The Department of Health and Human Services (HHS) published on 31 May a proposed rule modifying the HIPAA Privacy Rule's accounting of disclosures requirement. The proposed rule would provide individuals with a new right to receive a written "access report" that describes uses and disclosures of their protected health information (PHI) made through an "electronic designated record set." The proposed rule also makes a number of changes to the existing accounting of disclosures requirements.
New individual right to obtain access report
Under the proposed rule, individuals would have the right to request a written report detailing who had accessed their PHI within the past three years. The right applies to PHI maintained by a covered entity or business associate in an electronic designated record set. The proposal does not distinguish between "uses" and "disclosures" of PHI, and access reports would need to include uses by members of the covered entity's workforce as well as disclosures outside the covered entity or business associate.
The proposed rule goes beyond what was required by the HITECH Act in that it is not limited to information in an electronic health record and would require healthcare providers, health plans, and business associates working on their behalf to provide detailed disclosures of information accessed through an electronic designated record set for almost all purposes — including treatment, payment, and healthcare operations. Individuals would exercise the new right by requesting an access report, which would document by name the individuals who electronically accessed and viewed their protected health information. Although covered entities are currently required by the HIPAA Security Rule to track access to electronic protected health information, they are not required to share this detailed level of information with patients or health plan members.
Designated record sets include medical, healthcare, and other records used by a covered entity to make decisions about individuals. The preamble to the proposed rule includes several examples of PHI that are not designated record sets, including a hospital's peer review files (provided they are used only to improve patient care, and not to make decisions about individuals) and transcripts of customer calls (provided they are only used for customer service review purposes, and not to make decisions about individuals). HHS' proposal to require an access report for electronic designated record sets is much broader than the HITECH Act language, which requires an expanded accounting of disclosures only for electronic health records. Accordingly, covered entities that do not generally maintain electronic health records — including many health plans — will be subject to the new access report requirement if they maintain PHI electronically in a designated record set.
An access report must include the date of access, time of access, and, if available, the name of the person (or entity) that accessed the information, a description of the information that was accessed, and a description of the action that was taken by the user (such as create, modify, access, or delete). Covered entities are not required to disclose the purpose of the access.
A covered entity must give the requesting individual the option to limit the access report to a specific date, time period, or person. For example, an individual can limit the report to any access by a specific person within the past six months. The report must be presented in an understandable format and be provided in electronic form and format, unless a hard copy is requested. A covered entity may not charge for providing an access report if it is the first such report requested by an individual in any 12-month period; any subsequent requests by the individual within the 12-month period may be subject to a "reasonable, cost-based fee."
The covered entity must provide the access report within 30 days of the individual's request, although that time limit may be extended once for an additional 30 days, so long as the individual is notified of the reasons for the delay and the date by which the report will be provided. These time limitations may present particular challenges for covered entities whose business associates maintain electronic designated record sets on their behalf, as the access report must address information held by business associates, and the proposed rule does not include the option for a covered entity to provide an individual with its own report and a list of its business associates. Therefore, upon receiving a request for an access report, a covered entity will need to promptly notify its business associates so that they may assemble the relevant data, which would then be consolidated into a report to the requesting individual.
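As an added illustration (example code written for this summary, not from HHS or the proposed rule), the following Python sketches how an entity could assemble an access report from the audit trail that the Security Rule already requires it to keep for an electronic designated record set. The audit-log entries, field names and patient identifiers are constructed; the three-year lookback, the optional date/person limits, the fields the report must carry (date, time, user name if available, description of the information, and action), the 30-day response deadline with one 30-day extension, and the first-report-free rule are taken from the text above. Reading "any 12-month period" as the 365 days preceding a request is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


# Constructed sample entries from an electronic designated record set's audit
# log (not real data). The AccessEvent fields are an assumption about what such
# a log records; they map onto the elements required in an access report.
@dataclass(frozen=True)
class AccessEvent:
    timestamp: datetime
    user: Optional[str]      # None when the system did not capture a name
    patient_id: str
    information: str         # description of the PHI touched, e.g. "lab results"
    action: str              # create, modify, access or delete


def iso(s: str) -> datetime:
    """Parse 'YYYY-MM-DD' or 'YYYY-MM-DD HH:MM' (helper for samples and tests)."""
    fmt = "%Y-%m-%d %H:%M" if " " in s else "%Y-%m-%d"
    return datetime.strptime(s, fmt)


SAMPLE_LOG = [
    AccessEvent(iso("2011-03-02 09:15"), "Dr. A. Rivera", "P-1001", "medication list", "access"),
    AccessEvent(iso("2011-03-02 09:16"), "Dr. A. Rivera", "P-1001", "medication list", "modify"),
    AccessEvent(iso("2011-04-10 14:02"), None, "P-1001", "lab results", "access"),
    AccessEvent(iso("2011-04-11 08:30"), "J. Okafor (billing)", "P-1002", "claims record", "access"),
    AccessEvent(iso("2008-01-05 12:00"), "Dr. A. Rivera", "P-1001", "progress notes", "access"),
]


def years_before(d: datetime, years: int) -> datetime:
    """Same calendar date `years` earlier; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def build_access_report(log, patient_id, requested_on, start=None, end=None, person=None):
    """Rows for one individual's access report: the three years before the request,
    optionally narrowed to a date range and/or a single named user, oldest first."""
    window_start = years_before(requested_on, 3)
    lo = max(window_start, start) if start else window_start
    hi = min(requested_on, end) if end else requested_on
    rows = []
    for ev in sorted(log, key=lambda e: e.timestamp):
        if ev.patient_id != patient_id or not (lo <= ev.timestamp <= hi):
            continue
        if person is not None and ev.user != person:
            continue
        rows.append({
            "date": ev.timestamp.strftime("%Y-%m-%d"),
            "time": ev.timestamp.strftime("%H:%M"),
            "who": ev.user if ev.user else "not available",   # name only "if available"
            "information": ev.information,
            "action": ev.action,
        })
    return rows


def format_access_report(rows) -> str:
    """Plain-text rendering so the report is in an understandable format."""
    fmt = "{:<10} {:<5} {:<22} {:<16} {}"
    lines = [fmt.format("Date", "Time", "Who", "Information", "Action")]
    lines += [fmt.format(r["date"], r["time"], r["who"], r["information"], r["action"]) for r in rows]
    return "\n".join(lines)


def response_deadline(requested_on, extended=False):
    """30 days from the request; one further 30 days if the individual was told why and when."""
    return requested_on + timedelta(days=60 if extended else 30)


def fee_may_be_charged(prior_requests, requested_on):
    """True only if the individual already received a report in the preceding 365 days
    (assumed reading of 'any 12-month period'); the first report in that span is free."""
    cutoff = requested_on - timedelta(days=365)
    return any(cutoff <= d < requested_on for d in prior_requests)


if __name__ == "__main__":
    req = iso("2011-06-01")
    print(format_access_report(build_access_report(SAMPLE_LOG, "P-1001", req)))
    print("respond by:", response_deadline(req).date())
```

In practice the consolidated report would also need to pull rows from each business associate that holds part of the record set, since the rule gives the covered entity no option to hand over its own report plus a list of associates; the function above would simply be run over the merged logs.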
The new access report requirements would become effective on 1 January 2013 (for electronic designated record set systems acquired after 1 January 2009) and 1 January 2014 (for electronic designated record set systems acquired on or before 1 January 2009). Covered entities would need to update their Notices of Privacy Practices to inform individuals of this new right as well as the changes to the accounting of disclosures right.
Accounting of disclosure requirements to be eased
In addition to establishing a new right to an access report, the proposed rule also amends the existing accounting of disclosure provisions. For the most part, the proposed changes should ease the burden on covered entities of complying with the accounting requirements.
The proposal reduces the period of the accounting from six years to three years (the same period covered by the access report) and removes several of the categories of disclosures that were previously required to be included in accounting, including those for research purposes or as required by law. Covered entities would not be required to include in the accounting any data breaches about which the entity had already provided the individual with notice. In addition, the accounting would now be limited to PHI maintained in a designated record set (although, unlike the access report provision, the accounting requirement would continue to apply to paper records). For multiple disclosures to a single recipient for a single purpose, the proposal would allow covered entities to report a general range of dates (such as December 2010 through August 2011), rather than the specific date of each disclosure. In addition, covered entities would be allowed to report the approximate date of any disclosure for which the exact date was not known.
Not every change in the proposal is favorable to covered entities. In particular, the timeframe for completing the accounting would be reduced from 60 days to 30 days (with a single 30-day extension available). As noted above, this shortened timeframe could pose difficulties for covered entities needing to obtain an accounting from business associates.
The revised accounting of disclosure requirements would become effective 240 days after publication of a final rule in the Federal Register.
Action steps for HIPAA covered entities and business associates
Covered entities and business associates with concerns about the potential impact of the proposed rule should provide HHS with their comments, which are due by 1 August 2011. The proposed rule is available at www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf.