Is someone snooping your health records? New rule will tell you who

Federal Register

An example of an access report record from the proposed rule.

Ever wonder if someone at the doctor’s office or hospital has been snooping through your health care records? A new federal health care rule could tell you.

Health care patients will have a broad new tool to keep their personal information under wraps if a proposed Department of Health and Human Services rule is adopted.  The update to federal health care privacy laws proposed on Tuesday by the Department of Health and Human Services would give patients the right to see the name of any person who accessed their electronic health records, and what he or she did with them. The so-called "access report" would be available from some health care providers as soon as Jan. 1, 2013.  It would function much like a free credit report -- consumers would have the right to ask for one such report for free every year.


The change comes as scrutiny over hackers and data leaks is at an all-time high, following high-profile electronic attacks on Lockheed Martin, Sony and the security firm RSA.

Protection of health care information is seen as particularly critical, but efforts to keep it safe have often fallen short. In the past two years, health care providers have leaked personal information belonging to nearly 8 million patients; many of the leaks are listed on this government Web site.

Earlier this year, Massachusetts General Hospital was fined $1 million for a serious data leak. Meanwhile, the inspector general for the Department of Health and Human Services issued a report this month detailing dozens of security vulnerabilities at large hospitals around the country.

The proposed new "access report" right stems from a provision included in the 2009 stimulus package passed by Congress in an attempt to jump-start the economy. That legislation included $30 billion to encourage development of electronic health care records, a provision called the Health Information Technology for Economic and Clinical Health (HITECH). To alleviate concerns about the security of online health records, Congress instructed the Health and Human Services Office of Civil Rights (OCR) to beef up consumer disclosure rights included in the Health Information Portability and Accountability Act (HIPAA).

Access report requests would apply to electronic records only; paper records would be excluded.

“This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information,” OCR Director Georgina Verdugo said in a statement. “We need to protect people’s rights so that they know how their health information has been used or disclosed.”

It's unclear how industry groups will react to the change. A spokeswoman for the American Hospitals Association said the organization did not have a comment "since we are still in the process of reviewing the changes."

In the proposed rule, however, the Health and Human Services Department said most providers opposed the change, saying it would be costly to implement and provide little consumer benefit.

Tena Friery, a HIPAA expert with the Privacy Rights Clearinghouse advocacy organization, disagreed. She said the potential to identify a specific person who accessed a health record would be a tremendous deterrent to would-be snoops. 

"It's a good thing because there have been a lot of problems with access to health care records. … That kind of thing really has to stop," Friery said. "Anything that sheds light on these practices is going to make hospitals more aware and make them take security more seriously than they have so far."

The law might be particularly welcomed by celebrities trying to keep their hospital visits out of the news. It could also be warmly received by those trying hard to persuade skeptical health consumers that electronic health records are safe.

"Electronic records are much more vulnerable to widespread access than paper locked in a cabinet," Friery said. "There needs to be confidence in the system for it to work." Giving consumers the right to know precisely who accessed their personal information could help win them over, she said.

The rule won't help in that regard, however, if consumers don't know about it -- and there's obvious precedent for that. HIPAA's privacy and security rules already grant consumers a more narrow "accounting of disclosures," which essentially gives them the right to know when their information is shared with third parties.  The trouble is, virtually no one has exercised that right, according to health care providers who offered comments to the Department of Health and Human Services about the new rule.  About 90 providers said they had received fewer than 20 requests since the initial HIPAA "Privacy Rule" took effect in 2003, and another 30 told the agency they'd never received a request. (The accounting of disclosures right will remain in place with minor adjustments.)

Still, the existence of a process for getting a detailed access report is fundamental to preserving patient rights -- and Friery said it might inspire similar changes in other privacy-related industries.

"Credit reports are a good example of where things don't work well.  They are full of all kinds of vague statements about who accessed your information.  We really do need to know more," she said.

The Department of Health and Human Services will accept comments on the proposed rule through August 1, and then consider its permanent adoption.

The full text of the proposed rule can be read here.

Follow Bob Sullivan on Facebook by clicking here. 
