In a Notice of Proposed Rulemaking (NPRM) issued May 31, 2011, the U.S. Department of Health & Human Services Office for Civil Rights moved to simplify the HIPAA Privacy Rule's requirements that covered entities provide individuals with accountings of disclosures of their protected health information (PHI). This easing of the accounting of disclosures requirements would be combined, however, with a new requirement that covered entities provide individuals, on request, with so-called "access reports" concerning their PHI. Comments to the NPRM are due August 1, 2011.
The current Privacy Rule requires a covered entity to provide, upon an individual's request, an accounting of certain disclosures of that individual's PHI during the six years that precede the request. An accounting need not describe disclosures for treatment, payment or health care operations purposes. The HITECH Act expands this requirement by providing that disclosures through an electronic health record to carry out treatment, payment and health care operations must be included in the accounting, and provides also that covered entities must either include disclosures by their business associates in these accountings or provide contact information so the individual could request an accounting of disclosures from each business associate directly.
The Proposed Rule represents HHS's attempt to help covered entities and business associates manage the HITECH Act's expansion of the accounting of disclosures requirement by narrowing the requirement in a number of respects. First, under the Proposed Rule, an accounting would be required only for disclosures of protected health information in a designated record set. Next, the period of time covered by the accounting would be shortened from six years to three. In addition, the scope of the required accounting would be limited to an enumerated list of disclosures, and many disclosures would be exempt from the accounting requirement. Business associates would be directly subject to these requirements as well.
This narrowing of the accounting of disclosures requirement, however, would be tied to a new requirement that covered entities and business associates provide, upon an individual's request, an access report identifying all those who accessed the individual's electronic PHI in a designated record set during the previous three years. The access report would thus address not only access to an individual's PHI incident to disclosing that PHI to another party, but also access in the course of a covered entity's or business associate's use of that information.
Accounting of Disclosures
Under the Proposed Rule, an individual may request a written accounting of certain disclosures of the individual's PHI in a designated record set made by a covered entity or its business associates during the previous three years. While the current Privacy Rule and HITECH together require accounting for disclosures generally, subject to specified exceptions, the Proposed Rule would require accounting for only those disclosures specifically enumerated in the Rule: (a) impermissible disclosures (i.e., disclosures not covered by an authorization or an exception to the authorization requirement), unless the individual has received notice of the impermissible disclosure under the Breach Notification Rule; (b) disclosures for public health activities, except reports of child abuse or neglect and other reports that are required by law; (c) disclosures for judicial and administrative proceedings; (d) disclosures for law enforcement purposes; (e) disclosures to avert serious threats to health or safety; (f) disclosures for military and veterans activities, for Department of State medical suitability determinations, and to government programs providing public benefits; and (g) disclosures for workers' compensation purposes. Other types of disclosures would not need to be covered by an accounting. The NPRM describes the relatively long list of the types of disclosures that would not be covered by the accounting requirement, and notes that some of these may be of interest and concern to individuals. The NPRM requests comment regarding these proposals.
Under the Proposed Rule, the accounting must include for each covered disclosure: (a) the date or, if not known, the approximate date or period of time of the disclosure; (b) the name of entity or natural person who received the information and, if known, the address of the entity or person; (c) a brief description of the type of information disclosed; and (d) a brief description of the purpose of the disclosure. The Proposed Rule would require that the covered entity or business associate provide the accounting in the form (e.g., paper or electronic) and format (e.g., compatibility with a specific software application) requested by the individual, if it is readily producible in the format the individual requests. This requirement could add significant costs of compliance, because the covered entity or business associate could be required to make a specific determination as to whether each individual's request is "readily producible," rather than allowing the covered entity or business associate to develop a reasonable form and format, or a reasonable selection of forms and formats, that it could apply to all individuals and requests.
In addition, the Proposed Rule addresses: (a) the individual's right to limit the scope of the accounting; (b) a requirement that the accounting be provided within 30 days following the request (with extensions in what HHS describes as "rare circumstances"); (c) the ability to charge a reasonable and cost-based fee for the accounting, if the individual requests more than one accounting during any 12-month period; (d) the format of the accounting; and (e) documentation of the accounting.
The Proposed Rule would give individuals a new right, one that HHS describes as "distinct but complementary" to the right to accountings of disclosures, to an access report that identifies who has accessed the individual's electronic PHI in a designated record set (including but not limited to an electronic health record) maintained by a covered entity or its business associate during the past three years. By addressing access to PHI and not only disclosures, the access report requirement would require covered entities to report to individuals not only concerning disclosures of their PHI, but also concerning the covered entities' and business associates' own accessing of PHI in the course of using that PHI.
An access report would contain the following information: (a) the date of access; (b) the time of access; (c) the name of the natural person who accessed the information, if available, and otherwise the name of the entity that accessed the information; (d) a description of what information was accessed, if available; and (e) a description of action by the user, if available. The access report would need to include every instance any user accessed the individual's PHI in an electronic designated record set, regardless of whether the user is a third party or an employee of the entity and regardless of the purpose for which the user accessed the PHI. The access report would be required within 30 days following the individual's request, with limited potential for extensions of time.
There are additional rules regarding: (i) the individual's right to limit the scope of the report; (ii) the time limit for the entity to provide the report; (iii) allocation of the cost of the report; (iv) the format of the report; and (v) documentation of the report.
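The report described above is, in practice, a filtered view of an audit log. The following Python is an added example written for this summary; it is not code from the NPRM, HHS, or any covered entity. It assumes a hypothetical audit-log record format (fields `ts`, `patient_id`, `user_name`, `entity`, `record`, `action`), uses constructed sample entries, and produces the five elements the Proposed Rule lists (date, time, natural person or else entity, information accessed if available, action if available). It applies the three-year lookback from the request date, honours an optional scope limit set by the individual (date range or record types), and computes the 30-day response deadline. Extension of that deadline and fee handling are not modelled.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample audit-log entries (invented for this example; timestamps are ISO 8601 UTC).
# Two entries deliberately omit the natural person's name or the record/action, to exercise
# the "if available" fallbacks in the Proposed Rule's list of access-report elements.
SAMPLE_AUDIT_LOG = [
    {"ts": "2011-03-14T09:12:00Z", "patient_id": "P-1001", "user_name": "Jane Doe",
     "entity": "Example Clinic", "record": "lab results", "action": "view"},
    {"ts": "2011-03-14T09:15:30Z", "patient_id": "P-1001", "user_name": None,
     "entity": "Example Billing Service (business associate)", "record": "claims", "action": "export"},
    {"ts": "2010-11-02T16:40:00Z", "patient_id": "P-1001", "user_name": "Sam Lee",
     "entity": "Example Clinic", "record": None, "action": None},
    {"ts": "2007-06-01T08:00:00Z", "patient_id": "P-1001", "user_name": "Pat Roe",
     "entity": "Example Clinic", "record": "medications", "action": "view"},  # outside the 3-year window
    {"ts": "2011-04-01T10:00:00Z", "patient_id": "P-2002", "user_name": "Jane Doe",
     "entity": "Example Clinic", "record": "lab results", "action": "view"},  # a different individual
]

NOT_AVAILABLE = "not available"


def _parse_ts(ts):
    """Parse the hypothetical log's UTC timestamp into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lookback_start(requested_on, years=3):
    """Start of the reporting window: `years` before the request date.
    A request dated Feb 29 steps back to Feb 28 when the earlier year is not a leap year."""
    try:
        return requested_on.replace(year=requested_on.year - years)
    except ValueError:
        return requested_on.replace(year=requested_on.year - years, day=28)


def response_due_date(requested_on, days=30):
    """Date by which the report must be provided (30 days after the request, absent an extension)."""
    return requested_on + timedelta(days=days)


def build_access_report(audit_log, patient_id, requested_on, years=3,
                        record_types=None, since=None, until=None):
    """Return access-report rows for one individual's electronic designated-record-set PHI.

    Every access within the window is included regardless of who accessed it (workforce member,
    business associate, third party) or why. `record_types`, `since` and `until` implement the
    individual's right to narrow the scope; they can only shrink the default window, never widen it.
    """
    start = lookback_start(requested_on, years)
    if since is not None and since > start:
        start = since
    end = requested_on if until is None else min(until, requested_on)

    rows = []
    for entry in audit_log:
        if entry["patient_id"] != patient_id:
            continue
        when = _parse_ts(entry["ts"])
        if not (start <= when <= end):
            continue
        if record_types is not None and entry.get("record") not in record_types:
            continue
        rows.append({
            "date": when.strftime("%Y-%m-%d"),                       # (a) date of access
            "time": when.strftime("%H:%M:%S UTC"),                   # (b) time of access
            "accessed_by": entry.get("user_name") or entry["entity"],  # (c) person, else entity
            "information": entry.get("record") or NOT_AVAILABLE,     # (d) what was accessed, if available
            "action": entry.get("action") or NOT_AVAILABLE,          # (e) action taken, if available
        })
    # Fixed-width date/time strings sort chronologically as text.
    rows.sort(key=lambda r: (r["date"], r["time"]))
    return rows


if __name__ == "__main__":
    request_date = datetime(2011, 6, 15, tzinfo=timezone.utc)
    for row in build_access_report(SAMPLE_AUDIT_LOG, "P-1001", request_date):
        print(row)
    print("response due by", response_due_date(request_date).date())
```

Because the rule reaches every access rather than only disclosures, the log this reads from has to capture workforce members' routine reads and not just outbound transfers; a system that only records exports cannot produce the report at all.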
Comparison of the Requirements
Notice of Privacy Practices
The Proposed Rule would require that covered entities update and distribute their notices of privacy practices to reflect the changed rules, particularly to describe the individuals' rights to request and receive access reports.
The Proposed Rule would require compliance with the revised requirements for accountings of disclosures within 180 days after the final rule's effective date, i.e., 240 days following the final rule's publication date. HHS has acknowledged that certain older electronic systems may not readily support compliance with access report requirements. The NPRM proposes that those covered entities and business associates with systems acquired after January 1, 2009, would be required to comply with the access report rules beginning January 1, 2013. Those with systems acquired on or prior to January 1, 2009, would be required to comply beginning January 1, 2014.