My last blog post provided a preliminary overview of the Accounting of Disclosures Notice of Proposed Rulemaking (AD NPRM). I got a lot of questions as a result directly, in addition to the blog comments. When trying to understand regulations, and how to put them into practice within an organization, I’ve found it is best to break them down into bite-sized chunks, starting from the basics and building from there. Today I want to spend a little time looking at what makes up a “designated record set,” or DRS, since the access report requirement is specific to accesses to DRS’s…
What the heck is a DRS?
The HIPAA Privacy Rule defines a DRS as follows:
“Designated record set means:
(1) A group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals maintained by or for a covered health care provider;
(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
(2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.”
As stated within the AD NPRM:
“Designated record sets include the medical and health care payment records maintained by or for a covered entity (CE), and other records used by or for the covered entity to make decisions about individuals. BAs could have such records, and so will also need to know and understand what constitutes a DRS.”
Huh? Give Me Some Examples!
Okay; sure! Here are some really great examples, as provided by the North Carolina Healthcare Information and Communications Alliance, Inc. (NCHICA) within a very nice, free, document they provide on their site, “Guidance for Identifying Designated Record Sets under HIPAA Version 2” (Yes, I know this is from 2003, but they are still good and valid examples.)
“What type of information should be considered as Designated Record Sets?
a) Health information created and/or maintained by a health care provider. The following health information should be considered when specifying health care provider designated record sets:
i) Medical Records –
(1) Specify what constitutes the medical record in your organization (e.g., paper records stored in medical record folders maintained in Health Information Management Department; active medical records utilized by health care staff prior to client discharge).
(2) If your organization utilizes an electronic medical record for all or parts of the medical record, specify if the designated record set is the automated system or a copy produced from the automated system.
(3) Specify if copies of records from other health care providers will be included as part of the medical record designated record set. The following options should be considered.
(a) May want to specify they are part of the designated record set for access only.
(b) Individuals need to go to the source of the information to request amendments.
ii) Financial Records –
For the following, specify if the Designated Record Set is the automated system or a report produced by an automated system.
(1) Remittance advices and records of payments
(2) Patient Statements
(3) Claim Forms
(4) Claims Adjudication records
b) Health information created and/or maintained by a health plan including:
i) Eligibility information
ii) Enrollment records
iii) Record of claims submitted to or received by Health Plans
iv) Case or medical management records
c) Other records used by Health Plans and Health Care Providers to make decisions about individuals such as:
i) Raw test data from psychological tests
ii) Audiotapes (e.g., dictation tapes, taped sessions with patients/family that would not be considered psychotherapy notes)
iii) Psychotherapy notes (as defined)
iv) Videos/photographs of patients used for teaching purposes
v) Telemedicine
vi) Coding Worksheets
vii) Utilization Review Worksheets
viii) X-ray film
ix) Working notes summarized and dictated into the medical record
d) Health information specifically created and/or maintained by Business Associates when acting on behalf of your organization, as specified in a Business Associate Agreement.
i) For example, billing records maintained by a private billing service
ii) Do not include duplicative information that is also maintained by the health plan or health care provider
e) Health information in all types of media when such information is created and/or maintained for the purpose of making decisions about individuals
i) Paper
ii) Oral
iii) Video
iv) Electronic
v) Film
vi) Digital”
What does this have to do with the AD NPRM “Access Report”?
As stated within the AD NPRM:
“The right to an access report would provide information on who has accessed electronic protected health information in a designated record set (including access for purposes of treatment, payment, and health care operations), while the right to an accounting would provide additional information about the disclosure of designated record set information (whether hard-copy or electronic) to persons outside the covered entity and its business associates for certain purposes (e.g., law enforcement, judicial hearings, public health investigations). The intent of the access report is to allow individuals to learn if specific persons have accessed their electronic designated record set information (it will not provide information about the purposes of the person’s access).”
So, to put it simply, if the AD NPRM would become the AD Final Rule you would need to create an access report, specific to the individual making the request and according to any specific individuals or types of entities doing the accessing, that would show:
(a) the date of access to each of the individual’s applicable DRS’s
(b) the time of access;
(c) the name of the natural person doing the access, if available, otherwise the name of the entity accessing the electronic designated record set information;
(d) a description of what information was accessed, if available; and
(e) a description of the action by the user, if available (e.g., “create,” “modify,” “access,” or “delete”).
I’ll provide more on “Access Reports” in a separate blog post.
So, Now What?
Now go document your DRS’s that you’ll use to create your Access Reports. (NOTE: Even if the AD NPRM does not ultimately require these specific type of access reports you STILL need to have your DRS’s documented to be in compliance with the already long-standing HIPAA requirements.)
Again, be sure to note that the Access Report applies to accesses to *electronic* DRS’s. So, it will not need to include information about accesses to hard copy DRSs (this will be part of the “Accounting of Disclosures,” which is a much different type of data log, and something I’ll discuss in a separate blog post).
So, covered entities (CEs) *AND* business associates (BAs) need to…
- Identify and document all their electronic DRSs. Document the storage location as well as the data items within each, and the overall purpose of the DRS.
- Determine current logging that is already being created for the electronic DRSs. Most IT systems are set up to log a wide variety of access activities, many of which are also required under HIPAA under §§ 164.308(a)(1)(ii)(D) and 164.312(b) of the HIPAA Security Rule (another discussion for another blog post). So it is likely your systems are already logging access to DRSs in one way or another. Speak to your IT folks about this! Compliance folks and IT folks need to communicate, regularly, in order to effectively be in compliance with not only HIPAA/HITECH, but also any other legal requirement.
- Determine current reports that are already being generated with information about these DRS accesses. It is possible that such information may already be a subset of a larger report being used by IT for system maintenance activities, or as a result of internal audit requirements, or for some type of business unit activity report, or for some other reason. Don’t recreate the wheel if a wheel already exists.
- From here we will go next time (within another blog post) to the considerations for creating the Access Reports.
Tags: access report, accounting of disclosures, BA, business associates, CE, Compliance Helper, covered entities, designated record set, DRS, herold, HHS, HIPAA, HITECH, Information Security, NCHICA, notice of proposed rule making, NPRM, privacy, privacy rule, security, security rule