports that exceed language in the HITECH Act would likely be expensive to develop, implement and maintain; would require covered entities (CE) and business associates (BA) to make major information technology and systems modifications and workflow and process changes that will increase the administrative burdens and costs, all for likely a small number of requests; and would present significant technological and work flow challenges to efficiently capture reliable detailed information on every internal exchange of data.
“We believe that it is much more feasible to respond to access requests on an as-needed basis and when there is reasonable indication that inappropriate access occurred,” said Thomas Gordon, who noted that accounting of disclosures and/or access reports should be provided in person so the requesting individual can receive a full explanation.
AHIMA members consistently report that when patients seek answers as to who accessed their health information, they often have a specific individual in mind.
“Identifying specific workforce members in an access report would unnecessarily jeopardize the safety of those persons if the requesting party chose to confront the named workforce member,” Thomas Gordon said.
HITECH, privacy, security, disclosure