Comment on FR Doc # 2011-13297

The HIPAA privacy laws are already very strict and provide patients with a high level of security. I acknowledge that NO system will ever be 100% secure and inadvertent disclosures will happen at some point or another for a small number of patients. The proposed rule for a disclosure report to be reported to patients of all access of their PHI goes beyond any security right that a patient has and becomes an unenforceable burden for providers. Internal users that are accessing PHI properly should not have to be reported, but technologically it would be impossible to glean inappropriate access from appropriate access. The choice would then be to disclose everything to the patient and place the provider at risk for challenges from the patient to appropriate user access of their PHI or not disclosing anything and be in violation of this proposed rule. Ensuring only appropriate users have access to PHI provides the highest level of reasonable security for patients while still allowing providers to operate. This proposed rule goes too far and could prove to be an absolute nightmare for providers and will potentially interfere with their ability to provide care. For example: This proposed rule would require a provider to provide a report of all access to their PHI as often as it is requested some patients with mental illnesses are very sensitive about their PHI. Some patients may request this information daily, if not more frequently, and the provider would be stuck with the burden of complying with the patient’s request. Again, I do support the current HIPAA privacy protections, but this additional proposed rule is unnecessary and inappropriate. I respectfully request HHS not pursue implementation of this proposed rule.