On May 27, 2011, the US Department of Health and Human Services (HHS) announced proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. These changes are designed to implement the statutory amendments to HIPAA made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, and to change existing accounting requirements under HIPAA to improve their workability and effectiveness. The Notice of Proposed Rulemaking (NPRM) that contains the proposed changes was published in the Federal Register on May 31, 2011, and comments must be submitted to HHS on or before August 1, 2011.

Major changes to the HIPAA Privacy Rule proposed by HHS in the NPRM are summarized below. Covered entities and business associates will be required to comply with the revised accounting of disclosures provision by no later than 180 days after the effective date of the final rule (240 days after publication in the Federal Register). Covered entities and business associates will be required to comply with the new requirement to provide individuals with the right to an access report beginning January 1, 2013 for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014 for electronic designated record set systems acquired on or before January 1, 2009.

Modification of Individuals’ Rights to Accounting of Disclosures

Scope of Accounting of Disclosures Limited to "Designated Record Sets"

The HIPAA Privacy Rule establishes a standard for accounting of disclosures of protected health information (PHI). Under the current Privacy Rule, individuals are entitled to an accounting of disclosures of PHI in paper or electronic format whether or not the information is in a designated record set. In the NPRM, HHS proposes to limit an individual’s right to an accounting of disclosures to only PHI that is located in a "designated record set," i.e., medical, enrollment, payment, billing or claims adjustment records maintained by or for a covered entity, and any other records used by or for the covered entity to make decisions about individuals. A designated record set does not encompass records such as hospital peer review files used to improve hospital care or transcripts of customer calls used to review customer service. Individuals would still be entitled to an accounting of disclosures of PHI in hard copy or electronic format, as long as it is maintained in a designated record set.

This limitation to a designated record set would also apply to information held by business associates. Covered entities are required to include accounting information for all disclosures by their business associates that create, receive, maintain or transmit designated record set information. Thus, a covered entity would be required to account for its business associates’ disclosure of information contained within a designated record set, but not the disclosure of information that falls outside of a designated record set.

Time Period for Accounting of Disclosures Reduced to Three Years

Under the current Privacy Rule, covered entities and business associates must account for disclosures of PHI for a six-year period prior to an individual’s request. The HITECH Act grants an individual the right to receive an accounting of disclosures for the purposes of treatment, payment and health care operations through an electronic health record (EHR) for the three-year period prior to a request. To maintain a consistent accounting time period for all types of disclosures, the NPRM proposes revising the Privacy Rule to require covered entities and business associates to account for disclosures over a three-year period prior to the request. If the covered entity was subject to the Privacy Rule for less than three years at the time of a request, then it need only account for the period of time during which it was subject to the Privacy Rule.

HHS also proposes that covered entities be required to provide individuals with the option of limiting a request for accounting to a particular time period, type of disclosure or recipient, rather than a full accounting covering the entire three-year period. Narrowing the scope of the report in this manner may significantly reduce costs for the covered entity and provide more relevant information for individuals. Covered entities would also be permitted to offer other options to individuals for limiting their accounting requests, for example, individuals may request only those disclosures made by a particular business associate of the covered entity.

Types of Disclosures Subject to Accounting Requirement Explicitly Listed

The NPRM proposes modifying the structure of the Privacy Rule to explicitly list the types of disclosures that are subject to the accounting requirement, rather than the exceptions to the requirement. The listed types of disclosures are those for which HHS predicts that individuals will have a significant legal or personal interest.

Covered entities will continue to be required to account for disclosures that are impermissible under the Privacy Rule, but accounting is optional as to disclosures for which a covered entity has already provided breach notification either directly or through a business associate as required by the Breach Notification Rule. Except for disclosures involving reports of child abuse or neglect to an appropriate government authority, disclosures for the purpose of public health activities will continue to be subject to the accounting requirement. HHS proposes to continue to require that covered entities account for disclosures for judicial and administrative proceedings, law enforcement, and to avert a serious threat to health or safety. The NPRM also maintains the requirement that covered entities account for disclosures for military and veterans activities, the Department of State’s medical suitability determinations, government programs providing public benefits and workers’ compensation.

New Additional Exemptions From Accounting Disclosure Requirements

In the NPRM, HHS proposes additional exclusions from the accounting requirement in a number of different categories.

