The Office for Civil Rights (OCR) of the Department of Health and Human Services today proposed an expansion of the rights of individuals to obtain reports from health providers and insurers about how their protected health information (PHI) is used.1 The draft regulations will require health providers and insurers (called “Covered Entities”) to provide more data faster and in a variety of formats as requested by individuals. In a surprising analysis contained in the draft regulations, the OCR estimates it will take Covered Entities only 20 minutes to read and implement these changes, which encompass 24 pages of regulations. This is the latest example of the government’s inaccurate estimate of costs borne by the health industry to comply with regulations that provide questionable benefits for a small segment of the population. The public will have until July 31, 2011 to provide comments on the proposed changes.
Proposed Changes to Accounting of Disclosures of PHI
Pursuant to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, the OCR last year requested information from the health industry and privacy advocates about individuals’ interests in learning of disclosures of PHI, the burdens on the health industry in tracking and accounting for such disclosures, and the capabilities of current technology to collect such information. Despite receiving overwhelming responses that such accounting for disclosures would provide little benefit to individuals while incurring substantial administrative, staffing and monetary burdens, the OCR has proposed an expansion of an individual’s right to obtain an accounting of who accessed his or her PHI. The OCR believes this will provide greater transparency and better facilitate compliance with, and enforcement of, HIPAA and HITECH Act requirements.
Under the HIPAA Privacy Rule,2 an individual has the right to request from a Covered Entity an accounting of PHI disclosures made to other individuals or entities. The OCR proposes to expand this right by requiring Covered Entities to collect this information from Business Associates,3 instead of directing individuals to contact the Business Associate to request such information. The OCR also proposes to shorten the period during which a Covered Entity must account for such disclosures from six years to three years. The OCR moreover seeks to list the types of disclosures that are subject to the accounting rather than listing the types of disclosures that are exempt from the accounting. The OCR believes this last change will make the Privacy Rule, which currently runs to 57 pages in the Code of Federal Regulations, easier to read and understand.
Under the proposed regulations, Covered Entities will have only 30 days to provide an accounting of disclosures, instead of the current 60 days. Covered Entities will have to provide the accounting in the form and format requested, in an understandable format, using software identified by the individual. In addition, if the individual so requests, the accounting must be provided without password protection or encryption, in a format that can be easily processed and analyzed by computer.
The OCR suggests minor changes to the content of an accounting currently required under the Privacy Rule. At present, Covered Entities must include the date of disclosure, name and address (if known) of recipient, a brief description of the type of PHI disclosed and a brief statement of the purpose of the disclosure. Under the proposed rules, Covered Entities may provide an approximate date or period of time for each disclosure, if the actual date is not known. The OCR also proposes to exempt from disclosure the name and address of a PHI recipient if that disclosure would itself be a violation of the Privacy Rule. For example, if a physician’s office mistakenly sends an appointment reminder to the wrong patient, then the accounting need not include the wrongful recipient’s name and address. Finally, the OCR proposes to allow Covered Entities to provide only a brief “description” instead of a “statement” if the description reasonably informs the individual of the purpose of the disclosure.
Individuals may request one accounting per 12-month period for free. Subsequent requests within a 12-month period would be charged a “reasonable and cost-based fee,” which may include the costs of including disclosures by Business Associates. It is unclear what the OCR considers a “reasonable and cost-based fee,” but suffice it to say, it is unlikely to cover all costs that a Covered Entity will incur in responding to these requests.
A New Right to an Access Report
Using its authority under the HITECH Act, the OCR also proposes to provide individuals with the right to an “access report” from Covered Entities. An “access report” would provide a list of everyone who has accessed an individual’s electronic health record (EHR).
To prepare an “access report,” Covered Entities would have to aggregate data from multiple information systems in order to generate a single report that includes the names of everyone within the Covered Entity and all Business Associates who have accessed a patient’s EHR. This list would include all employees who access EHR in the normal scope of their jobs. A Covered Entity must also put this information into a format that is understandable to an individual.
In crafting this new “access report,” the OCR goes beyond the HITECH Act, which only requires providing individuals with information about disclosures made outside a Covered Entity. The OCR suggests broadening this requirement to include the names of all those working within the Covered Entity who use a patient’s EHR. The OCR claims it broadened this right because it believes it will improve transparency and better facilitate compliance and enforcement with the HIPAA Privacy and Security Rules. However, based upon comments it received last year from health industry representatives and privacy advocates, relatively few individuals would benefit from such a disclosure.
Covered Entities will have to provide individuals with an “access report” within 30 days of request. The first “access report” must be provided free of charge, and subsequent requests within a 12-month period may only be charged a “reasonable and cost-based fee.” The “access report” must be provided in a form and format as requested by the individual and in an understandable format.
Costs and Changes Resulting from Proposed Regulations
If the draft regulations become final, Covered Entities will have to change their Notice of Privacy Practices (NPP) and make amendments to their Business Associate Agreements (BAA). The NPP will have to inform individuals of their new right to an “access report,” and the BAA will have to require Business Associates to track the members of their workforce who access a patient’s EHR. Such changes will be effective either January 1, 2013 or January 1, 2014, depending upon when a Covered Entity acquired an EHR.
Additionally, Covered Entity and Business Associate staff will have to be trained on how to collect, aggregate and produce data in various forms and formats as requested by individuals and in a format that an individual can understand. Furthermore, health information systems will have to be upgraded in order to provide these reports.
Surprisingly, the OCR estimates the total costs to the private sector from these draft regulations to be only $20.2 million. The OCR bases this estimate on its assumption that Covered Entities will be able to implement all these changes in 20 minutes, at the cost of $30 per Covered Entity. Such an estimate is likely to be wildly inaccurate and vastly underestimates the effort and time that Covered Entities will need to comply. Interested parties are encouraged to submit comments on these proposals before July 31, 2011.