On May 31, 2011, the Office of Civil Rights of the Department of Health & Human Services (HHS) published a Notice of Proposed Rulemaking (Proposed Rule) to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule standard for accounting of disclosures of protected health information (PHI) and establish a new individual right to obtain an access report that contains information on all uses and disclosures from an electronic designated record set.
The purpose of these modifications is, in part, to implement the statutory provisions under the Health Information Technology for Economic and Clinical Health Act (HITECH) that require covered entities (CEs) and business associates (BAs) to account for disclosures of PHI to carry out treatment, payment, and health care operations if such disclosures are through an electronic health record (EHR). Pursuant to both the HITECH Act and its more general authority under HIPAA, HHS proposes to expand this accounting provision to provide individuals with the right to receive an access report indicating who has accessed electronic PHI (ePHI) (including access for purposes of treatment, payment, and health care operations) in a designated record set, irrespective of whether that record set is an EHR. Under its more general authority under HIPAA, HHS also proposes changes to the existing accounting requirements to provide additional information about the disclosure of designated record set information (whether hard-copy or electronic) to persons outside the CE or its BAs for certain purposes (e.g., law enforcement, judicial hearings, or public health investigations).
HHS proposes to revise 45 CFR § 164.528 by dividing it into two separate sections related to individual rights: paragraph (a) would set forth modified requirements regarding an individual's right to receive an accounting of disclosures, and paragraph (b) would set forth an individual's right to receive an access report (which would include electronic access by both workforce members and persons outside the CE).
HHS is soliciting comments on the Proposed Rule, which must be submitted on or before August 1, 2011. This alert contains an overview of the more significant aspects of the Proposed Rule.
Accounting of Disclosures of Protected Health Information — Section 164.528(a)
Under the current Privacy Rule, an individual has a right to receive an accounting of disclosures by a CE or BA. HHS proposes to make a number of changes to this right. According to HHS, the modifications to the existing accounting of disclosures requirements will improve the workability of the requirements and focus the requirements on providing the individual with information about those disclosures that are most likely to impact the individual's legal and personal interests, while taking into account the administrative burdens on CEs and BAs. Specifically, HHS proposes to:
- Change the scope of information subject to the accounting to the information about an individual in a designated record set
- Explicitly include BAs in the language of the accounting requirements
- Change the accounting period from six years to three years
- List the types of disclosures that are subject to the accounting (rather than listing the types of disclosures that are exempt from the accounting requirements)
Right to an Accounting of Disclosures
Paragraph (a)(1)(i) of the Proposed Rule would maintain the general standard under § 164.528 that an individual has a right to receive an accounting of disclosures, but would extend the accounting requirements to information maintained by BAs. In addition, the scope of the accounting would be modified as discussed below.
Currently, an individual has a right to an accounting of certain disclosures of PHI about the individual, regardless of where such information is located. The Proposed Rule would limit the accounting provision to PHI about the individual in a designated record set. Designated record sets include the medical and health care payment records maintained by or for a CE, and other records used by or for the CE to make decisions about individuals. Files that are used for other purposes, such as a hospital's peer review files, would not be subject to this requirement. For example, if hospital peer review files are only used to improve patient care at the hospital, and not to make decisions about individuals, then they are not part of the hospital's designated record set.
Under the current rule, all disclosures are generally subject to the accounting requirement unless specifically exempted. In the Proposed Rule, HHS takes the opposite approach and explicitly lists the types of disclosures that are subject to the accounting requirement. As a practical matter, the types of disclosure exempted from the accounting requirement under the current rule continue to be excluded from the accounting requirement under the Proposed Rule. However, if such disclosures are made through an electronic designated record set, such disclosures must be recorded and made available to the individual in an access report under the proposed § 164.528(b).
The Proposed Rule specifically provides that a CE shall exclude from an accounting or access report any information that meets the definition of patient safety work product under 42 CFR Part 3. In addition, while the accounting of disclosures would continue to include disclosures of PHI that are impermissible under the Privacy Rule, the Proposed Rule would exempt from the accounting requirement impermissible disclosures in which the CE (directly or through a BA) has provided breach notice.
Likewise, the accounting would continue to include disclosures of PHI for public health purposes, but would exclude disclosures about victims of abuse, neglect, or domestic violence under § 164.512(c). HHS also proposes to exempt from the accounting requirements disclosures for health oversight activities under § 164.512(d); disclosures for research purposes under § 164.512(i); disclosures about decedents to coroners and medical examiners, funeral directors, and for cadaveric organ, eye, or tissue donation purposes under § 164.512(g) and (h); disclosures for protective services for the president and others under § 164.512(k)(3); and most disclosures that are required by law (including disclosures to HHS to enforce the HIPAA Administrative Simplification Rules). As will be discussed below, however, to the extent such disclosures are made through an electronic designated record set, such disclosures would be recorded and available to the individual in an access report under proposed § 164.528(b).
Content of the Accounting
Currently, the Privacy Rule requires an accounting of disclosures to include the date of disclosure, name and (if known) address of the recipient, a brief description of the type of PHI disclosed, and a brief statement of the purpose of the disclosure. The Proposed Rule would maintain these requirements, with the following modifications.
A CE or BA would need only provide an approximate date or period of time for each disclosure, if the actual date is not known. At a minimum, the approximate date must include a month and year or a description of when the disclosure occurred from which an individual can readily determine the month and year of the disclosure.
The Privacy Rule currently provides that for multiple disclosures of PHI to the same person or entity for the same purpose, the accounting may provide the frequency, periodicity, or number of disclosures during the accounting period, and the date of the last disclosure. The Proposed Rule would instead require only the approximate period of time for multiple disclosures to the same person or entity for the same purpose.
HHS proposes that the accounting include the name of the entity or natural person who received the PHI and, if known, his or her address, except for when providing the name of the recipient would itself represent a disclosure of PHI about another individual. For example, if a physician's office mistakenly sends an appointment reminder to the wrong patient (and determines that the impermissible disclosure does not require breach notification because it does not compromise the privacy or security of the information), then the accounting may indicate that the disclosure was to “another patient.”
The Proposed Rule would no longer require that the CE or BA provide a description of the PHI disclosed. HHS proposes to revise the regulatory language, replacing “a brief description of the PHI disclosed” with “a brief description of the type of PHI disclosed.” For example, “for public health” or “in response to law enforcement request” is sufficient. Further, the Proposed Rule would clarify that only a minimum description of the purpose of the disclosure is required.
Although individuals would have a right to an accounting of all of the included disclosures occurring within the three years prior to the request, HHS proposes to require CEs to provide individuals the option of limiting the accounting to a particular time period, type of disclosure, or recipient.
Provision of Accounting
The Proposed Rule includes three modifications to the existing regulatory requirements: (1) decreasing the permissible response time from 60 days to 30 days; (2) requiring that CEs provide individuals with the accounting in the form and format requested by the individual if readily producible (e.g., an electronic copy of the accounting); and (3) clarifying that the CE may require the individual to submit the accounting request in writing.
With respect to fees for providing an accounting of disclosures, the Proposed Rule requires the CE to inform the individual at the time of the first accounting request that all subsequent requests in the 12-month period may be subject to a fee. The Proposed Rule also requires the CE to inform the individual of the fee at the time of the subsequent request and to provide the individual with an opportunity to withdraw or modify the request in order to avoid or reduce the fee.
Law Enforcement and Health Oversight Delay
The Proposed Rule would no longer include a delay for a health oversight investigation, because disclosures for health oversight activities would no longer be subject to the accounting requirements.
The current rule provides that CEs must document and retain the information necessary to generate an accounting of disclosures, the written accounting that is provided to an individual, and the designation of the persons or offices responsible for receiving and processing accounting requests for six years from the date of its creation or the date when it was last in effect, whichever is later. In the case of the designation of who is responsible for handling accounting requests, the CE must retain the designation for six years from the date when it was last in effect. HHS proposes two changes to the accounting requirements: (1) the requirement to maintain the information necessary to generate an accounting of disclosures would be reduced to three years, and (2) a CE must retain a copy of the accounting provided to the individual, and not the original accounting document.
Right to an Access Report — Section 164.528(b)
The Proposed Rule would provide individuals with a right to receive an access report that indicates who has accessed information in their electronic designated record set. This right would not extend to access to paper records. The “access report” is a document that a system administrator or other appropriate person generates from the access log in a format that is understandable to the individual. This access report is not the same as an “audit trail” or “audit log.” If an entity has PHI in multiple systems, the data from each audit log, including data from BAs' systems, must be gathered and aggregated to generate a single access report.
Although this proposed right to an access report would implement section 13405(c) of the HITECH Act, which requires that a CE provide individuals with information about disclosures of PHI through an EHR for treatment, payment, and health care operations, this Proposed Rule would expand that right in several ways. First, the Proposed Rule would require CEs to provide information about any electronic access to PHI, which encompasses both uses and disclosures of ePHI. According to HHS, because most EHR systems are unable to automatically distinguish electronically between use and disclosure, the requirement to include a report of all access, rather than only access that represents a disclosure, may actually be less burdensome on CEs.
Second, the Proposed Rule would extend the requirement to provide an access report to all CEs and BAs that maintain ePHI about an individual in any designated record set, even if these entities do not have systems that could be classified as EHRs. The right of access, however, does not extend to electronic disclosures outside an electronic designated record set. HHS believes that all electronic records systems, regardless of whether they qualify as EHR, should provide sufficient information to create an access report, because compliance with the Security Rule requires CEs to record when users access information for all systems with designated record set information and to review those audit trails or access logs.
Under Section 13405(c)(3) of the HITECH Act, a CE may provide either an accounting that includes disclosures by BAs or an accounting that is limited to its own disclosures and a list of BAs (with contact information for each BA). HHS asserts that the second option places too much of the burden on individuals. Therefore, the Proposed Rule requires that the CE's access report include uses and disclosures of electronic designated record set information by BAs, rather than merely providing a listing of BAs. In response to a request for an access report, a CE must contact the BAs that create, receive, maintain, or transmit electronic designated record set information and obtain from such BAs access reports with respect to the individual's information.
Content of the Access Report
In paragraph (b)(2), HHS proposes that the access report must set forth: (a) the date of access; (b) the time of access; (c) the name of the natural person, if available, otherwise the name of the entity accessing the electronic designated record set information; (d) a description of the information that was accessed, if available; and (e) a description of the action by the user, if available (e.g., “create,” “modify,” “access,” or “delete”). HHS recognizes that some access logs may not provide the first and last name of the person accessing the information, but instead may rely on a user ID; in that case, CEs must match the user ID with a first and last name to generate the access report. If the access log captures the name of an entity, rather than a natural person (e.g., when information from an EHR is exchanged with an organization outside of the CE), the access log may include only the name of the organization receiving the information. If an electronic designated record set system exchanges data with another electronic system within the organization, such access could permissibly be logged by the name of the CE to reflect that the individual's information was accessed by one of the CE's systems.
The Proposed Rule would require that an access report include a description of the information in the electronic designated record set that was accessed, if this information is available. However, HHS does not propose to require CEs and BAs to collect such information.
Lastly, the Proposed Rule would require that the access report include a general description of the action taken by the user with respect to the record, if available, such as whether the user created, modified, deleted, or merely accessed the record. Unlike an accounting of disclosures under paragraph (a), the access report need not include the address of the user or a brief statement of the purpose of the disclosure.
As with the accounting of disclosures, HHS proposes to require CEs to provide individuals with the option to limit the access report to a specific date, time period, or person, and to recommend that CEs allow individuals the option to limit the access report to specific organizations.
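The access-report generation described above (aggregating audit logs from the CE's and BAs' systems, matching user IDs to names, and limiting the report to a period or person), as an added illustration that is not from the Proposed Rule or any HHS material. It assumes a constructed JSON-lines audit log format and a constructed user directory, since the rule specifies the report's fields but no log format.

```python
import json
from datetime import datetime

# Constructed sample audit logs, one from the CE's EHR and one from a BA's
# billing system. Each line is JSON; "user_id" identifies a workforce member,
# "entity" an outside organization that received the information.
EHR_LOG = """\
{"ts": "2011-06-02T09:14:05", "user_id": "u1042", "record": "lab results", "action": "access"}
{"ts": "2011-06-02T09:20:11", "user_id": "u1042", "record": "lab results", "action": "modify"}
{"ts": "2011-06-03T14:02:40", "entity": "Regional HIE", "record": "summary", "action": "access"}
"""
BA_LOG = """\
{"ts": "2011-06-04T08:00:00", "user_id": "b77", "record": "claim", "action": "create"}
{"ts": "2011-06-04T08:05:30", "user_id": "b77", "record": "claim", "action": "delete"}
"""
# Constructed directory used to match user IDs to first and last names.
DIRECTORY = {"u1042": "Jane Doe", "b77": "Sam Lee"}


def parse_log(text, source):
    """Turn one system's audit log into report rows with the five proposed fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        ts = datetime.fromisoformat(e["ts"])
        if "user_id" in e:
            # The report must carry the natural person's name, not the raw ID;
            # an ID missing from the directory is flagged rather than dropped.
            name = DIRECTORY.get(e["user_id"]) or f"UNRESOLVED user_id {e['user_id']}"
        else:
            name = e["entity"]
        rows.append({"date": ts.date().isoformat(), "time": ts.time().isoformat(),
                     "name": name, "info": e.get("record"), "action": e.get("action"),
                     "source": source})
    return rows


def access_report(logs, start=None, end=None, name=None):
    """Aggregate every system's log into one report; optionally limit it to a
    date range (ISO dates, inclusive) or to a single person or organization."""
    rows = [r for text, src in logs for r in parse_log(text, src)]
    if start:
        rows = [r for r in rows if r["date"] >= start]
    if end:
        rows = [r for r in rows if r["date"] <= end]
    if name:
        rows = [r for r in rows if r["name"].lower() == name.lower()]
    return sorted(rows, key=lambda r: (r["date"], r["time"]))


def render(rows):
    """Plain-text form of the report, one line per access event."""
    return "\n".join(f"{r['date']} {r['time']}  {r['name']:<22} {r['action']:<7} "
                     f"{r['info']} [{r['source']}]" for r in rows)


if __name__ == "__main__":
    logs = [(EHR_LOG, "EHR"), (BA_LOG, "billing BA")]
    print(render(access_report(logs)))
    print("--- limited to Jane Doe ---")
    print(render(access_report(logs, name="Jane Doe")))
```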
Provision of the Access Report
The Proposed Rule includes consistent requirements with respect to timing, fees, form, and format of the access report, the ability to require that the individual make the request in writing, and documentation.
Confidentiality of Patient Safety Work Product
Under the Proposed Rule, a CE would exclude from its accounting or access report any information that meets the definition of patient safety work product under 42 CFR Part 3.
Notice of Privacy Practices — Section 164.520
The Proposed Rule would require CEs to include a statement regarding an individual's right to receive an access report in their Notice of Privacy Practices. Since this would constitute a material change to the Notice, CEs would be required to revise and distribute the revised notice. Because compliance with the access report requirements would not be mandated until January 1, 2013 or January 1, 2014, depending on the age of their electronic designated record set systems, CEs would not need to revise their notices of privacy practices to reflect the right to receive an access report until the earliest applicable compliance date. Any modifications to the 60-day time period for health plans will be addressed in the final rules.
Requests for Comment
HHS seeks comment on various aspects of the Proposed Rule, including comments regarding:
- HHS' proposal to limit the accounting requirement to PHI in a designated record set and whether there are unintended consequences with doing so in terms of either workability or the privacy interests of the individual
- The burdens on CEs and benefits to individuals associated with also receiving an accounting of disclosures that includes information provided in accordance with the breach notification requirement
- Whether there are other categories of public health disclosures that warrant an exception from the disclosure requirements because such disclosures may be of limited interest to individuals and/or because accounting for such disclosures may adversely affect certain population-based public health activities, such as active surveillance programs; and whether the complexity of carving out such public health disclosures would lead to too much confusion among individuals and CEs
- Whether HHS should exempt from the accounting requirements certain categories of disclosures that are currently subject to accounting
- Whether there are specific concerns regarding the need for accounting of disclosures beyond the three years set forth in the Proposed Rule
- The number of anticipated access reports, the burden of tracking access to electronic designated record set information, including whether the Proposed Rule will have any unintended effects by requiring significant changes to existing systems, and the burden caused by generating an access report
- The additional burden, if any, of providing electronic access reports (either in machine-readable or other electronic format)
- Whether CEs will be able to generate access reports covering the preceding three years of the proposed compliance dates
Effective and Compliance Dates
The Proposed Rule requires compliance with the modifications to the accounting of disclosures requirement beginning 180 days after the effective date of the final regulation (240 days after publication). Compliance with the right to an access report by CEs and BAs would be effective January 1, 2013 for electronic designated record set systems acquired after January 1, 2009 and beginning January 1, 2014 for electronic designated record set systems acquired as of January 1, 2009.