On May 31, 2011, the United States Department of Health and Human Services, Office for Civil Rights ("HHS-OCR") issued a proposed rule, the HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health ("HITECH") Act (the "Proposed Accounting Rule" or the "Proposed Rule"). The Proposed Accounting Rule would (1) modify the existing accounting of disclosures of protected health information ("PHI") obligations under the HIPAA Privacy Rule, and (2) obligate covered entities and business associates to provide "access reports." In addition, the Proposed Accounting Rule would require covered entities to modify their Notices of Privacy Practices to include a statement that individuals have the right to receive an accounting of disclosures and an access report.
Accounting of Disclosures
The HIPAA Privacy Rule currently requires all HIPAA covered entities to log and provide to individuals an accounting of all disclosures of PHI, except those specifically excluded from the accounting requirement. The accounting requirement applies to disclosures that occurred up to six years prior to the request and applies to disclosures of PHI in both hard copy and electronic format. Covered entities also are required to obligate their business associates to log such disclosures and provide an accounting upon request.
The Proposed Accounting Rule would modify the existing HIPAA Privacy Rule accounting requirements in the following significant ways:
- The scope of the information subject to the accounting requirement would continue to be both hard copy and electronic information, but it would be limited to information maintained in a designated record set (i.e., information contained in the medical and billing/payment records maintained by or for a covered entity, and other records used by or for a covered entity to make decisions about individuals).
- The accounting period would be decreased from six years to three years.
- The accounting would need to be provided within 30 days of an accounting request instead of 60 days.
- The types of disclosures for which an accounting is required would be specifically enumerated. That is, subject to certain limitations, unless required by law, the following would be the only disclosures for which an accounting would be necessary:
- impermissible disclosures, unless the individual already was notified in accordance with the HHS Breach Notification Rule;
- public health disclosures, unless the disclosure is to report child abuse or neglect;
- disclosures for judicial and administrative proceedings;
- law enforcement disclosures;
- disclosures to avert a serious threat to health or safety;
- disclosures for military and veterans activities, U.S. Department of State medical suitability determinations, and government programs providing public benefits; and
- workers’ compensation disclosures.
Provision of Access Reports
HHS-OCR proposes to modify the Privacy Rule by adding a requirement that covered entities provide individuals with an access report identifying who has accessed PHI in an electronic designated record set maintained by a covered entity or business associate for up to three years prior to the access report request date. The access report would need to identify anyone who accessed the PHI in the electronic record (whether internally or externally), the date and time the PHI was accessed, a description of the information accessed "if available," and a description of the action by the user, if available (such as "create," "modify," "access," or "delete"). HHS-OCR considered requiring the purpose of the access to be recorded and included, as well, but determined that the burden of implementing such a requirement outweighed any potential benefit to individuals.
The access report requirement is intended to address the HITECH Act’s requirement that covered entities account for disclosures of PHI made through an electronic health record ("EHR"). However, the Proposed Rule goes further than the HITECH Act by requiring an access report that will include both uses and disclosures of PHI (not just disclosures), in any electronic designated record set (not just an EHR), and for any purpose (not just treatment, payment, and health care operations). Although it certainly appears broader in scope, HHS-OCR seems to believe that structured this way, the Proposed Rule’s burden on covered entities will be reasonable because the HIPAA Security Rule already requires logs that track such access, and, as such, covered entities should be able to provide this information to individuals upon request.
HHS-OCR is seeking comments on the Proposed Accounting Rule and a number of issues raised in the preamble. Comments are due to HHS-OCR on or before August 1, 2011. If you would like assistance filing comments, please contact us.