On May 31, 2011, the U.S. Department of Health and Human Services (“HHS”) published a proposed rule regarding the provisions of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) concerning accounting of disclosures of electronic protected health information (“PHI”). The proposed rule contains two main parts: (1) modifications to the existing accounting of disclosures requirements and (2) a new “access report” requirement.

Background:

HIPAA currently requires covered entities to make available to an individual an accounting of certain disclosures of the individual’s PHI. The accounting provided to the individual must contain certain information such as the date of the disclosure, the name (and address, if known) of the entity or person receiving the information, a description of the information disclosed, and a brief statement of the purpose of the disclosure.

Some disclosures, such as disclosures for treatment, payment, and health care operations, are exempt from this accounting requirement and do not have to be included in the accounting. However, Section 13405(c) of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) provides that the exemption for disclosures for treatment, payment, and health care operations does not apply to such disclosures that are made through an electronic health record. The HITECH Act goes on to state that the Secretary of HHS must promulgate regulations governing the information to be collected by covered entities about these electronic disclosures.

To implement the requirements of the HITECH Act, HHS proposes to divide the current accounting of disclosures requirement into two separate rights: (1) an individual’s right to an accounting of disclosures that are most likely to affect the individual and (2) an individual’s right to an access report that provides information on who has accessed electronic PHI in a designated record set.

Accounting of Disclosures:

Currently, HIPAA regulations provide that an individual has a right to an accounting of disclosures and then specifically identify those disclosures that are exempt from the accounting requirement. First, HHS proposes to modify the regulations to instead specifically identify the disclosures that are subject to the accounting requirement, and in doing so, HHS includes only those disclosures that it believes are most likely to be of interest to individuals. The proposed changes would therefore eliminate some disclosures from the accounting requirement (e.g., disclosures required by law and disclosures for research).

Second, HHS proposes to limit the scope of information subject to the accounting of disclosures requirements to the information contained in a designated record set. (Designated record sets generally include the medical and health care payment records and other records used by or for a covered entity to make decisions about individuals.) HHS notes that covered entities should already have documentation of which systems qualify as designated record sets. HHS also proposes to include a direct reference to business associates to make clear that the covered entity must include in the accounting all disclosures by the covered entity’s business associates that create, receive, maintain, or transmit designated record set information.

Finally, the proposed rule would reduce the period that must be covered by the accounting from six years to three years and notes that this change is due in part to HHS’s belief that individuals are usually interested in learning of more recent disclosures of their information. HHS also proposes, however, that covered entities must generally provide the accounting of disclosures within 30 days instead of 60 days.

Access Report:

The proposed rule also creates a right for an individual to receive an access report from covered entities that indicates who has accessed his or her electronic designated record set information. Unlike an accounting of disclosures, the proposed access report would include both uses and disclosures of information in an electronic designated record set, but would not include uses and disclosures of PHI maintained in paper records. HHS contemplates that this new requirement will impose a minimal burden on covered entities because systems with designated record set information should already be configured to record users’ access to information and covered entities should already be logging and tracking access to electronic PHI. Because the access report would be a new requirement, HHS proposes that covered entities be required to revise their notice of privacy practices to include information regarding an individual’s right to receive an access report.

HHS proposes that the new access report will include the date and time of access, the name of the person (if available) or entity accessing the information, a description of the information that was accessed (if available), and a description of the action by the user, if available (such as “access,” “create,” “delete,” or “modify”). HHS also proposes that covered entities include uses and disclosures by business associates in the access report.

HHS proposes that an individual would have the option to limit his or her access report to a specific date, time period, or person. HHS additionally recommends, but does not require, that covered entities offer an individual the option of limiting an access report to specific organizations.

Similar to the accounting of disclosures, HHS proposes that covered entities must provide an access report within 30 days. Covered entities would have to provide the access report in a format that an individual can reasonably understand without any external aids.

Conclusion:

While the proposed changes to HIPAA’s accounting of disclosures requirement may not increase the burden on covered entities regarding such accountings, the proposed access report requirement would add a new burden. Covered entities would be responsible for keeping track of which business associates have designated record set information; obtaining such information from business associates and incorporating it into the access report; and aggregating into a single access report all of the electronic designated record set information that covered entities may have in a number of distinct systems that maintain separate access logs. Comments regarding HHS’s proposed rule may be submitted until August 1, 2011.