The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) is reviewing comments submitted by interested parties to OCR's proposed rule (Proposed Rule)1 to implement a provision2 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) that expands the accounting for disclosures standard under the privacy standards (Privacy Standards) adopted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HITECH Act provision requires health care providers, health plans and other HIPAA covered entities (Covered Entities) to account for disclosures of Protected Health Information3 (PHI) made through an electronic health record4 for treatment, payment and health care operations purposes. Based on comments made publicly available by the commenters, the Proposed Rule has engendered vigorous opposition within the health care industry.
The Proposed Rule follows OCR's request for information from interested parties and the public on implementation of the HITECH Act provision on May 3, 2010 (Request For Information).5 OCR indicates in the preamble to the Proposed Rule that responses to the Request For Information influenced the drafting of the Proposed Rule.
OCR also uses the Proposed Rule as a vehicle to propose other changes to improve the "workability and effectiveness" of the accounting standard.6 OCR would essentially divide the accounting standard into two distinct requirements. (OCR's proposed changes are summarized in Table 1 at the end of this White Paper.) First, individuals would continue to have a somewhat more limited version of the current right to an accounting of disclosures of PHI, unless an exception applies. This is the pre-HITECH net accounting standard (Current Accounting Standard).
Second, individuals would have a new right to obtain a report (referred to as an Access Report) identifying an employee or other person who has accessed PHI in an electronic Designated Record Set (as defined below) rather than only the right to gain access to what is more conventionally considered an electronic health record—a computerized version of a health care provider's medical records, unless an exception applies (Access Report Requirement). A Designated Record Set includes any of the following: medical records and billing records of a health care provider; enrollment, payment, claims adjudication or case or medical management record systems of a health plan; and other records used by a Covered Entity to make decisions about individuals.7 Arguably, tying the Access Report to an electronic Designated Record Set exceeds the HITECH Act requirement that a Covered Entity account for disclosures made through an electronic health record. However, the HITECH Act included an expansive definition of electronic health record that is similar in substance to the HIPAA regulations' broad definition of a Designated Record Set rather than describing a merely computerized version of a health care provider's record of clinical services provided to a patient.
The Access Report Requirement is OCR's proposal to implement the HITECH Act's expansion of the Current Accounting Standard. The breadth of the Access Report Requirement and the logistics of generating a single report across disparate and varied electronic systems have generated significant concern8 among Covered Entities and their business associates (Business Associates)9 that would need to collect and report the access information. OCR acknowledged that the process for meeting the Proposed Rule's accounting standard and Access Report Requirement is time consuming and expensive but anticipated that the process of generating an Access Report would be automated and would piggyback on existing requirements in the HIPAA security standards (Security Standards) for audit logs. However, various commenters have noted that the Security Standards' audit log requirements are less prescriptive and instead allow for an approach that is tailored to the resources and technology of the Covered Entity.10 Thus, there remains a significant difference of opinion regarding the ability of Covered Entities and Business Associates to leverage current systems to comply with the proposed Access Report Requirement.
OCR does not believe that including electronic billing systems and other electronic clinical systems (which maintain Designated Record Sets) beyond conventional electronic health records places an undue burden on Covered Entities and Business Associates because the existing Security Rule requires systems that maintain electronic PHI to include audit log functionality.11 OCR also stated that it would be difficult for Covered Entities to distinguish which components of a Designated Record Set constitute electronic health records as the "concept of what constitutes an EHR is in a state of flux."12
OCR indicates that the Current Accounting Standard (as amended by the Proposed Rule) and the Access Report Requirement would be "distinct but complementary."13 The purpose of the Access Report is to inform individuals about who has accessed their electronic Designated Record Set information rather than the purpose of such access. The purpose of the Proposed Rule's accounting standard is to provide fuller information on a subset of disclosures thought to be of the greatest interest to individuals. OCR stated that it believed that the two related requirements would provide individuals with information of the greatest interest and import "while placing a reasonable burden on covered entities and business associates."14
OCR proposes that Covered Entities and Business Associates provide individuals with a right to an Access Report beginning January 1, 2013, for electronic Designated Record Set systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic Designated Record Set systems acquired on or before January 1, 2009.15 Covered Entities would be required to comply with OCR's changes to the accounting of disclosure requirements 180 days after the effective date of the final rule implementing the changes. Since the effective date of the final rule will be 60 days after publication in the Federal Register, Covered Entities will have 240 days to come into compliance with the changes.
This White Paper includes the following sections:
Part I: Current Accounting Standard
Part II: Proposed Access Report Requirement
Part III: Other Proposed Changes to Accounting Standard
Part I: Current Accounting Standard
The Current Accounting Standard requires Covered Entities to make available to individuals a list (called an accounting) of electronic, paper or oral "disclosures" of PHI made by the Covered Entity or its Business Associates during the six-year period prior to the request unless one of the exceptions discussed below applies.16 This requirement applies regardless of whether the PHI is maintained in a Designated Record Set.
A disclosure is "the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information."17 The accounting must include the following information: (1) the date of the disclosure; (2) the name of the recipient; (3) the address of the recipient (if known); (4) a brief description of the information that was disclosed; and (5) a brief description of the reason the information was disclosed or a copy of the original request for the information.18 A Covered Entity is not required to account for internal "use" of PHI by employees or other workforce members under the Current Accounting Standard.
The Current Accounting Standard does not require a Covered Entity to account for disclosures made under the following conditions: (1) to perform treatment, payment or health care operations functions; (2) to an individual of PHI pertaining to them; (3) incident to a permitted use or disclosure; (4) pursuant to a valid authorization; (5) for the facility's directory, to persons involved in an individual's care, or for other notification purposes enumerated in the Privacy Standards; (6) in furtherance of national security or intelligence gathering; (7) to correctional institutions or law enforcement; (8) as part of a limited data set; and (9) that occurred prior to the compliance date.19
Part II: Proposed Access Report Requirement
HITECH ACT REQUIREMENTS
The HITECH Act provides that the exception under the Current Accounting Standard for disclosures for treatment, payment and health care operations no longer applies if the disclosure is made "through an electronic health record."20 The HITECH Act defines an electronic health record broadly as "an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff." Given the broad language in the definition, OCR appears to have the authority to require an accounting of disclosures beyond disclosures made through what is commonly understood to be a health care provider's electronic health record. However, the HITECH Act directs HHS to propose an approach that balances the individual's need for and interest in information with the burdens on Covered Entities and Business Associates.21
OVERVIEW OF PROPOSED ACCESS REPORT REQUIREMENT
The Proposed Rule would require a Covered Entity to provide individuals with an Access Report identifying the following information for each instance of user access to any Designated Record Set maintained by the Covered Entity or one of its Business Associates during the three-year period preceding the individual's request for the report (unless an exception applies): (1) the name of the natural person or entity that accessed the PHI; (2) the date of the access; and (3) the time of the access.22 OCR proposes that the Access Report include a description of the PHI that was accessed and a description of the user's action (for example, create, modify, read or print), but only to the extent that the Covered Entity's or its Business Associates' existing systems have this capability.23 OCR did not propose to require the capability where it does not currently exist because the burden on Covered Entities of updating their systems or implementing new systems outweighs the benefits to individuals, whom OCR believes are principally concerned with who has accessed their information and not why.24 The Access Report records neither the recipient of the disclosed PHI (in the case of a disclosure by a system user to a third party) nor the purpose of the use or disclosure (for example, performing health care operations or making a report to law enforcement).25
ACCESS REPORT MUST INCLUDE USES AND DISCLOSURES
The term "access" is intended to refer to both uses and disclosures through an electronic Designated Record Set. Thus, the Proposed Rule's Access Report Requirement would go beyond the HITECH Act's expansion of the Current Accounting Standard and require the Access Report to include information on both disclosures to individuals and organizations outside the Covered Entity and internal uses of information by the Covered Entity's employees and other workforce members. Unlike the Current Accounting Standard, however, the Proposed Rule does not require the Access Report to identify uses or disclosures outside of an electronic Designated Record Set.
OCR cites three reasons for requiring an Access Report to include internal uses of PHI even though the HITECH Act only requires an accounting of disclosures outside the Covered Entity:
- OCR believes that individuals want to learn about both internal uses and external disclosures of their PHI.
- Based on the responses to the Request For Information, OCR believes that many security log systems lack the capability to distinguish between uses and disclosures, and therefore the focus on the encompassing term "access" may relieve Covered Entities and Business Associates from having to modify their systems.
- OCR anticipates that Covered Entities and Business Associates currently have security log systems that can record uses and disclosures because the Security Standards already require audit capabilities. The Security Standards require Covered Entities to implement "hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information"26 and "procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."27 However, the Security Standards' audit log requirement is less prescriptive than the Proposed Rule's Access Report Requirement. Instead, the Security Standards allow a Covered Entity significant latitude to determine the security controls that are reasonable and appropriate in the Covered Entity's information technology environment.28
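To make the gap between a Security Rule audit log and an Access Report concrete, the following is an added example (not from the White Paper, OCR or any vendor) of building the report described above from audit-log entries. The log schema, the sample entries and the names in them are constructed assumptions; the code shows the three mandatory items (name, date, time), the three-year look-back measured from the request date, the inclusion of internal uses and automated Business Associate access alike under the single term "access", and the rule that action and PHI description appear only when the source system actually recorded them.

```python
from datetime import datetime

# Constructed sample audit-log entries (not real data) from a hypothetical
# electronic Designated Record Set system. The field names ("user", "patient_id",
# "ts", "action", "desc") are assumptions for this example; the Security Standards
# do not prescribe a log schema. A None action/desc models a system that cannot
# record what was done or which PHI was touched.
AUDIT_LOG = [
    {"user": "Dr. A. Rivera", "patient_id": "P-1001", "ts": "2011-03-14T09:12:00",
     "action": "read", "desc": "lab results"},
    {"user": "K. Osei, RN", "patient_id": "P-1001", "ts": "2012-07-02T14:05:00",
     "action": "read", "desc": None},
    {"user": "ClaimsCo batch process", "patient_id": "P-1001", "ts": "2013-01-10T02:00:00",
     "action": None, "desc": None},
    {"user": "K. Osei, RN", "patient_id": "P-1002", "ts": "2013-05-05T08:00:00",
     "action": "read", "desc": "allergy list"},
    {"user": "Dr. A. Rivera", "patient_id": "P-1001", "ts": "2014-05-20T11:30:00",
     "action": "modify", "desc": "medication list"},
    {"user": "Dr. A. Rivera", "patient_id": "P-1001", "ts": "2014-06-02T08:00:00",
     "action": "read", "desc": "visit note"},
]


def years_before(moment, years):
    """Same calendar date `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return moment.replace(year=moment.year - years)
    except ValueError:
        return moment.replace(year=moment.year - years, day=28)


def build_access_report(entries, patient_id, request_date, lookback_years=3):
    """Return the Access Report rows for one individual.

    `request_date` is an ISO 8601 string. Every access (use or disclosure
    alike, by a person or an automated entity) inside the look-back window is
    listed with the three mandatory items: name, date and time. "action" and
    "description" are added only when the source entry carries them, mirroring
    the "to the extent the system has the capability" condition.
    """
    request_at = datetime.fromisoformat(request_date)
    cutoff = years_before(request_at, lookback_years)
    rows = []
    for entry in entries:
        if entry["patient_id"] != patient_id:
            continue
        accessed_at = datetime.fromisoformat(entry["ts"])
        if not (cutoff <= accessed_at <= request_at):
            continue
        row = {
            "name": entry["user"],
            "date": accessed_at.date().isoformat(),
            "time": accessed_at.time().isoformat(),
        }
        if entry.get("action") is not None:
            row["action"] = entry["action"]
        if entry.get("desc") is not None:
            row["description"] = entry["desc"]
        rows.append((accessed_at, row))
    rows.sort(key=lambda pair: pair[0])
    return [row for _, row in rows]


def render_access_report(rows):
    """Plain-text rendering: one line per access, readable without a viewer."""
    lines = []
    for r in rows:
        extra = " ".join(f"{k}={r[k]}" for k in ("action", "description") if k in r)
        lines.append(f"{r['date']} {r['time']}  {r['name']}  {extra}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    report = build_access_report(AUDIT_LOG, "P-1001", "2014-06-01T00:00:00")
    print(render_access_report(report))
```

The point the example makes is the one commenters raised: an audit log that satisfies the Security Standards may record nothing beyond "who, when" for some systems (the batch-process entry), so a single report across systems can only promise the three mandatory items and must degrade gracefully for the optional ones.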
EXCEPTIONS TO ACCESS REPORT REQUIREMENT
OCR does not believe that the same exceptions available for the Current Accounting Standard are necessary for the Access Report Requirement29 because the Access Report will not be required to include the purpose of the access and will not include the name of the recipient (unless the recipient is also the user with direct access to the PHI). For example, the Proposed Rule does not exclude from the Access Report Requirement access to PHI for the purpose of making law enforcement disclosures, since law enforcement would typically not have direct access to a Designated Record Set. In addition, information meeting the definition of patient safety work product30 may be omitted from an Access Report.31
FORM AND FORMAT
The Proposed Rule would require that the Covered Entity provide the Access Report in a form and format that can be easily understood by the requesting individual.32 The Covered Entity must provide the Access Report in a machine readable or other electronic form and format that is specified by the individual if easily producible. In those cases where it is not easily producible, the Covered Entity may provide a hard copy instead.33 A Covered Entity would be required to provide the Access Report under the same timetable as an accounting and the same fee charging rules would apply.34
REVISION TO NOTICE OF PRIVACY PRACTICES
The Proposed Rule requires Covered Entities to modify their notice of privacy practices to include the individual's right to an Access Report.35 Because this would constitute a "material change" to the notice, the Privacy Standards require that certain steps be taken to notify patients of the change. Covered Entity health care providers with a direct treatment relationship with the patient must make the notice available upon request as of the effective date of the revision and promptly post the notice at any delivery sites with copies for individuals to take with them.36 Health plans must distribute revised notices within 60 days of the effective date of the revision.37 OCR notes that health plans may incur significant costs in meeting this requirement and is considering a number of options to take these burdens into account.38
RELATIONSHIP TO EHR CERTIFICATION CRITERIA
The HHS Office of the National Coordinator for Health Information Technology (ONC) adopted final standards, implementation specifications and certification criteria for EHR technology to qualify as certified EHR technology for Stage 1 of the Medicare and Medicaid EHR incentive programs, which became effective August 27, 2010 (Certification Requirements).39 The Certification Requirements include a standard and certification criterion for the capability to record date, time, patient identification, user identification, and a description of the disclosure for each disclosure that a hospital or professional made for treatment, payment and health care operations.40 The standard and certification criterion do not require EHR technology to account for internal uses of PHI by a Covered Entity's workforce. The standard and criterion are intended to implement the accounting standard of the Privacy Standards, but are optional for certification purposes.41 Accordingly, EHR technology may be certified for Stage 1 of the Medicare and Medicaid EHR Incentive Programs even if it does not facilitate the provision of an Access Report or accounting. OCR indicated that it intends to coordinate with ONC on aligning the Privacy Standards with the EHR certification regulations. For more information on the Certification Requirements, see our White Paper entitled "Navigating the Government's Final Rules for Earning Incentive Dollars Through Meaningful Use of E-Health Record Technology," which can be found at www.mwe.com/info/news/wp0910c.pdf
Part III: Other Proposed Changes to Current Accounting Standard
The Proposed Rule would amend the Current Accounting Standard to narrow the accounting to certain disclosures of PHI in an electronic or paper Designated Record Set, exclude additional disclosures from the Current Accounting Requirement and reduce the accounting look-back period to three years. The proposed amendments are discussed below.
DESIGNATED RECORD SET
The Proposed Rule would no longer require Covered Entities to account for disclosures of PHI not maintained in a Designated Record Set.42 As a result, Covered Entities would no longer be required to account for records containing PHI that are not used to make clinical, billing or payment decisions about an individual. For example, a hospital would not be required to account for a disclosure of PHI in peer review records that are used to make credentialing and quality improvement decisions instead of clinical and payment decisions.
The right of accounting extends to disclosures to and by Business Associates of PHI maintained in Designated Record Sets.43 However, since many Business Associates do not maintain Designated Record Sets, many Business Associates would no longer need to account for disclosures of PHI.
EXCEPTIONS TO ACCOUNTING REQUIREMENT
The Current Accounting Standard lists the categories of disclosures that are excepted from the accounting requirement.44 The Proposed Rule revises the standard to specify which disclosures of PHI in a Designated Record Set are accountable.45
The Proposed Rule preserves the categories of disclosures excepted from the Current Accounting Standard. In addition, the Proposed Rule would exclude the following additional categories of disclosures:
- About victims of abuse, neglect or domestic violence
- For health oversight activities
- For certain research purposes46
- Pursuant to waivers of authorization for research
- About decedents to coroners and medical examiners, funeral directors, and for cadaveric organ, eye or tissue donation purposes
- For protective services for the President and enumerated others
- Patient safety work product47
However, the Proposed Rule provides that disclosures that would otherwise require an accounting, for example, public health disclosures, that are also required (as opposed to permitted) by law would not be subject to the accounting requirement.48 Nonetheless, Covered Entities and Business Associates must still make an accounting of disclosures for judicial and administrative proceedings and for law enforcement purposes, even when such disclosures are required by law.49 The Proposed Rule explains this different approach by noting disclosures for law enforcement and judicial and administrative proceedings "directly implicate an individual's legal and/or personal interests" and therefore an individual has a need and right to learn of such disclosures.50
RELATIONSHIP TO HITECH BREACH NOTIFICATION REQUIREMENTS
The Breach Notification Standards require Covered Entities to notify individuals of a breach of unsecured PHI. Subject to certain exceptions, a breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Standards which poses a significant risk of financial, reputational, or other harm to the individual. The Proposed Rule's accounting standard would require a Covered Entity to account for a disclosure of PHI that is not permitted by the Privacy Standards even if it does not pose a significant risk of harm to an individual or otherwise meets an exception to the Breach Notification Standards' breach definition.51 Therefore, the Proposed Rule would allow individuals to learn about impermissible disclosures that do not require a breach notification letter.
CONTENT OF ACCOUNTING
The Proposed Rule proposes to maintain the current content of an accounting with minor modifications. First, the accounting would only need to provide an "approximate" date or period of time for each disclosure if the precise date is not known.52 In all cases, the date must include a month and a year or a description of when the disclosure occurred so that the individual can easily determine the month and year.53 For multiple disclosures of PHI to the same person/entity for the same purpose, the Proposed Rule would permit a Covered Entity to identify an approximate period of time (for example, January 2011 through June 2011).54 However, an exact start and end date would no longer be required.
As a general rule, the Proposed Rule would require an accounting to include the name of the recipient of the disclosed information; however, the Proposed Rule would not require the name of the recipient if this would itself represent a disclosure of PHI.55 For example, if a mail merge error resulted in health plan beneficiaries receiving an explanation of benefits corresponding to the beneficiary next in alphabetical order, the recipient would be entitled to privacy protection as well. In such cases, the accounting requirement could be met by indicating that the disclosure was to "another patient" or by using other language that would not compromise an individual's privacy.
The Current Accounting Standard requires that the accounting include "a brief description of the PHI disclosed."56 The Proposed Rule would modify this slightly to read "a brief description of the type of PHI disclosed."57 Covered Entities would still be permitted to meet this requirement by providing a copy of the written request that triggered the disclosure if it better informs the individual of the purpose of the disclosure.
ACCOUNTING LOOK-BACK PERIOD
The HITECH Act changes the accounting period from six to three years preceding the request.58 The Proposed Rule would reduce to three years the time frame for retaining information that is retained solely to make an accounting.59 The Proposed Rule would still require a Covered Entity to retain for six years a copy of any accounting provided and documentation of the designation of who is responsible for handling accounting requests.60
TIMING OF DELIVERY OF ACCOUNTING
The Proposed Rule includes three modifications to the required timing of delivery of an accounting under the Current Accounting Standard:
- A Covered Entity's response time would be reduced from 60 days to 30 days because OCR believes it should not take longer than 30 days.61
- A Covered Entity may obtain a one-time 30-day extension.62
- If law enforcement requests a delay in making an accounting in connection with an ongoing law enforcement investigation, the Covered Entity must make a timely account of all other accountable disclosures and then supplement the report with information about the law enforcement disclosure once the law enforcement delay expires.63
FORM AND FORMAT OF ACCOUNTING
The Proposed Rule would require a Covered Entity to provide an accounting in a form and format requested by the individual if it is readily producible. If the requested form or format is not readily producible, the Covered Entity may provide a hard copy or work with the individual to seek to identify another acceptable form and format.64
1 76 Fed. Reg. 31426 (proposed May 31, 2011) (to be codified at 42 C.F.R. Part 164).
2 42 U.S.C. § 17935(c) (2006).
3 See 45 C.F.R. § 160.103 (2010) for a definition.
4 42 U.S.C. 17291(5).
5 75 Fed. Reg. 23214 (May 3, 2010); see also our On the Subject, entitled, "HHS Issues Request for Information on HITECH Act Requirement for Accounting For Disclosures Through an Electronic Health Record."
6 76 Fed. Reg. at 31426.
7 45 C.F.R. § 164.501.
8 See, e.g., American Hospital Association's model comments to the Proposed Rule at http://www.aha.org/aha/letter/2011/110720-cl-hitechacctdiscl.docx?group=hospital.
9 See 45 C.F.R. § 160.103 for a definition.
10 See, e.g., American Hospital Association's model comments to the Proposed Rule at http://www.aha.org/aha/letter/2011/110720-cl-hitechacctdiscl.docx?group=hospital.
11 76 Fed. Reg. at 31437. See 45 C.F.R. § 164.312(b) for the Security Rule audit control requirement.
12 76 Fed. Reg. at 31437.
13 76 Fed. Reg. at 31429.
15 76 Fed. Reg. at 31429.
16 45 C.F.R. § 164.528(a)(1).
17 45 C.F.R. § 160.103.
18 45 C.F.R. § 164.528(b)(2).
19 45 C.F.R. § 164.528(a). In addition, in connection with disclosures made for research purposes pursuant to a waiver or authorization involving 50 or more subjects, the current Privacy Standards permit a Covered Entity to provide to an individual a list of research protocols rather than specific information. The individual therefore receives a list of protocols in which his/her PHI may have been used and contact information for those studies rather than confirmed information about the specific studies in which the individual's PHI was disclosed. 45 C.F.R. § 164.528(b)(4)(i).
20 42 U.S.C. 17935(c).
21 The Act directs HHS to issue regulations that "only require such information to be collected through an electronic health record in a manner that takes into account the interests of the individuals in learning the circumstances under which their PHI is being disclosed and takes into account the administrative burden of accounting for such disclosures." Id. For more information on the HITECH Act's amendments to the HIPAA administrative simplification regulations, see our White Paper entitled "Economic Stimulus Package: Policy Implications of the Financial Incentives to Promote Health IT and New Privacy and Security Protections," which can be found at http://www.mwe.com/index.cfm/fuseaction/publications.nldetail/object_id/ea996ed0-ba3b-480a-988a-135230c441d6.cfm
22 76 Fed. Reg. at 31437-38 (to be codified at 45 C.F.R. § 164.528(b)(2)).
23 76 Fed. Reg. at 31438 (to be codified at 45 C.F.R. § 164.528(b)(2)(D)-(E)).
24 Id. at 31439.
26 45 C.F.R. § 164.312(b).
27 Id. § 164.308(a)(1)(ii)(D).
28 Id. § 164.306(b).
29 76 Fed. Reg. at 31439 (to be codified at 45 C.F.R.§ 164.528(c)).
30 Patient safety work product is defined at 42 C.F.R. § 3.20.
31 76 Fed. Reg. at 31439.
32 76 Fed. Reg. at 31440 (to be codified at 45 C.F.R. § 164.528(b)(2)(E)(iii)).
33 Id. (to be codified at 45 C.F.R. § 164.528(b)(3)(ii)).
34 Id. (to be codified at 45 C.F.R. § 164.528(b)(3)(i)(B)).
35 76 Fed. Reg. at 31441 (to be codified at 45 C.F.R. § 164.520(b)(1)(iv)(E)).
36 Id. (to be codified at 45 C.F.R. § 164.520(c)(2)(iv)).
39 Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Interim Final Rule, 75 Fed. Reg. 2013 (codified at 45 C.F.R. Part 170) (January 13, 2010), available at http://edocket.access.gpo.gov/2010/pdf/2010-17210.pdf.
40 45 C.F.R. § 170.210(e) and 170.302(v).
42 76 Fed. Reg. at 31430 (to be codified at 45 C.F.R. § 164.528(a)(1)(i)).
44 45 C.F.R. § 164.528(a)(1).
45 76 Fed. Reg. at 31431 (to be codified at 45 C.F.R. § 164.528(a)(1)).
46 45 C.F.R. § 164.512(i).
47 Patient safety work product is defined at 42 C.F.R. § 3.20 (2010).
48 76 Fed. Reg. at 31431 (to be codified at 45 C.F.R. § 164.528 (a)(1)(ii)).
49 Id. (to be codified at 45 C.F.R. § 164.528(a)(1)(i)(C)-(D)).
50 Id. at 31434.
51 Id. at 31431 (to be codified at 45 C.F.R. § 164.528 (a)(1)(A)).
52 Id. at 31434 (to be codified at 45 C.F.R. § 164.528(a)(2)(i)(A)(1)).
54 Id. at 31434 (to be codified at 45 C.F.R. § 164.528(a)(2)(i)(A)(2)).
55 Id. (to be codified at 45 C.F.R. § 164.528(a)(2)(i)(B)).
57 76 Fed. Reg. at 31434 (to be codified at 45 C.F.R. § 164.528(a)(2)(i)(C)). The purpose of this proposed change is to reinforce that "the accounting is only required to provide information about the types of PHI that were the subject of the disclosure" and a "minimum description [that] reasonably informs the individual of the purpose [of the disclosure]." Id.
58 42 U.S.C. § 17935(c)(1)(B).
59 76 Fed. Reg. at 31436 (to be codified at 45 C.F.R. § 164.528(a)(5)).
60 45 C.F.R. § 164.530(j)(2).
61 76 Fed. Reg. 31435 (to be codified at 45 C.F.R. § 164.528(a)(3)(i)).
62 Id. at 31435 (to be codified at 45 C.F.R. § 164.528(a)(3)(i)(B)(2)).
63 Id. at 31435-36 (to be codified at 45 C.F.R. § 164.528(a)(4)).
64 Id. at 31435 (to be codified at 45 C.F.R. § 164.528(a)(3)(ii)).