Publications:
Proposed Rule Modifies HIPAA Requirements for Accounting Disclosures
Healthcare Update
06/08/11
The U.S. Department of Health and Human Services (“HHS”) published a Notice of Proposed Rulemaking (“Proposed Rule”) in the May 31, 2011 Federal Register modifying the requirements for an accounting of disclosures under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule. The Proposed Rule also establishes a right of individuals to obtain access reports of uses and disclosures of protected health information (“PHI”) in an electronic designated record set.
If enacted in its current form, the Proposed Rule would require covered entities to provide reports to individuals of information that covered entities currently are not required to report, such as uses of certain portions of an individual’s PHI by an employee of a covered entity. Further, the Proposed Rule modifies the Privacy Rule’s accounting of disclosures requirement, mainly easing the burden on covered entities but shortening the timeframe the covered entity has to respond to a request for an accounting of disclosures.
Background
Historically, upon an individual’s request, the Privacy Rule required covered entities to provide the individual with an accounting of disclosures of PHI. This accounting excluded certain disclosures, such as those for treatment, payment, and healthcare operations. The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), part of the American Recovery and Reinvestment Act of 2009, expanded the accounting of disclosures requirement, requiring covered entities to account for disclosures for treatment, payment and healthcare operations when such disclosures are made through an electronic health record (“EHR”).
Access Report Proposal
The Proposed Rule in part implements the HITECH Act requirements for accounting of disclosures, although HHS exercises its broader authority under HIPAA and expands beyond disclosures made through EHRs. The Proposed Rule gives an individual the right to receive an access report that indicates who has accessed the individual’s PHI held in an electronic designated record set, including access for treatment, payment and healthcare operations. A designated record set under HIPAA includes medical and billing records and other records used by healthcare providers to make decisions about individuals; an electronic designated record set would encompass an EHR system, as well as other electronic data systems, such as an electronic billing system.
The Proposed Rule specifies that the access report include information on all access to the PHI held in electronic designated record sets (uses and disclosures, rather than just the disclosures covered by the Privacy Rule’s accounting of disclosure requirement) both by members of the covered entity’s workforce (e.g., employees) as well as disclosures to external persons and entities. The access report also includes data from any business associates that maintain PHI in electronic designated record sets on behalf of the covered entity. Access reports would be required to denote the date and time of access, the name of the person (“user”) who accessed the PHI (or the name of the entity that accessed the PHI if the user’s name is not available), a description of the action taken (e.g., create, modify) by the user, if available, and, if available, a description of the information that was accessed. The access report would cover information for up to three years prior to the date the individual requests the report, although the Proposed Rule requires the covered entity to provide the individual with the option to limit the report to a specific date, time period, person (such as a particular employee) or organization (such as a specific business associate).
Proposed compliance dates for the access report requirement are January 1, 2013 for entities using electronic designated record set systems (including but not limited to EHRs) acquired after January 1, 2009, or January 1, 2014 for entities using electronic designated record set systems acquired up to and including January 1, 2009.
Proposed Changes to Disclosure Accounting
The Proposed Rule also modifies the Privacy Rule’s accounting of disclosures requirement. Currently, an individual has the right to receive an accounting of certain disclosures of his or her PHI (whether held electronically or on paper). The Proposed Rule limits this accounting in several ways, including by limiting the accounting to PHI contained in an electronic or paper designated record set (which would exclude PHI held in other records) and eliminating the need to include in the accounting disclosures for which the covered entity provided a breach notice. The Proposed Rule also shortens the accounting period from six years to three years. However, if the Proposed Rule is implemented, covered entities would be required to respond to requests for an accounting of disclosures within 30 days (with one 30-day extension) rather than the previous response period of 60 days (with one 30-day extension). The proposed compliance date is 240 days from the date of publication of the final rule.
HHS is accepting comments through August 1, 2011 online at http://www.regulations.gov or by mail (include one original and two copies) at U.S. Department of Health and Human Services, Office for Civil Rights, Attn: HIPAA Privacy Rule Accounting of Disclosures, Hubert H. Humphrey Building, Room 509F, 200 Independence Ave., SW, Washington, DC 20201.
In preparation for a final rule on this topic, healthcare providers who are HIPAA covered entities should review their EHR and other electronic data systems to ensure that these systems are capturing the data necessary to create the proposed access reports and disclosure accounting. Providers also should communicate with their business associates to determine which business associates maintain PHI on behalf of the providers in electronic designated record sets.
Full text of the Proposed Rule can be found here.
For more information see OCR Requests Comments on Expansion of Accounting of Disclosures Under HITECH Act.
Should you have any questions or need assistance with facility-provider relationships, please contact a member of the Ungaretti & Harris Healthcare Group.