The upside of implementing electronic health records is easy to find—better continuity of care, potentially reduced risk for medical errors and even safeguards in the event of disaster—like the Joplin, Mo. hospital that incredibly switched to an EHR just three weeks before last month's tornado, safeguarding critical patient data.

On the other side of the ledger, alongside the usual fits and starts of the EHR adoption curve, is the plethora of new data that must be safeguarded to protect patients and comply with federal privacy statutes. All that electronic access to patient data, in other words, is also an opportunity for new potential security lapses.
A proposed rule from HHS, released Tuesday, takes aim at this evolving issue, granting patients the right to view exactly who is looking at their records and how they received access.

In all, two new rights would be added to the HIPAA privacy rule: "the right to an accounting of disclosures" of their records, along with a right to an access reports showing "electronic access by both workforce members and persons outside the covered entity." In other words, patients would have access to both information on the individuals who accessed their report and a road map detailing how the information traveled from providers to individual staff and outside entities, that, for one reason or another, received access to their records.

However, the vast majority of respondents to the new rule were pessimistic about how the changes would impact their institutions. HHS received 170 comments from providers, and the majority of commentators "indicated that providing an accounting of treatment, payment, and health care operations disclosures would provide little to no benefit to individuals (over 80 respondents), while incurring substantial administrative, staffing and monetary burdens (over 120 respondents)."

In turn, only a relative handful told HHS they thought audit trails and the right to accounting of disclosures would ultimately help identify weaknesses in privacy and security practices. HHS, for its part, stated Tuesday that "we believe that these changes to the accounting requirements will provide information of value to individuals while placing a reasonable burden on covered entities and business associates."

What's your take: Will more transparency about the use of patient data lead to better security downstream, or will the change simply create more red tape for hospitals with little benefit to the patient? Email your thoughts to, and they may be used in an upcoming column.