
ONC Tiger Team Takes a Bite Out of the Proposed Access Report Rule

By Jennifer Pike & Brad Rostolsky on January 28, 2014

The Privacy and Security Tiger Team (“Tiger Team”), a subcommittee of the Office of the National Coordinator for Health IT’s HIT Policy Committee, has recommended that the Office for Civil Rights of the U.S. Department of Health and Human Services (“OCR”) abandon its May 2011 proposed rule to require covered entities to provide patients with a list of workforce members who have accessed protected health information (“PHI”) contained in an electronic designated record set (“access reports”). The proposed rule was meant by OCR to implement a provision of the 2009 HITECH Act requiring HHS to expand the existing accounting of disclosures requirement to include disclosures of PHI for treatment, payment and health care operations through an electronic health record.

After months of study and a day-long hearing in September 2013, the Tiger Team concluded that the proposal, which was widely unpopular from its inception, is overbroad and lacks value. In a meeting held December 4, 2013, the Tiger Team stated that it “does not believe the proposed access report meets the requirements of HITECH to take into account the interests of the patient and administration burden on covered entities.”

The Tiger Team proposed an alternative for implementing the HITECH Act’s accounting of disclosure mandate, urging OCR “to pursue a more focused approach that prioritizes quality over quantity, where the scope of disclosures and related details to be reported to patients provide information that is useful to patients, without overwhelming them or placing undue burden on [covered entities].” The Team further recommended that OCR take a “step-wise” approach to implementing the HITECH Act, and focus on data disclosed outside of a covered entity or organized health care arrangement.

In the December 4 meeting, the Tiger Team also recommended that OCR add two new “addressable” standards to the HIPAA Security Rule related to audit controls:

  1. Audit controls must record PHI-access activities to the granularity of (i) the individual user (e.g., human) accessing PHI and (ii) the individual whose PHI is accessed.
  2. Information recorded by the audit controls must be sufficient to support the information system activity review required by section 164.308(a)(1)(ii)(D) and the investigation of potential inappropriate accesses of PHI.

How HHS will respond to the Tiger Team’s recommendations, and when a final rule will be released, remain to be seen.

  • Posted in:
    Health Care and Life Sciences
  • Blog:
    Life Sciences Legal Update
  • Organization:
    Reed Smith LLP
