On May 31, 2011, the Department of Health and Human Services issued a notice of proposed rulemaking pursuant to its authority under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) pertaining to new standards for the accounting of disclosures of protected health information (“PHI”).
HIPAA’s Privacy Rule requires covered entities to provide individuals, when requested, with an accounting of certain disclosures of PHI. The proposed rule expands the existing accounting requirements by creating two separate but complementary rights for individuals: (i) the right to an accounting of disclosures of their PHI from both covered entities and business associates; and (ii) the right to an access report detailing who accessed their electronic PHI. This right to obtain an access report is a significant new requirement.
Accounting of disclosures
Under the proposed rule, the right to an accounting of disclosures of PHI pertains to disclosures made in hard-copy and electronic formats and covers a three-year look-back period (instead of the previous six years) from the date of the request. Significantly, although not required in the past, the accounting would now include disclosures made by both covered entities and their business associates (as defined in HIPAA) of PHI in electronic health records to carry out treatment, payment, and health care operations.
Important additional proposed modifications to the existing requirements for accountings of disclosures by a covered entity or business associate include:
- limiting the accounting to include only an individual’s PHI in a “designated record set,” which would include medical and payment records created or maintained “by or for a covered entity, and other records used by or for the covered entity to make decisions about individuals.” Files used to improve customer service or patient care generally (not the care for a specific patient), such as peer review and customer call information, would fall outside the designated record set;
- including in the accounting the disclosures made by business associates (instead of just a list of business associates);
- reducing the accounting period to three years from six years;
- exempting from the accountings information regarding child abuse or neglect disclosed to a public health or government authority, due to the potential harm to covered entities and/or their employees if they had to explain to a parent or guardian that suspected child abuse or neglect was reported to authorities;
- proposing to include a list of the specific types of disclosures that are subject to the accounting requirement in an effort to make compliance with the accounting requirements easier to reference and understand. Under the current regulations, only exemptions to the accounting requirement are listed explicitly;
- exempting disclosures currently subject to the accounting requirement, such as those (a) about victims of abuse, neglect, or domestic violence; (b) for research purposes; (c) about health oversight activities; (d) about decedents to coroners, medical examiners, funeral directors, and organ or tissue donation organizations; and (e) most disclosures that are required by law;
- more flexible reporting requirements in the accounting regarding date, timeframe, and types of PHI disclosed (for example, similar disclosures could be listed as “August 2010 through November 2010”); and
- decreasing the period within which a covered entity may respond to a request for an accounting of disclosures from sixty days to thirty days.
HHS noted that it was attempting to limit the “full accounting” to disclosures that were of the most importance to individuals.
The proposed rule would require covered entities and business associates to comply with the modified accounting of disclosures requirements within 180 days from the effective date of the final regulation.
Access report
HHS also proposes a new right to receive an access report of electronic PHI. The access report would identify the individuals and entities that accessed electronic PHI stored by covered entities and their business associates and would cover a three-year look-back period. The access report would not include the reason the electronic PHI had been accessed but would include: (i) the date; (ii) the time; (iii) the name of the person (or, if the person’s name is not available, the entity) that accessed the PHI; (iv) if available, a description of the information accessed; and (v) if available, a description of the action taken by the user accessing the information.
Important provisions regarding an individual’s proposed right to an access report include:
- requiring covered entities to aggregate data regarding access to electronic PHI on all of the covered entity’s systems, and those of its business associates, into one access report specific to the requesting individual. In this respect, the proposed rule is broader than the requirements of HITECH, which allowed covered entities to simply produce a list of their business associates;
- listing both uses (internal access to an individual’s electronic PHI stored by a covered entity or business associate) and disclosures (external access) in the access reports;
- defining the “designated record set” that is subject to an access report as all electronic PHI. Here, too, the proposed rule is broader than the requirements of HITECH, which only requires electronic health records to be included in the designated record set;
- allowing thirty days to provide an access report to a requesting individual (a covered entity may extend the deadline for an additional thirty days, only once, and with a written explanation of the reason for the delay);
- prohibiting a covered entity from charging an individual for the first access report provided in a one-year period, but allowing covered entities to charge a “reasonable, cost-based amount” for each additional access report thereafter; and
- requiring covered entities and business associates to keep the necessary documentation to produce access reports for three years and requiring covered entities to keep copies of all access reports produced for six years.
The purpose of the access report is to provide information about each disclosure (including for treatment, payment, and health care operations) made through an electronic health record, as required by HITECH. The proposed rule states that covered entities should work with individuals requesting an access report to provide a report responsive to the request (for example, a report limited to access by a particular employee who may be an acquaintance of the individual) in order to limit the burden of responding to the request.
The proposed rule requires covered entities and business associates to provide individuals with a right to an access report beginning January 1, 2013, or January 1, 2014, depending upon the date the entity acquired the electronic designated record set systems.
HHS is seeking comment on the proposed rule by August 1, 2011.