Proposed HIPAA Privacy Disclosure Accounting

On May 30, 2011, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (“Proposed Rule”) modifying the disclosure accounting provisions of the Privacy Rule promulgated pursuant to the Health Insurance Portability and Accountability Act (HIPAA), in accordance with the Health Information Technology for Economic and Clinical Health Act (the HITECH Act). The Proposed Rule (1) provides patients with a right to an “accounting of disclosures” and (2) gives patients the right to obtain an “access report” for electronic health records.  

The Proposed Rule significantly broadens the scope of disclosure accounting, resulting in an increased burden for both covered entities and business associates. Comments on the Proposed Rule are due by August 1, 2011, and may be submitted at

Current Law

Under the HIPAA Privacy Rule, covered entities (healthcare providers, health plans, and healthcare clearinghouses) must make available to an individual, upon request, an accounting of certain disclosures of the individual’s protected health information (PHI) made during the six years prior to the request. An accounting must include all disclosures of PHI, except for certain specifically excluded disclosures, including disclosures to carry out treatment, payment and healthcare operations. The accounting requirement applies to disclosures of paper and electronic PHI maintained by a covered entity. Further, the accounting must be made by a covered entity not only for the covered entity’s own disclosures, but also for a business associate’s disclosures.

The Privacy Rule mandates that the disclosure log contain the following information about each disclosure: 1) date of disclosure; 2) name and address of the person who received the PHI; 3) description of the information disclosed; and 4) purpose of the disclosure.

Expansion of Accounting Required by the HITECH Act

Although the Privacy Rule exempted disclosures for treatment, payment or healthcare operations from the accounting requirements, the HITECH Act modified the disclosure accounting rules, imposing an obligation upon covered entities to account for treatment, payment or healthcare operations disclosures where the disclosures are made “through an electronic health record” (EHR) during the three years prior to the request. The covered entity must also provide to individuals an accounting of such disclosures made by its business associates or a list and contact information of all business associates.

Accounting of Disclosure Requirements under the Proposed Rule

In order to implement the HITECH statutory requirements, the Proposed Rule revises the HIPAA Privacy Rule by adding a section addressing an individual’s right to an accounting of disclosures. The right to an accounting of disclosures still encompasses disclosures of both hard copy and electronic PHI; however, it is limited to health information in a designated record set. A designated record set includes the medical, case management, billing, payment and other records used by an entity to make decisions about an individual. Further, an accounting of disclosures would only need to be provided for a three-year period, rather than the six-year period currently prescribed by the Privacy Rule.

Additionally in the Proposed Rule, instead of listing specifically exempted disclosures, HHS makes an explicit statement of the categories of information that must be included in the accounting:  

  • disclosures not permitted by the HIPAA Privacy Rule (unless the individual has already received notice of the improper disclosure);  
  • disclosures for public health activities (except disclosures to report child abuse or neglect);  
  • disclosures for judicial and administrative proceedings;  
  • disclosures for law enforcement purposes;  
  • disclosures to avert a serious threat to health or safety;  
  • disclosures for military and veterans activities, the Department of State’s medical suitability determinations, and government programs providing public benefits; and  
  • disclosures for workers compensation.  

For example, PHI disclosed in response to subpoenas or court orders must be logged. For some healthcare providers, disclosures related to workers compensation may be common, and should be logged. In the event of an audit, HHS may request such logs, and covered entities that fail to maintain proper logs may be subject to fines.  

Additionally, the Proposed Rule makes changes to the type of information that must be available in the disclosure log. If the date of disclosure is unknown, the Proposed Rule only requires the covered entity or business associate to provide an approximate date or period of time for each disclosure. Also, the name of the entity or person receiving the PHI does not need to be included in the accounting where the name would itself represent a disclosure of PHI about another individual (for example, if a physician’s office accidentally sends an appointment reminder to the wrong patient). Finally, HHS proposes to require covered entities to give individuals the option to limit the accounting request to that which is of interest to the individual, such as limiting the request to a particular time period, type of disclosure or recipient.  
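The following Python sketch is an added illustration, not code from the article or from HHS, of how a disclosure log could be kept and queried to produce the accounting described in the preceding sections: only the listed categories are included, improper disclosures already reported to the individual are skipped, entries with an unknown date carry an approximate period, a recipient name is withheld where it would disclose another individual's PHI, and the individual can narrow the request by period, type or recipient. The category labels, field names, the three-year window calculation and the sample log entries are all constructed assumptions for the example.

```python
# Added illustration (not from the article or HHS): a minimal disclosure log and the
# accounting an individual could request under the Proposed Rule as summarised above.
# Category labels, field names and the sample entries are constructed for this example.
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The seven categories the Proposed Rule says must be included (our own short labels)
ACCOUNTABLE_TYPES = {
    "not_permitted", "public_health", "judicial", "law_enforcement",
    "avert_threat", "government", "workers_comp",
}

@dataclass
class Disclosure:
    patient_id: str
    disclosure_type: str
    recipient: str
    description: str
    purpose: str
    disclosed_on: Optional[date] = None   # exact date, when known
    approx_period: Optional[str] = None   # approximate date/period when the exact date is unknown
    recipient_is_patient: bool = False    # naming the recipient would itself disclose another individual's PHI
    individual_notified: bool = False     # improper disclosure already reported to the individual

def three_years_before(d: date) -> date:
    """Start of the three-year accounting window ending on d."""
    try:
        return d.replace(year=d.year - 3)
    except ValueError:          # 29 February in a non-leap target year
        return d.replace(year=d.year - 3, day=28)

def accounting_of_disclosures(log, patient_id, as_of, period=None,
                              disclosure_type=None, recipient=None):
    """Build the accounting for one individual; the optional filters implement the
    individual's option to narrow the request by time period, type or recipient."""
    cutoff = three_years_before(as_of)
    rows = []
    for d in log:
        if d.patient_id != patient_id or d.disclosure_type not in ACCOUNTABLE_TYPES:
            continue                        # treatment/payment/operations etc. are not in the listed categories
        if d.disclosure_type == "not_permitted" and d.individual_notified:
            continue                        # individual already has notice of the improper disclosure
        if d.disclosed_on is not None:
            if not (cutoff <= d.disclosed_on <= as_of):
                continue                    # outside the three-year window
            if period is not None and not (period[0] <= d.disclosed_on <= period[1]):
                continue
        # undated entries are kept: an approximate period is all that can be reported
        if disclosure_type is not None and d.disclosure_type != disclosure_type:
            continue
        if recipient is not None and d.recipient != recipient:
            continue
        name = ("[withheld: would disclose another individual's PHI]"
                if d.recipient_is_patient else d.recipient)
        rows.append({
            "date": d.disclosed_on.isoformat() if d.disclosed_on else f"approx. {d.approx_period}",
            "recipient": name,
            "description": d.description,
            "purpose": d.purpose,
        })
    return rows

# Constructed sample log and request date
SAMPLE_LOG = [
    Disclosure("P-001", "judicial", "County Court", "2010 visit notes", "subpoena", date(2011, 3, 2)),
    Disclosure("P-001", "workers_comp", "State Workers' Compensation Board", "injury report",
               "workers' compensation claim", None, "Q4 2010"),
    Disclosure("P-001", "treatment", "Referral clinic", "referral letter", "treatment", date(2011, 1, 5)),
    Disclosure("P-001", "judicial", "County Court", "2006 visit notes", "subpoena", date(2007, 1, 10)),
    Disclosure("P-001", "not_permitted", "P-002", "appointment reminder", "misdirected mail",
               date(2011, 5, 1), recipient_is_patient=True),
    Disclosure("P-001", "not_permitted", "Wrong fax number", "lab result", "misdirected fax",
               date(2011, 4, 1), individual_notified=True),
    Disclosure("P-002", "law_enforcement", "City Police", "admission record", "warrant", date(2011, 2, 1)),
]
AS_OF = date(2011, 6, 1)

if __name__ == "__main__":
    for row in accounting_of_disclosures(SAMPLE_LOG, "P-001", AS_OF):
        print(row)
```

Run as a script, the sample produces three rows for patient P-001: the 2011 subpoena, the undated workers' compensation disclosure shown as "approx. Q4 2010", and the misdirected reminder with the recipient withheld; the treatment referral, the 2007 subpoena and the already-notified fax are left out.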

Access Reports Required by Proposed Rule

The Proposed Rule would give patients a right to an access report for PHI that is maintained in an electronic designated record set. The access report would provide (1) the date and time of the access; (2) the name of the person, if available, or otherwise the name of the entity that accessed the electronic designated record set information; (3) a description of the information that was accessed, if available; and (4) a description of the action by the user, if available (e.g., create, modify, delete).

A covered entity would have 30 days to provide an access report, although this period may be extended if necessary. Additionally, the covered entity may not charge an individual for providing the first access report in a 12-month period, but may charge a fee for subsequent access report requests during that same 12-month period, provided that the individual is furnished with notice of the costs. Although the HIPAA Security Rule already requires audit tracking through some sort of information technology system, covered entities and business associates need to ensure that such systems are in place in order to provide the access reports.  
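As an added illustration (not code from the article or HHS), the block below turns audit-trail events from an electronic designated record set into the four-field access report described above, falling back to the entity name when no individual user is recorded and marking the information and action fields as unavailable when the system did not capture them. It also models the 30-day response period and the rule that only the first report in a 12-month period is free, with later ones chargeable only after notice of the cost. The event fields, the treatment of a 12-month period as the trailing 365 days, the fee amount and the sample events are constructed assumptions.

```python
# Added illustration (not from the article or HHS): turning audit-trail events from an
# electronic designated record set into the four-field access report described above.
# Field names, the fee/notice logic and the sample events are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class AccessEvent:
    patient_id: str
    at: datetime
    entity: str                      # organisation whose system or account performed the access
    user_name: Optional[str] = None  # individual user, if the system records one
    info: Optional[str] = None       # description of the information accessed, if available
    action: Optional[str] = None     # create / modify / delete, if available

def access_report(events, patient_id, period=None):
    """Rows: date/time; person (or entity when no person is recorded); information; action."""
    rows = []
    for e in sorted(events, key=lambda ev: ev.at):
        if e.patient_id != patient_id:
            continue
        if period is not None and not (period[0] <= e.at <= period[1]):
            continue                     # individual may limit the report to a time period
        rows.append({
            "date_time": e.at.isoformat(sep=" "),
            "accessed_by": e.user_name or e.entity,
            "information": e.info or "not available",
            "action": e.action or "not available",
        })
    return rows

def response_deadline(request_date):
    """Covered entity has 30 days to respond (the possible extension is not modelled)."""
    return request_date + timedelta(days=30)

def report_fee(prior_requests, request_date, fee, notice_given):
    """First report in a 12-month period is free; later ones may be charged only if the
    individual was given notice of the cost. A 12-month period is approximated here
    as the trailing 365 days (assumption)."""
    window_start = request_date - timedelta(days=365)
    earlier = [d for d in prior_requests if window_start < d <= request_date]
    if not earlier or not notice_given:
        return 0
    return fee

# Constructed sample events and request dates
SAMPLE_EVENTS = [
    AccessEvent("P-001", datetime(2011, 5, 3, 9, 15), "General Hospital", "nurse.jdoe", "vitals", "modify"),
    AccessEvent("P-001", datetime(2011, 5, 2, 8, 0), "Claims Processor LLC"),   # batch job: no user, no detail
    AccessEvent("P-002", datetime(2011, 5, 2, 8, 1), "General Hospital", "dr.smith", "notes", "create"),
    AccessEvent("P-001", datetime(2011, 5, 4, 17, 45), "General Hospital", "dr.smith", "lab results", "delete"),
]
REQUEST_DATE = datetime(2011, 6, 1)
PRIOR_RECENT = datetime(2011, 2, 1)     # earlier request inside the trailing 12 months
PRIOR_OLD = datetime(2010, 1, 15)       # earlier request outside it

if __name__ == "__main__":
    for row in access_report(SAMPLE_EVENTS, "P-001"):
        print(row)
    print("respond by", response_deadline(REQUEST_DATE).date())
    print("fee:", report_fee([PRIOR_RECENT], REQUEST_DATE, 25, notice_given=True))
```

The batch-job event shows why the "if available" wording matters in practice: an audit trail that records only a service account still has to appear in the report, attributed to the entity, with the unavailable fields stated as such rather than silently dropped.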

HHS proposes that these access report requirements would apply as early as January 1, 2013 for any electronic designated record set system acquired after January 1, 2009. For systems acquired before January 1, 2009, covered entities and business associates must provide access rights to individuals as of January 1, 2014.

What Covered Entities Should Do

  • Although covered entities and business associates should already have accounting procedures in place, some covered entities have failed to implement these procedures because the events required to be logged occurred infrequently or the duty to log (such as workers’ compensation disclosures) was not understood. This is the time for covered entities to review log procedures to ensure that they have proper processes for accounting for disclosures.  
  • Covered entities should review their electronic logging processes with their IT staff and identify their EHRs and designated record sets for purposes of compliance with the new rules.  
  • Covered entities should identify what EHRs and designated record sets are held by business associates. For example, a self-insured healthcare plan may have no designated record sets other than perhaps PHI in enrollment data sent to the plan’s third party provider, who in turn may have extensive designated record sets of medical claims information on health plan participants.  
  • Covered entities should review accounting processes with their business associates to assure that proper accounting of disclosures occurs.  

What Business Associates Should Do

  • Business associates should also confirm that proper disclosure accounting procedures are in place and identify designated record sets and EHRs.  
  • Business associates, such as accountants, lawyers, consultants and others performing business services for covered entities, may find they have few if any designated record sets or EHRs.  

Unresolved Issues under the Proposed Regulations

  • The proposed regulations require covered entities and business associates to have sophisticated systems in place to track access and disclosures in electronic designated record sets. This will be costly and administratively burdensome for those covered entities that have not yet adopted such technology.  
  • Under the proposed regulations, it is critical to determine whether PHI is disclosed through an electronic designated record set. This determination may be difficult in certain cases.  
  • Although the HITECH Act required HHS to consider the administrative burden imposed by its regulations upon covered entities, the proposed regulations largely disregard the operational impact of the new requirements.  

The proposed effective date for these new requirements is 180 days after the effective date of the final regulation.