New proposed rules under HIPAA provide guidance on accounting of disclosures by covered entities and business associates – that is, telling patients and health plan participants when their health information is given out – and to whom. The new rules propose a new individual “right to access” report, and significant changes to current accounting of disclosure requirements.

Current HIPAA rules require covered entities and business associates to account for disclosures of an individual’s protected health information, unless there is an exception. The most common exception applies to disclosures made for treatment, payment, or health care operations. In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) removed that exception and requires accounting of such disclosures if the disclosures are through an electronic health record (EHR). This rule was widely expected to apply mainly to health care providers, who maintain PHI in EHRs.

However, the proposed rule broadens the expected application of the HITECH requirements by creating a requirement for a new basic access report that applies not only to electronic health records, but to uses and disclosures of electronic PHI in a designated record set, including uses and disclosures for treatment, payment or healthcare operations.

This effectively means that health plans and their business associates (to the extent the business associate maintains a designated records set), who may have hoped to avoid the requirement to account for disclosures from electronic health records, would have to provide the new access reports. Designated record sets are defined broadly under HIPAA to include medical and billings records about individuals maintained by or for covered health care providers, enrollment, payment, claims adjudications, and case or medical management record systems maintained by or for health plans, and records used by covered entities to make decisions about individuals.

The proposed rule creates the new right of access by dividing the current accounting of disclosure requirement into two separate rights – an accounting of disclosures and a right to an access report. The table below compares the current accounting of disclosure rule and the two new accounting obligations under the proposed rule.

The proposed rules require covered entities to amend their HIPAA Privacy Notices to describe the new right to request an “access report.” HHS suggests that the final rule may provide some flexibility for updating Privacy Notices, which is not required before the final rule is effective.

The final rule is proposed to be effective 240 days after publication of the final regulation. HITECH provided statutory effective dates which are proposed to apply to the new “access reports.” Access reports will not be required until January 1, 2013 for electronic designated record sets acquired after January 1, 2009 and not until January 1, 2014 for electronic designated record sets acquired before January 1, 2009.

Here is a short table comparing the current rule and the two new accounting obligations of the proposed rule:

Click here to view the table.