On May 31, 2011, the Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking [1] (Proposed Rule) to amend the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. [2] The Proposed Rule would revise the current requirements that covered entities provide consumers with an accounting for disclosures of protected health information and add a new requirement that covered entities provide consumers with “access reports” detailing who has accessed protected health information about the individual in an electronic designated record set. [3] The Proposed Rule is based on Health Information Technology for Economic and Clinical Health (HITECH) Act requirements as well as the general authority of HHS to issue the HIPAA privacy rules. The deadline for submitting public comments regarding the Proposed Rule is August 1, 2011.
Accounting for Disclosures
The Proposed Rule would revise the Privacy Rule’s existing accounting for disclosures requirements, [4] including changes:
- To revise the rule to identify those disclosures which must be included, rather than the existing formulation that identifies disclosures that are exceptions to the accounting requirement.
  - The Proposed Rule would require that any unauthorized disclosures of protected health information that did not already result in a breach notification to the individual be disclosed in the accounting.
  - Other disclosures that would have to be included in the accounting are disclosures for: public health activities (other than child abuse and neglect); judicial and administrative proceedings; law enforcement purposes; averting a serious risk to health or safety; certain military and veteran activities, State Department medical suitability determinations, and certain government benefit programs; and workers’ compensation purposes.
- To limit the disclosure obligation to information in designated record sets. [5]
- To reduce the amount of time a covered entity has to respond from 60 days to 30 days (with the possibility of one 30-day extension).
- To expressly reference business associates in the standard.
In addition to revising the existing accounting for disclosures requirements, the Proposed Rule also would add a new requirement that covered entities provide individuals, upon request, with an “access report” indicating instances in which protected health information in electronic designated record sets has been accessed (other than patient safety work product). The access report would be required to include the date of access; time of access; the name of the natural person accessing the designated record set, if available, or the name of the accessing entity; a description of what information was accessed, if available; and a description of action taken by the user, if available (such as “create”, “modify”, “access” or “delete”).
As with the accounting for disclosures, the covered entity would have 30 days from the date of the request to provide the access report, with the possibility of a single 30-day extension. The report would have to cover access to electronic designated record sets (including those held by business associates) that occurred in the three years prior to the date of the request, although the individual could request that an access report cover a shorter period of time. The Proposed Rule also addresses the form and format of the access report to be provided. Fees also are addressed: the first access report requested in a 12-month period would be free to the individual, and the covered entity would be permitted to charge a reasonable, cost-based fee for subsequent requests. [6]
Differences Between the Access Report and the Accounting
The access report would be separate from the required accounting for disclosures, and the two reports differ in several respects. The access report, for example, would apply only to electronic designated record sets, while the accounting for disclosures requirements would apply to all designated record sets, including paper files. In addition, while the accounting for disclosures requirement would apply only to disclosures of the type specified in the rule, the new access reports would be required to include the specified information about access to protected health information through the electronic designated record set, including access for internal use by the covered entity’s own workforce. HHS expects that access reports will be “gathered and aggregated” from audit logs for each electronic designated record set. [7]
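To make the aggregation HHS anticipates concrete, the following added example (not from the Proposed Rule or any real EHR product) builds an individual's access report from constructed audit-log entries using the fields listed above: date and time, the natural person if available or otherwise the accessing entity, a description of what was accessed if available, and the action taken. It also applies the three-year look-back from the request date and excludes entries flagged as patient safety work product; the log schema, the `pswp` flag and the patient and user identifiers are all assumptions made for the example.

```python
from datetime import datetime

# Constructed audit-log entries (hypothetical schema, not a real EHR format).
# Each entry records one access to a patient's record in an electronic
# designated record set; optional fields may be missing, as the Proposed
# Rule's "if available" qualifiers anticipate.
AUDIT_LOG = [
    {"ts": "2011-03-02T09:14:05", "patient": "P-1001", "user": "jsmith",
     "entity": "Acme Clinic", "what": "medication list", "action": "modify"},
    {"ts": "2011-03-02T09:20:11", "patient": "P-2002", "user": "jsmith",
     "entity": "Acme Clinic", "what": "lab results", "action": "access"},
    {"ts": "2010-11-15T16:40:00", "patient": "P-1001", "user": None,
     "entity": "BillCo (business associate)", "what": None, "action": "access"},
    {"ts": "2007-06-01T08:00:00", "patient": "P-1001", "user": "rlee",
     "entity": "Acme Clinic", "what": "problem list", "action": "create"},
    {"ts": "2011-05-20T12:00:00", "patient": "P-1001", "user": "qa-review",
     "entity": "Acme Clinic", "what": "incident narrative", "action": "access",
     "pswp": True},  # assumed flag marking patient safety work product
]

def window_start(request_date, years=3):
    """Start of the look-back period: the same calendar date `years` earlier."""
    try:
        return request_date.replace(year=request_date.year - years)
    except ValueError:  # request dated Feb 29 of a leap year
        return request_date.replace(year=request_date.year - years, day=28)

def build_access_report(log, patient_id, request_date, years=3):
    """Aggregate audit-log entries into the access-report fields of the Proposed Rule."""
    start = window_start(request_date, years)
    report = []
    for e in log:
        ts = datetime.fromisoformat(e["ts"])
        if e["patient"] != patient_id or e.get("pswp"):
            continue  # other individuals; patient safety work product is excluded
        if not (start <= ts <= request_date):
            continue  # outside the three-year look-back
        report.append({
            "date": ts.date().isoformat(),
            "time": ts.time().isoformat(),
            "who": e["user"] or e["entity"],      # natural person if available
            "what": e["what"] or "not available",
            "action": e["action"] or "not available",
        })
    return sorted(report, key=lambda r: (r["date"], r["time"]))

if __name__ == "__main__":
    for row in build_access_report(AUDIT_LOG, "P-1001", datetime(2011, 8, 1)):
        print(row)
```

The 2007 entry falls outside the three-year window and the flagged entry is excluded, so the report for P-1001 contains two rows, one of them attributed to the business associate because no natural person was recorded.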
The Proposed Access Report Differs from HITECH Act Requirements
The access report is required, in part, by HITECH Act § 13405(c). The Proposed Rule, however, differs significantly from the requirements of § 13405(c). The Proposed Rule, for example, would apply to all protected health information in electronic designated record sets, not only the electronic health records referenced in § 13405(c). The access report requirement also would apply to access, rather than only to disclosures, of protected health information in electronic designated record sets. Further, the Proposed Rule would not include an option for covered entities to provide individuals with a list of their business associates as an alternative to including information from the business associates in the required access report. [8] HHS is citing its general authority to issue HIPAA privacy rules as authority for these changes.
HHS is proposing that compliance with the changes to the accounting for disclosures requirements would be required 240 days after the publication of the final rule. Compliance with the new access report requirements would be staggered, with compliance required by January 1, 2013, for electronic designated record set systems that were acquired after January 1, 2009. Access reports would be required by January 1, 2014, for electronic designated record sets acquired prior to January 1, 2009. [9]