The U.S. Department of Health and Human Services ("HHS") published proposed rulemaking on May 31, 2011 (the "Proposed Rule") modifying HIPAA's Privacy Rule concerning the accounting of disclosures of protected health information ("PHI"). The Proposed Rule not only alters the existing accounting of disclosures of PHI obligations, it also creates an entirely new requirement, mandating that covered entities, upon request, produce an "access report" identifying who has accessed an individual's PHI. The Proposed Rule, therefore, would give individuals two distinct, albeit complementary, rights: one for an accounting of disclosures to persons outside the covered entity and its business associates (whether in electronic or paper format) and another for an access report providing information on who has accessed electronic PHI. HHS's Office of Civil Rights director Georgina Verdugo stated in a news release that the Proposed Rule is designed to ensure that providers properly safeguard private health information and allows individuals to "know how their health information has been used or disclosed."
One of the key components of the Health Insurance Portability and Accountability Act ("HIPAA") is the establishment of national standards to protect the privacy and security of personal health information. These provisions apply to three types of "covered entities": (1) health care providers who conduct covered health care transactions electronically; (2) health plans; and (3) health care clearinghouses. HHS first promulgated the Standards for Privacy of Individually Identifiable Health Information, commonly referred to as the "Privacy Rule," in 2000. Among other things, the Privacy Rule requires covered entities to make available an accounting of certain disclosures of an individual's PHI, regardless of whether the disclosure was in paper or electronic format. The Privacy Rule defines a disclosure as the "release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information," but provides for certain exceptions that need not be included in the accounting, including any disclosures made "[t]o carry out treatment, payment and health care operations."
Similarly, the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") was enacted in 2009 and was designed to address the privacy and security concerns associated with the electronic transmission of health information. Under HITECH, the disclosure exemption discussed above relating to those disclosures made to carry out treatment, payment and health care operations was no longer applicable to disclosures made through an electronic health record.
Modification To Existing Accounting Of Disclosures
The Proposed Rule includes modifications to existing HIPAA accounting disclosure requirements. Under the current disclosure requirements, an individual has a right to an accounting of disclosures of PHI about the individual, regardless of where such information is located. The Proposed Rule, however, significantly limits this provision by restricting the scope of information subject to the accounting to PHI about the individual that is contained in a designated record set ( i.e. , the medical and billing records about individuals maintained by or for a covered health care provider, enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan, and records used by covered entities to make decisions about individuals). By way of example, therefore, a hospital's peer review files, to the extent they are only used to improve patient care at the hospital and not to make decisions about individuals, would not qualify as PHI included in a designated record set and, therefore, would not be subject to disclosure under the Proposed Rule.
In addition, the Proposed Rule provides an explicit list of the types of disclosures subject to the accounting requirement, as well as certain disclosures that would not be included. This is a distinct change from the current rule, which simply requires that all disclosures are to be included unless they fall within a specific exemption. By way of example, some of the disclosures explicitly listed in the Proposed Rule for which an accounting would be required include impermissible disclosures under HIPAA (unless covered by the Breach Notification Rule); disclosures for public health activities (except those involving reports of child abuse or neglect); disclosures for judicial and administrative proceedings; disclosures for law enforcement activities; disclosures to avert a serious threat to health or safety; and disclosures for workers' compensation claims.
Some of the other more significant changes contained within the Proposed Rule include:
• Specifically including accounting information for disclosures by the covered entities' business associates.
• Covered entities need only provide an approximate date or time period for each disclosure, rather than an exact date.
• Creating an exception from the requirement to include in the disclosure the name of the person who received the PHI if providing said information would itself become a disclosure of PHI (e.g., a mistaken disclosure to another patient).
• Reducing the period a covered entity is required to account for disclosures to three years, as opposed to six years as is currently required.
• Decreasing the permissible time to respond to a request for an accounting from 60 days to 30 days (with a single 30-day extension).
• Requiring that the response be in the format requested (e.g., paper or electronic format), if readily producible.
Creating The Right To An Access Report
As noted above, under the Proposed Rule, covered entities would now be required, upon request, to provide individuals with an "access report," specifically identifying all persons who have accessed that individual's electronic designated record set. The Proposed Rule does not include access to paper records. Rather, it is limited to electronic protected health information since trying to track access on paper files would be unreasonably burdensome to covered entities. The access report would be generated from access log data, which is collected each time a user accesses the information.
Generally, the access report must include (1) the date and time of the access; (2) the name of the individual who accessed the information (if available) and if not available, the name of the entity accessing the information; (3) a description of what information was accessed (if available); and (4) a description of the action by the user, i.e. , "create," "modify," or "delete" (if available). Notably, the Proposed Rule does not require the access report to include a description of the purpose of the access or the ultimate recipient of the electronic PHI.
A covered entity must provide the access report within 30 days of request and produce it in a format that is understandable to the individual. In addition, covered entities and their business associates must retain documentation ( e.g. , the access log data) required to generate an access log for three years, but copies of an access report must be retained for a full six years.
Lastly, the Proposed Rule would require covered entities to update their HIPAA Privacy Notices to include the individual's new right to request an access report.
Effective And Compliance Dates
Compliance with the new accounting disclosure regulations would be required within 180 days after the effective date of the final rule. Compliance with the requirement to provide access reports depends on when the electronic designated record set system was acquired. Specifically, covered entities and business associates will be required to produce access reports upon request beginning January 1, 2013 (for electronic designated record sets acquired after January 1, 2009) and on January 1, 2014 (for electronic designated record sets acquired before January 1, 2009).
While the Proposed Rule discusses minimizing the burden it places on covered entities and business associates, it invariably will result in added procedural and technical compliance obligations. Covered entities and business associates need to pay specific attention to what disclosures will be required once the final rules are published and should be prepared, at a minimum, to amend their HIPAA Privacy Notices to comply with the final rule.
HHS is currently seeking comments on the Proposed Rule. The final rule will not be issued until September 2011, at the earliest.
Published July 1, 2011.