HHS issued a proposed rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule's standard for an accounting of disclosures of protected health information (PHI). The proposed rule implements changes to HIPAA under the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) that requires covered entities and business associates to account for disclosures of PHI to carry out treatment, payment and health care operations (TPO) through an electronic health record. Key items under the proposed rule include the following:
- New Right to an Access Report. The proposed regulation divides the existing HIPPA Privacy Rule into two separate rights for individuals: (a) the right to an accounting of disclosures and (b) the right to an access report (including electronic access to both workforce members and persons outside the covered entity). The access report would provide information on who has accessed electronic PHI, including accesses for TPO.
- Changes to Accounting Requirement. The proposed rule makes several changes to the existing accounting of disclosures standard. Specifically, in accordance with the HITECH Act, the proposed rule reduces the accounting period from six years to three years and reduces the response period from 60 days to 30 days (with a 30-day extension). The proposed rule also limits the accounting of disclosures to a designated record set and provides an explicit list of the types of disclosures that must be included.
The proposed modifications to the accounting standards are expected to be effective 240 days after the date the final regulations are published. HHS proposes that covered entities and business associates provide an access report beginning January 1, 2013 for electronic designated record set systems acquired after January 1, 2009 (January 1, 2014 for systems acquired before January 1, 2009). Comments on the proposed regulations are due August 1, 2011.