On May 31, 2011, the Office of Civil Rights (“OCR”), Department of Health and Human Services (“HHS”) issued a notice of proposed rulemaking that would expand the HIPAA accounting provision1 to give individuals the right to an access report identifying who has accessed their electronic Protected Health Information (“PHI”) in a designated record set.2
The HIPAA Privacy Rule currently requires covered entities to make available to an individual within 60 days an accounting of certain disclosures of the individual’s PHI made during the six years prior to the request. A “disclosure” is the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.3 The current provision applies to disclosures of paper and electronic PHI—regardless of whether such information is in a designated record set. Importantly, covered entities are not required to provide an accounting of disclosures made for the purposes of carrying out treatment, payment and health care operations. Pursuant to their business associate agreements, business associates are required to make available the information required for the covered entity’s accounting.
HHS proposes to revise the current accounting provision by dividing it into two separate but complementary rights for individuals: (1) a right to an accounting of disclosures; and (2) a right to an access report. The access report would include electronic access both by workforce members (e.g., an employee of Hospital ABC logs into the hospital’s records management system and views the record of Patient A, her ex-husband’s girlfriend) and by persons outside the covered entity (e.g., Hospital A discloses Patient A’s record to Mr. Attorney in response to a court order).
The Right to an Accounting
The right to an accounting of disclosures provides an individual with information about the disclosure of designated record set information (whether hardcopy or electronic) to persons outside the covered entity and its business associates for certain purposes such as law enforcement, judicial hearings and public health investigations. Its purpose is to provide an individual more detailed information (a full accounting) for certain disclosures that are most likely to impact the individual.
As proposed, an accounting of disclosures would encompass disclosures of both hard copy and electronic PHI maintained in a designated record set.
The proposed rule reduces the timeframe for responding to an accounting request from 60 days to 30 days and reduces the reporting time period from 6 years to 3 years.
The content of the accounting of disclosures includes the date of the disclosure, the extent of the information disclosed, the recipient of the information and the purpose for the disclosure.
The anticipated compliance date for the amended accounting provision is 240 days after publication of the final rule.
The Right to an Access Report
The proposed right to an access report provides information to an individual about who has accessed electronic PHI in a designated record set (including access for purposes of treatment, payment and health care operations).4 The purpose of an access report is to allow individuals to learn if specific persons have accessed their electronic designated record set information. The access report does not provide information about the purpose for the access.
The proposed rule requires a covered entity to provide the access report within 30 days of the request and to provide it in the electronic form and format requested by the individual (unless a hard copy is requested). The covered entity must also furnish access reports for business associates that maintain designated record set information. As proposed, the rule requires that an access report cover a three-year period immediately prior to a request for an access report.
The access report must set forth (a) the date of access; (b) the time of access; (c) the name of the natural person, if available, otherwise the name of the entity accessing the electronic designated record set information; (d) a description of what information was accessed, if available; and (e) a description of the action by the user, if available (e.g., create, modify, access or delete).5
The proposed rule requires a statement in each covered entity’s notice of privacy practices regarding an individual’s right to receive an access report.6
The anticipated compliance date for the proposed right to an access report is January 1, 2013 for any electronic designated record set systems that were acquired after January 1, 2009, and January 1, 2014 for electronic designated record set systems that were acquired on or before January 1, 2009.