  • Most disclosures required by law would not be subject to the accounting requirement, because typically individuals already have notice of such disclosures, and such disclosures are often population-based rather than related to a specific individual. Covered entities and business associates must account for disclosures to authorities made at their discretion and for disclosures for judicial and administrative proceedings and law enforcement purposes, even where required by law, however, because this type of disclosure directly implicates an individual’s legal and personal interests.
  • Disclosures related to reports of adult abuse, neglect or domestic violence under 45 C.F.R. § 164.512(c) would not be subject to the accounting requirement because of concerns about endangering a covered entity and its employees for making such a report. In most situations involving abuse, however, the individual will already be affirmatively notified of disclosures by the covered entity as required by the Privacy Rule.
  • Disclosures for research purposes under 45 C.F.R. § 164.512(i) in which individual authorization is waived by an Institutional Review Board or Privacy Board would not be subject to the accounting requirement. The NPRM proposes eliminating the requirement for covered entities to provide an accounting of disclosures for research, including the current simplified accounting requirement for studies involving 50 or more individuals which allows covered entities to provide individuals with a protocol listing describing the research protocols for which the individual’s PHI may have been disclosed, rather than an individualized accounting of each actual disclosure. This exception is intended to ameliorate the administrative burden on the research community and the chilling effect the requirements might have had on research involving human subjects. In connection with this proposal, HHS solicits information regarding the burden of the current accounting requirements, including data from covered entities regarding protocol listings, and specific accounting for disclosures for research studies on less than 50 individuals.
  • Disclosures for health oversight activities under 45 C.F.R. § 164.512(d) would not be subject to the accounting requirement because these disclosures are routinely required by law, population-based or triggered by certain events that pertain to the covered entity rather than the individual.
  • Disclosures about decedents to coroners, medical examiners and funeral directors would not be subject to the accounting requirement because they are routine, expected and do not raise significant privacy concerns.
  • Disclosures for cadaveric organ, eye or tissue donation purposes under 45 C.F.R. § 164.512(g) and (h) would not be subject to the accounting requirement in order to permit covered entities to avoid the situation of requesting consent for donation prior to a determination of medical suitability. Further, families are typically already involved in the decision process with respect to donation of organs.
  • Disclosures for protective services for the President and others under 45 C.F.R. § 164.512(k)(3) would not be subject to the accounting requirement.

Reduced Accounting Content Requirements

The Privacy Rule currently requires an accounting of disclosures to include the date of disclosure. HHS proposes that a covered entity or business associate need only provide an approximate date or period of time for each disclosure, if the actual date is not known. An individual must be able to readily determine the month and year of the single disclosure from the information provided. For multiple disclosures to the same person or entity for the same purpose, the accounting may provide the approximate period of time, rather than specific frequency of disclosure or exact start and end date. The date of disclosure provided may be descriptive, rather than specific (e.g., "within 15 days of discharge").

The Privacy Rule currently requires that the accounting include the name of the entity or natural person who received the PHI, and their address if known. The NPRM proposes an exception to this requirement, if providing the name of the recipient would itself represent a disclosure of PHI about another individual.

The NPRM also proposes revising the accounting requirement to include only a brief description of the type of PHI disclosed rather than a description of the disclosed PHI itself. The accounting must also include a brief description of the purpose of the disclosure rather than a full statement, as long as it reasonably informs the individual of the purpose of the disclosure. The NPRM retains the provision stating that a copy of a written request may be substituted for a description of the purpose of the disclosure, and providing a copy of a request is encouraged when it provides more information than the description in the accounting.

Delays in Accounting Due to Law Enforcement Investigation

Covered entities are currently required to delay the provision of an accounting of disclosures based on a request from law enforcement related to an ongoing investigation. The NPRM clarifies that if such a delay is requested, the covered entity must account for all other disclosures and supplement the accounting with information about the law enforcement disclosures upon expiration of that delay. Delays for health oversight investigations will no longer be necessary, as disclosures for such activities would no longer be subject to the accounting requirements under the proposed rule.

New Requirement to Provide Individuals With the Right to an Access Report

The HITECH Act provides individuals with the right to information about disclosures through an EHR for treatment, payment, and healthcare operations for the three-year period prior to their request. HHS proposes to implement this section of the HITECH Act and also expand this right beyond the statutory requirement under its general authority under HIPAA. Specifically, the NPRM proposes that individuals have the right to an access report, which would provide information on both uses and disclosures of electronic PHI contained in any designated record set, not just an EHR. The right to the access report would cover a three-year period prior to the request.

