On May 31, 2011 the US Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) administrative simplification rules (the Proposed Rule) to expand an individual’s right to an accounting of disclosures of his or her protected health information (PHI). The Proposed Rule would also establish an individual’s right to obtain a report on who has electronically accessed his or her PHI. If implemented as proposed, the changes could create a significant additional administrative burden for many health care organizations.
Together with the new penalty and enforcement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Proposed Rule reflects the federal government’s continued concern with identity theft and individual privacy rights in an era of increased use of electronic health data.
After the final rule is published — which could happen later this year — covered entities and their business associates will need to review their HIPAA policies and procedures and modify their existing business associate agreements to ensure compliance. Further, covered entities will likely have to update their Notice of Privacy Practices.
Public comments on the Proposed Rule are due to HHS by August 1, 2011. The following is a brief summary of key changes in the Proposed Rule:
- Accounting of Disclosures. HIPAA currently gives individuals the right to an accounting of disclosures of their PHI made by a covered entity during the previous six years, subject to a number of exceptions, the most notable of which covers disclosures made to carry out treatment, payment and health care operations. Under the Proposed Rule, the accounting period would be reduced from six years to three, and the accounting would cover disclosures made by business associates as well as by the covered entity. The accounting would describe disclosures of designated record set information (whether hard copy or electronic) to persons outside the covered entity and its business associates for specified purposes (e.g., law enforcement, judicial hearings and public health investigations). Additionally, the Proposed Rule would reduce from 60 days to 30 days the time in which the covered entity must respond to a request for an accounting.
- Access Reports. Under the Proposed Rule, individuals would have a right to receive a written report indicating who has accessed their PHI in an electronic designated record set maintained by a covered entity or its business associates during the three years prior to the request. The access report must include i) the date of access, ii) the time of access, iii) the name of the person or entity that accessed the PHI, iv) a description of the information accessed, and v) a description of the action taken by the user, if available (e.g., “create,” “modify,” “access” or “delete”). Unlike the accounting of disclosures, and consistent with the HITECH Act, the access report would include uses and disclosures for treatment, payment and health care operations purposes. The report must be provided within 30 days of the request in a readable format.
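To make the access-report requirement concrete, here is an added example (not from the article or from HHS) that builds a report with the five required fields from an application audit log. The JSON-lines log format, the field names, the user and patient identifiers and the log entries themselves are all constructed for illustration; the three-year lookback, the 30-day response window and the "action, if available" rule follow the summary above.

```python
"""Build a HIPAA-style access report from an EHR audit log (added example).

Assumptions: the audit log is JSON lines with the fields ts, user,
patient_id, resource and (optionally) action. Sample data is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

LOOKBACK_YEARS = 3   # report covers the three years before the request
RESPONSE_DAYS = 30   # report must be delivered within 30 days

# Constructed sample audit log: not real patients, users or systems.
# The 2008 entry is outside the lookback window; the last entry has no
# recorded action, which the report must tolerate ("if available").
SAMPLE_AUDIT_LOG = """
{"ts": "2011-06-03T09:14:05Z", "user": "dr.alvarez", "patient_id": "P-1001", "resource": "Lab results", "action": "access"}
{"ts": "2011-06-03T09:20:41Z", "user": "nurse.chen", "patient_id": "P-1001", "resource": "Medication list", "action": "modify"}
{"ts": "2011-06-04T17:02:00Z", "user": "billing-svc", "patient_id": "P-2002", "resource": "Claim 44817", "action": "create"}
{"ts": "2008-02-11T08:00:00Z", "user": "dr.alvarez", "patient_id": "P-1001", "resource": "Progress note", "action": "access"}
{"ts": "2011-06-05T11:30:12Z", "user": "report-batch", "patient_id": "P-1001", "resource": "Discharge summary"}
"""


def parse_audit_log(text):
    """Parse JSON-lines audit records; timestamps become aware UTC datetimes."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append(rec)
    return entries


def lookback_start(request_date):
    """Start of the reporting window: three years before the request date."""
    try:
        return request_date.replace(year=request_date.year - LOOKBACK_YEARS)
    except ValueError:  # request made on Feb 29 of a leap year
        return request_date.replace(year=request_date.year - LOOKBACK_YEARS, day=28)


def access_report(entries, patient_id, request_date):
    """Return report rows (date, time, who, what, action) for one patient."""
    start = lookback_start(request_date)
    rows = []
    for rec in sorted(entries, key=lambda r: r["ts"]):
        if rec["patient_id"] != patient_id:
            continue
        if not (start <= rec["ts"] <= request_date):
            continue  # outside the three-year window
        rows.append({
            "date": rec["ts"].strftime("%Y-%m-%d"),
            "time": rec["ts"].strftime("%H:%M:%S UTC"),
            "who": rec["user"],
            "what": rec["resource"],
            # action is only reported where the system recorded one
            "action": rec.get("action", "not recorded"),
        })
    return rows


def response_deadline(request_date):
    """Date by which the report must be provided to the individual."""
    return request_date + timedelta(days=RESPONSE_DAYS)


def render(rows):
    """Readable, fixed-width rendering of the report rows."""
    lines = [f"{'Date':<10} {'Time':<12} {'Who':<12} {'What':<20} Action"]
    for r in rows:
        lines.append(f"{r['date']:<10} {r['time']:<12} {r['who']:<12} {r['what']:<20} {r['action']}")
    return "\n".join(lines)


def demo():
    """Run the sample: report for patient P-1001 requested on 2011-06-10."""
    request = datetime(2011, 6, 10, tzinfo=timezone.utc)
    rows = access_report(parse_audit_log(SAMPLE_AUDIT_LOG), "P-1001", request)
    return rows, response_deadline(request).date().isoformat()


if __name__ == "__main__":
    rows, due = demo()
    print(render(rows))
    print("respond by", due)
```

Two details matter in practice: the window is measured back from the request date, so a record just outside it (the 2008 entry here) is dropped rather than reported, and systems that do not record the action still yield a valid row, since the Proposed Rule only asks for the action where it is available.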
Effective and Compliance Dates
Although many of the provisions under the HITECH Act took effect on February 18, 2010, OCR has recognized that it would be difficult for covered entities and business associates to comply until final rules are issued. OCR therefore proposes separate compliance dates for the changes to the accounting of disclosures requirements and for an individual’s right to receive an access report.
Covered entities and business associates will be required to comply with the revised accounting of disclosures provisions no later than 180 days after the effective date of the final rule. The effective date of the final rule will be 60 days after publication in the Federal Register, so covered entities and business associates will have 240 days after publication of the final rule to comply with the new accounting of disclosures provisions.
Covered entities and business associates will be required to produce an access report upon request beginning January 1, 2013 for any electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014 for electronic designated record set systems acquired on or before January 1, 2009. Because the HIPAA Security Rule already requires audit controls that record activity in systems containing electronic PHI, covered entities and business associates should already be logging access to electronic PHI and should already be able to generate access reports. OCR recognizes that during 2013 a covered entity or business associate may be required to produce an access report that covers some electronic designated record set systems (those acquired after January 1, 2009) but not others (those acquired on or before January 1, 2009). OCR encourages covered entities and business associates in such circumstances to provide access reports covering all designated record set systems during 2013, even where some of the electronic systems are not yet required to be included.
In the meantime, there are steps covered entities and business associates can take to prepare for these anticipated changes. Both groups will eventually need to review and revise their HIPAA policies and procedures and business associate agreements. If your organization is a covered entity or a business associate, you can begin to create a strategy for these updates. If your organization is a covered entity, that strategy should also include a plan to update your Notice of Privacy Practices to accommodate the changes to individual rights.
Finally, as part of increased enforcement of HIPAA requirements, and in concert with revised penalty provisions under the HITECH Act, the federal government has indicated it will expand its HIPAA oversight through compliance reviews and audits. Therefore, both covered entities and business associates should consider conducting internal HIPAA audits and assessments to help identify and address any areas of concern.