The Department of Health and Human Services (HHS) has published a Notice of Proposed Rulemaking (NPRM) about the accounting provisions of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. See 76 Fed. Reg. 31426 (May 31, 2011). Comments are due by August 1.
This proposed rule implements a statutory provision of the Health Information Technology for Economic and Clinical Health (HITECH) law. It dramatically alters the current HIPAA accounting rule, with substantially increased burdens for covered entities and business associates. For example, it requires a much broader set of disclosures to be tracked by covered entities and business associates. More significantly, it also creates—based on HHS’ general authority under HIPAA rather than the HITECH law—a new obligation for covered entities and business associates to track internal “access” to protected health information in a designated record set.
Over the next few weeks, companies in the health care industry—including all covered entities and their business associates—should evaluate these proposals carefully and should determine promptly whether they wish to comment on this proposed rule.