Limitations on the Right to an Access Report

The access report is limited to providing information about who has accessed PHI about an individual that is maintained in an electronic designated record set held by a covered entity or business associate. This right would not extend to access to paper records or electronic disclosures of PHI occurring outside of electronic designated record set systems.

Access Report Requirements Regarding Business Associates

The NPRM proposes that covered entities be required to furnish access reports that include applicable uses and disclosures of their business associates that maintain electronic designated record set information. The HITECH Act requires covered entities to provide accounting of their own disclosures, but permits covered entities to either provide the disclosures of their business associates or a list of contact information for each of their business associates. Under the general authority of HIPAA, HHS expands this requirement for access reports to require covered entities to actually contact the business associates that create, receive, maintain or transmit electronic designated record set information and obtain from them access reports with respect to the individual’s information. The covered entity’s ultimate access report must include uses and disclosures by business associates of electronic designated record set information. The NPRM recommends that covered entities track which of their business associates have designated record set information.

Informational Content of the Access Report

At a minimum, the access report would be required to identify the date and time of access to the electronic PHI. To the extent available, the access report must set forth the first and last name of the natural person accessing the electronic designated record set information, a description of what information was accessed, and a description of the action by the user (e.g., "create" or "modify"). The report would not distinguish between "uses" and "disclosures" or between EHR and non-EHR electronic systems.

If the name of the natural person is unavailable, the name of the entity accessing the information would be deemed sufficient. Where an electronic designated record set system exchanges data with another electronic system within the organization, the access report may simply identify the access by the name of the covered entity. If more information is available, covered entities are encouraged to include it.

Section 13405(c) of the HITECH Act provides that the Secretary of HHS must take into account the interests of individuals in learning the circumstances under which their PHI is being disclosed and the administrative burden of accounting for such disclosures in mandating the collection of information. Accordingly, the NPRM notes that it is not necessary for all covered entities and business associates to modify their electronic designated record set systems to collect a description of what information was accessed. Nor is the access report required to include a description of what use or disclosure was ultimately made with the information or to whom the user provided the information. The access report is not required to include the address of the user or a description of the purpose of the access. HHS requests comment on ways in which types of access, if excepted from the access report, could be automatically identified and excluded.

Access Report Requirements Already Covered by the HIPAA Security Rule

The proposed requirements are designed to include only the information from access logs for electronic systems with designated record set information that covered entities and business associates are already required to collect in accordance with the HIPAA Security Rule. Information that is not typically captured in access logs generated by systems currently in use will not be required for the access reports so as to avoid undue disruption to workflow. The NPRM states that covered entities and business associates are expected to gather and aggregate data from access logs of raw data from electronic systems containing PHI to generate a single access report. Given that covered entities should already be maintaining access logs pursuant to the Security Rule, HHS requests comment on whether covered entities will be able to generate access reports covering the preceding three years by the applicable compliance dates, either January 1, 2013 or January 1, 2014.

Content and Format of the Access Report

The NPRM proposes requiring covered entities to provide individuals with the option to limit the access report to a specific date, time period, or person in order to focus on information of interest and minimize the information covered entities must collect. It recommends, but does not require, that covered entities offer the option to limit the access report to specific organizations. The covered entity must provide the access report in a format and structure that can be reasonably understood by individuals without an external aid.

Accounting Requirement for Disclosures Made Through Electronic Health Information Exchange Rejected

HHS determined that it would be overly burdensome to provide individuals with the right to receive a full accounting for treatment, payment and health care operations disclosures through an EHR when such disclosures are made through electronic health information exchange (i.e., disclosures that originate from an EHR that are received by another electronic system). Nevertheless, the NPRM announces that HHS intends to work with the Office of the National Coordinator for Health Information Technology (ONC) to assess whether information about the purpose of each exchange transaction should be incorporated into standards for such electronic exchange, which would reduce the accounting burden on covered entities. HHS will then revisit the issue of whether accounting requirements should include these disclosures.

Notices of Privacy Practices Must Incorporate Right to Receive and Access Report

Under the HIPAA Privacy Rule, a covered entity must provide an individual with a notice of privacy practices that includes descriptions of their rights. The NPRM proposes that the notice include a statement regarding an individual’s right under the proposed rule to receive an access report. As a result, covered entities would be required to revise and distribute the notice under 45 C.F.R. § 164.520, which mandates such action when there is a material change to notice. The regulation requires health care providers with a direct treatment relationship with individuals to make the notice available upon request on or after the effective date of the revision. If the provider maintains a physical service delivery site, notice must promptly be posted and available for individuals to take with them. Health plans are currently required by the Privacy Rule to distribute notices to current members within 60 days of material revision.

