On May 31, 2011, the Office of Civil Rights (OCR) published a proposed HITECH accounting of disclosures rule. The proposed rule includes provisions which, for covered entities, are good, bad and ugly. The HIPAA privacy rule currently requires covered entities to make available an accounting of certain disclosures of an individual’s protected health information. The proposed rule revises this accounting of disclosures requirement. In addition, in part based on HITECH’s mandate, and in part based on OCR’s desire to ensure that individuals are receiving the information that is of most interest, the proposed rule would require covered entities to provide a report showing who has accessed (not just disclosed) protected health information in an electronic designated record set. Highlights of the proposed rule are summarized below:
Accounting period would be reduced from six to three years. The HIPAA privacy rule currently requires that an accounting of disclosures include disclosures during the six-year period immediately preceding the request for an accounting. The proposed rule would reduce that period to three years.
Only disclosures of information from designated record sets would be accounted for. The proposed rule would limit disclosures that must be accounted for to only disclosures of information from a designated record set. A “designated record set” includes the medical and billing records and other groups of records used to make decisions about the individual. For example, a hospital’s peer review files that include protected health information about many patients but are used only to improve patient care at the hospital, and not to make decisions about individuals, are not part of that hospital’s designated record sets. For covered entities that maintain health information in a variety of systems, limiting the disclosures which must be tracked to those from designated record sets may make the “accounting” burden more manageable. Note, however, that disclosures of information not in a designated record set would remain subject to the HITECH breach notification rule.
Fewer disclosures would be required to be accounted for. The HIPAA privacy rule currently excepts certain disclosures from the accounting requirement. The proposed rule would except the following disclosures as well:
- Disclosures required by law (other than disclosures for judicial and administrative proceedings and for law enforcement purposes);
- Disclosures about victims of abuse, neglect or domestic violence;
- Disclosures to health oversight agencies (e.g., health care professional or health care facility licensure agencies);
- Certain otherwise permitted disclosures about decedents;
- Certain otherwise permitted disclosures to organ procurement organizations; and
- Disclosures for research purposes.
Covered entities would have only thirty days to respond to a request for an accounting. The proposed rule would reduce the time covered entities have to respond to a request for an accounting from sixty days to thirty days. Covered entities that are unable to respond in thirty days are still eligible for a one-time, thirty-day extension.
Covered entities would have to provide the accounting in the form and format requested. As is currently required when individuals request access to their protected health information, covered entities must provide the accounting in the form and format requested by the individual if the accounting is readily producible in such form and format. For example, if an individual requests the accounting in a format compatible with a particular word processor, the covered entity should honor the request if the format is readily producible. If the requested format is not readily producible, then a covered entity may provide a hard copy of the accounting, or communicate with the individual so as to determine if another form or format is acceptable.
The Ugly - Accounting of Access Standard
The proposed rule would give individuals the right to receive from covered entities a written report showing who has accessed the individual’s protected health information in an electronic designated record set for up to three years prior to the date on which the access report is requested. Covered entities would have to give individuals the option to limit the accounting to a specific date, time period or person, and the right to an accounting of access would be required to be included in covered entities’ notices of privacy practices. HITECH obligates OCR to craft a rule to require an accounting of disclosures for treatment, payment and health care operations purposes through an electronic health record. The proposed rule, however, goes far beyond what HITECH requires. The proposed rule requires that the access report include both disclosures and uses through an electronic designated record set for almost any purpose, including disclosures and uses by business associates. OCR contends that the proposed rule would not unreasonably burden covered entities because covered entities are presently obligated to track access pursuant to the HIPAA security rule. Notwithstanding OCR’s assertions to the contrary, however, the breadth of OCR’s proposal may pose significant challenges for covered entities.
Changes to Accounting of Disclosures Standard. The proposed changes to the accounting of disclosures requirement would become effective 240 days after a final rule is published in the Federal Register.
Accounting of Access Standard. The effective date of the accounting of access standard depends on the date the covered entity acquired its electronic designated record set system. For electronic designated record set systems acquired before January 1, 2009, the effective date is January 1, 2014. For electronic designated record set systems acquired after January 1, 2009, the effective date is January 1, 2013. Note that, once the standard is effective, the access report must include any access during the three-year period preceding the request for the report. In other words, even before the effective date of the standard, covered entities must begin tracking access to their electronic designated record sets in a way that will permit them to provide the report after the effective date.
OCR has solicited comments regarding a number of provisions of the proposed rule. Those comments must be received by OCR on or before July 29, 2011. OCR acknowledges that the right to an accounting is infrequently used and that only a small minority of individuals will actually exercise their right to an accounting of disclosures or access in the future. Hopefully the comment submissions will convince OCR that it needs to revise the proposed rule in a way that strikes a better balance between the benefit to individuals of providing accountings of disclosures/access and the burden on covered entities of establishing the systems and processes necessary to provide such accountings to a relatively small number of individuals.