Wednesday, June 1, 2011

Huge impact on the Security/Privacy Audit Log - unless you are organizationally fully ATNA compliant

There is a new Notice of Proposed Rulemaking (NPRM) out this week, formally published today. Robin Raiford (Allscripts) has inserted bookmarks into the NPRM text from the Register. It is available from google docs at:


I have not yet fully read it, but what I have seems to coincidence with what others are picking out as the important changes. I will be reviewing this and preparing comments. Until then, read:

Of concern is that this NPRM proposes to create a new report that the Patient can get that has all USES and DISCLOSURES that the EHR is involved in. First, the old rule gave the right to an ‘accounting of disclosures’ which had a huge list of exceptions, so much so that it really was rather useless. This new change removes these exceptions. It is not clear just how many exceptions will still exist, for example required government reporting, this use to be an exception under ‘normal operations’, but does beg the question of 'who' is reported for this one.

Also of concern is the use of the term ‘EHR’ which HHS/ONC expanded the definition late last year to basically include any medical record with interoperability. It is not clear what the boundaries of the new definition of EHR is. As Wes points out this could include all of the departmental IT, and possibly all the medical devices that feed those.

If the EHR, that is all systems involved in the new definition of EHR, were using the IHE ATNA profile fully; then this report would be a simple report from the Audit Record Repository. The ATNA Profile can inform an Accounting of Disclosures. This would mean that each access to data was fully described using IHE ATNA, something the standard does support. Including who, what, where, when, and WHY (purposeOfUse).  See also: Accountability using ATNA Audit Controls


The original Press Release: HHS announces proposed changes to the HIPAA Privacy Rule