Covered entities would need to revise their notices of privacy practices to reflect the right to receive an access report according to the earliest applicable compliance date. As stated above, the effective dates are January 1, 2013 if the electronic designated record set systems were acquired after January 1, 2009, or January 1, 2014 if the electronic designated record set systems were acquired as of January 1, 2009. In the interim, the 60-day requirement for health plans to change their notices of privacy practices may be modified by HHS in other HITECH Act or Genetic Information Nondiscrimination Act of 2008 (GINA) final rules. Whether or not the time period is revised, the cost to health plans of revision and distribution of notices can be minimized by taking advantage of the lengthy compliance period. For example, the notice of the new right to access could be included in an annual mailing prior to the deadline.

Proposed Requirements That Apply to Accounting of Disclosures and Access Reports

Modified Requirements Regarding the Provision of Both Accounting and Access Reports

The NPRM proposes four modifications to the existing regulatory requirements: (1) decreasing the permissible response time for covered entities from 60 days to 30 days; (2) requiring that covered entities provide individuals with the accounting or access report in the form and format requested by the individual if readily producible; (3) clarifying that the covered entity may require the individual to submit the accounting or access report request in writing and (4) informing the individual of the fee policy for subsequent requests.

With regard to the new proposed response period, the NPRM specifies that if the reduced 30-day time period is not adequate for a response, a single 30-day extension may be available. For access reports, the covered entity must provide the individual with a written statement including the reason for the delay, and the date by which the access report will be provided. HHS requests comment on the length of time needed by covered entities to collect the necessary information and to generate the accounting of disclosures.

The NPRM proposes that the covered entity must provide the access report in machine readable or other electronic form and format as requested by the individual if readily producible, unless the individual does not agree to accept the electronic format and requests a hard copy form. Covered entities are strongly encouraged to provide the individual with a machine readable or other electronic copy of the accounting where they are able to do so and the individual has not specifically requested a paper copy. Machine readable data is digital information stored in a standard format enabling the information to be processed and analyzed by computer (e.g., text-based PDF or MS Word).

The NPRM specifies that the covered entity must inform individuals of a requirement to request an accounting or access report in writing, if it chooses to adopt such a policy. Covered entities are encouraged to create forms for individuals to request an accounting or access report that inform individuals of the information that will be included, and allow individuals to narrow the request based on their interests.

HHS will retain the rule which prohibits a covered entity from charging an individual a fee for the first request for an accounting or access report in a 12-month period, but permits the charging of a reasonable, cost-based fee for an accounting or access report in response to subsequent requests within the 12-month period. The NPRM proposes that the covered entity inform the individual of the fee policy both at the time of the initial request as well as the subsequent request. The individual must be provided with an opportunity to withdraw or modify the request in order to avoid or reduce the fee.

Revised Documentation Requirements for Accounting and Access Reports

Under the current rule, a covered entity must maintain for six years the information necessary to generate an accounting of disclosures, the written accounting that is provided to an individual, and the designation of the persons or offices responsible for receiving and processing accounting requests. The NPRM proposes a reduction in the retention period to three years for the documentation necessary to generate an accounting or access report. The NPRM also clarifies that a covered entity must retain a copy of the accounting or access report provided to the individual — rather than the original accounting document — for six years. The designation of persons or offices responsible for receiving and processing requests for access reports or accounting must also be maintained for six years from the last date the designation was in effect.

Patient Safety Work Product Excluded for Confidentiality Purposes

Under the Patient Safety and Quality Improvement Rule at 42 C.F.R. Part 3, which implements the Patient Safety and Quality Improvement Act of 2005, a member of a covered entity’s or business associate’s workforce may access electronic designated record set information for patient safety activities. Such use or disclosure of PHI may constitute patient safety work product under 42 C.F.R. Part 3 and, therefore, may fall under the privilege and confidentiality provisions of the Patient Safety and Quality Improvement Rule. The NPRM proposes that covered entities exclude any information that meets the definition of patient safety work product at 42 C.F.R. § 3.20 in order to avoid conflicts between the two regulatory schemes.