The Department of Health and Human Services (HHS) published on 31 May a proposed rule modifying the HIPAA Privacy Rule's accounting of disclosures requirement. The proposed rule would provide individuals with a new right to receive a written "access report" that describes uses and disclosures of their protected health information (PHI) made through an "electronic designated record set." The proposed rule also makes a number of changes to the existing accounting of disclosures requirements.
New individual right to obtain access report
Under the proposed rule, individuals would have the right to request a written report detailing who had accessed their PHI within the past three years. The right applies to PHI maintained by a covered entity or business associate in an electronic designated record set. The proposal does not distinguish between "uses" and "disclosures" of PHI, so access reports would need to include uses by members of the covered entity's workforce as well as disclosures outside the covered entity or business associate.
The proposed rule goes beyond what was required by the HITECH Act in that it is not limited to information in an electronic health record and would require healthcare providers, health plans, and business associates working on their behalf to provide detailed disclosures of information accessed through an electronic designated record set for almost all purposes — including treatment, payment, and healthcare operations. Individuals would exercise the new right by requesting an access report, which would document by name the individuals who electronically accessed and viewed their protected health information. Although covered entities are currently required by the HIPAA Security Rule to track access to electronic protected health information, they are not required to share this detailed level of information with patients or health plan members.
Designated record sets include medical, healthcare, and other records used by a covered entity to make decisions about individuals. The preamble to the proposed rule includes several examples of PHI that are not designated record sets, including a hospital's peer review files (provided they are used only to improve patient care, and not to make decisions about individuals) and transcripts of customer calls (provided they are used only for customer service review purposes, and not to make decisions about individuals). HHS' proposal to require an access report for electronic designated record sets is much broader than the HITECH Act language, which requires an expanded accounting of disclosures only for electronic health records. Accordingly, covered entities that do not generally maintain electronic health records — including many health plans — will be subject to the new access report requirement if they maintain PHI electronically in a designated record set.
An access report must include the date of access, time of access, and, if available, the name of the person (or entity) that accessed the information, a description of the information that was accessed, and a description of the action that was taken by the user (such as create, modify, access, or delete). Covered entities are not required to disclose the purpose of the access.
A covered entity must give the requesting individual the option to limit the access report to a specific date, time period, or person. For example, an individual can limit the report to any access by a specific person within the past six months. The report must be presented in an understandable format and be provided in electronic form and format, unless a hard copy is requested. A covered entity may not charge for providing an access report if it is the first such report requested by an individual in any 12-month period; any subsequent requests by the individual within the 12-month period may be subject to a "reasonable, cost-based fee."
The covered entity must provide the access report within 30 days of the individual's request, although that time limit may be extended once for an additional 30 days, so long as the individual is notified of the reasons for the delay and the date by which the report will be provided. These time limitations may present particular challenges for covered entities whose business associates maintain electronic designated record sets on their behalf, as the access report must address information held by business associates, and the proposed rule does not include the option for a covered entity to provide an individual with its own report and a list of its business associates. Therefore, upon receiving a request for an access report, a covered entity will need to promptly notify its business associates so that they may assemble the relevant data, which would then be consolidated into a report to the requesting individual.
The new access report requirements would become effective on 1 January 2013 (for electronic designated record set systems acquired after 1 January 2009) and 1 January 2014 (for electronic designated record set systems acquired on or before 1 January 2009). Covered entities would need to update their Notices of Privacy Practices to inform individuals of this new right as well as the changes to the accounting of disclosures right.
Accounting of disclosure requirements to be eased
In addition to establishing a new right to an access report, the proposed rule also amends the existing accounting of disclosure provisions. For the most part, the proposed changes should ease the burden on covered entities of complying with the accounting requirements.
The proposal reduces the period of the accounting from six years to three years (the same period covered by the access report) and removes several of the categories of disclosures that were previously required to be included in the accounting, including those for research purposes or as required by law. Covered entities would not be required to include in the accounting any data breaches about which the entity had already provided the individual with notice. In addition, the accounting would now be limited to PHI maintained in a designated record set (although, unlike the access report provision, the accounting requirement would continue to apply to paper records). For multiple disclosures to a single recipient for a single purpose, the proposal would allow covered entities to report a general range of dates (such as December 2010 through August 2011), rather than the specific date of each disclosure. In addition, covered entities would be allowed to report the approximate date of any disclosure for which the exact date was not known.
Not every change in the proposal is favorable to covered entities. In particular, the timeframe for completing the accounting would be reduced from 60 days to 30 days (with a single 30-day extension available). As noted above, this shortened timeframe could pose difficulties for covered entities needing to obtain an accounting from business associates.
The revised accounting of disclosure requirements would become effective 240 days after publication of a final rule in the Federal Register.
Action steps for HIPAA covered entities and business associates
Covered entities and business associates with concerns about the potential impact of the proposed rule should provide HHS with their comments, which are due by 1 August 2011. The proposed rule is available at www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.