The Privacy and Security Tiger Team (“Tiger Team”), a subcommittee of the Office of the National Coordinator for Health IT’s HIT Policy Committee, has recommended that the Office for Civil Rights of U.S. Department of Health and Human Services (“OCR”) abandon its May 2011 proposed rule to require covered entities to provide patients with a list of workforce members who have accessed protected health information (“PHI”) contained in an electronic designated record set (“access reports”). The proposed rule was meant by OCR to implement a provision of the 2009 HITECH Act requiring HHS to expand the existing accounting of disclosures requirement to include disclosures of PHI for treatment, payment and health care operations through an electronic health record.

After months of study and a day-long hearing in September 2013, the Tiger Team concluded that the proposal, which was widely unpopular from its inception, is overbroad and lacks value. In a meeting held December 4, 2013, the Tiger Team stated that it “does not believe the proposed access report meets the requirements of HITECH to take into account the interests of the patient and administration burden on covered entities.”

The Tiger Team proposed an alternative for implementing the HITECH Act’s accounting of disclosure mandate, urging OCR “to pursue a more focused approach that prioritizes quality over quantity, where the scope of disclosures and related details to be reported to patients provide information that is useful to patients, without overwhelming them or placing undue burden on [covered entities].” The Team further recommended that OCR take a “step-wise” approach to implementing the HITECH Act, and focus on data disclosed outside of a covered entity or organized health care arrangement.

In the December 4 meeting, the Tiger Team also recommended that OCR add two new “addressable” standards to the HIPAA Security Rule related to audit controls:

  1. Audit controls must record PHI-access activities to the granularity of (i) the individual user (e.g., human) accessing PHI and (ii) the individual whose PHI is accessed.
  2. Information recorded by the audit controls must be sufficient to support the information system activity review required by section 164.308(a)(1)(ii)(D) and the investigation of potential inappropriate accesses of PHI.

How HHS will respond to the Tiger Team’s recommendations, and when a final rule will be released, remains to be seen.