Under the Health Insurance Portability and Accountability Act (HIPAA), an individual has the right to obtain an accounting of instances in which a covered entity discloses the individual’s protected health information (PHI). Although rarely invoked and subject to numerous exceptions, health plans, health care providers, and health care clearinghouses have been required to maintain records necessary to provide this accounting upon an individual’s request.

Spurred by changes that the Health Information Technology for Economic and Clinical Health Act (HITECH) introduced to these accounting rules, the Department of Health and Human Services (HHS) has proposed new regulations, open to comment until August 1, 2011. The proposal pairs new burdens with modest relief and includes several surprises. Among the more significant changes are the following:

  • The new regulations restructure the existing requirements to include both a modified version of the traditional “accounting of disclosures” rule and a new requirement to provide individuals with an “access report” on request.
  • The HITECH statute’s modifications to the accounting rules apply specifically to electronic health records, which it defines as “an electronic record of health-related information on an individual that is created, gathered, managed and consulted by authorized health care clinicians and staff.” Based on this definition, many health plans did not view the HITECH modifications as affecting their practices. The new regulations do not limit the accounting requirements to electronic health records, but do restrict them to PHI in the individual’s designated record set (which basically contains PHI used to make decisions about the individual).
  • Where the original HIPAA regulations provided that the accounting rules generally applied to disclosures but specified a broad range of exceptions, the new regulations identify the specific disclosures that will be subject to the accounting rules and carve out a relatively small number of exceptions. Significantly, the new rules extend to many public health activities and to disclosures that violate the privacy rules but for which a breach notification has not been provided.
  • Consistent with HITECH’s requirements, the period for responding to an individual’s request for an accounting is shortened from 60 to 30 days.
  • The new requirement to furnish an access report (see the first bullet) was not referenced in the statutory HITECH changes. The access report accounts for instances in which electronic PHI in an individual’s designated record set has been accessed internally, by an organization’s own employees, as well as externally. HHS does not see this requirement as particularly burdensome, as it builds off an existing HIPAA security rule that requires covered entities to monitor information system activity in order to track access to electronic PHI. The reporting obligation applies only to instances when information in a designated record set is accessed. The regulations specify the information to be included in an access report.
  • The accounting of disclosures and the access report will need to account for disclosures dating back only three years from the request (shortened from six years).
  • Consistent with HITECH, both the accounting and access report rules apply to business associates as well as covered entities.

The accounting of disclosure rules are to take effect 240 days after publication of final rules. The access report rules will be effective in two stages, beginning January 1, 2013, for information obtained on and after January 1, 2009.

A few observations

As a covered entity or business associate, your organization may evaluate the modifications needed to comply with the new regulations. For example:

  • You may assess how your systems are hard-wired and how information in them can be accessed and converted into an appropriate accounting or access report.
  • You may consider how well you keep track of the designated record sets maintained by business associates and their ability to produce accountings and reports on request.
  • You may review your notice of privacy practices, business associate agreements, and other HIPAA-compliance documents to determine if changes are appropriate to reflect the new requirements.  

If you engage in certain activities, you may wish to examine changes made by the new rules with particular care. The use and disclosure of PHI for research, public health and health oversight activities, and patient safety reporting have been the source of substantial confusion and debate by many since HIPAA’s enactment. The new accounting rules establish a distinction between situations when a disclosure is required by law (often accounting is not required) and when it is merely authorized by law (typically accounting is required if for a specified purpose) that may lead your organization to make some refined distinctions.