May 31, 2011
By Scott Smith*
In the May 31, 2011, edition of the Federal Register, the U.S. Department of Health and Human Services, Office for Civil Rights, issued a notice of proposed rulemaking to modify the accounting of disclosures requirements under the Health Insurance Portability and Accountability Act Privacy Rule. The proposed rule is designed to implement the requirement under the Health Information Technology for Economic and Clinical Health Act that covered entities and business associates provide an accounting of disclosures of protected health information disclosed for treatment, payment, or healthcare operations (TPO) purposes when these disclosures are made through an electronic health record (EHR). As proposed, the rule gives patients the right to an "access record" similar to an electronic log that shows who has viewed the patient's designated record set. The proposed rule otherwise clarifies the accounting of disclosures requirements for covered entities and business associates.
The existing exemption for accounting of disclosures for TPO purposes would be eliminated for disclosures through an EHR. Business associates are also required to keep an accounting and to respond to a patient request for an accounting of disclosures. An individual has a right to an accounting of disclosures occurring in the three years prior to the request (not six years); the three-year requirement also applies to access reports. The proposed effective date for the new requirements is January 1, 2013, for covered entities that acquired an EHR after January 1, 2009. For covered entities that acquired an EHR prior to January 1, 2009, the proposed effective date of the new requirements is January 1, 2014.
The proposed rule creates two separate but related rights: (1) the right to an access report; and (2) the right to an accounting. The access report is an electronic log of anyone who has accessed the patient's electronic designated record set, including for TPO purposes, whether inside or outside of the covered entity (including a business associate). The accounting is additional information related to either electronic or paper disclosures of information from the designated record set. Described another way, the access report identifies the names of persons who have accessed the patient's EHR, while the accounting provides more information as to the reason for the disclosure (e.g., law enforcement request). The accounting and access report requirements only apply to information within the patient's designated record set.
In the new rule, the accounting requirements will be designated by affirmatively listing those uses/disclosures for which an accounting is required, instead of, as in the present rule, listing the situations in which an accounting is not required. Proposed exemptions from the accounting requirement include: child abuse reporting; domestic violence reporting; adult abuse reporting; disclosures for research purposes including those where an Institutional Review Board has waived the consent requirement; disclosures for health oversight activities; disclosures to medical examiners, coroners, and funeral directors as well as those for donation purposes; and most disclosures that are required by law (but judicial/administrative proceeding and law enforcement disclosures will always require an accounting). Once a patient is notified of a breach through the breach notification process, a covered entity is not also required to provide an accounting.
The rule also proposes shortening the time to respond to a request for an accounting or access report from sixty to thirty days. To the extent that business associates electronically access protected health information within the designated record set, they are also required to provide the "access report" to individuals upon request, or to the covered entity upon request to allow the covered entity to make an accounting.
Comments on the proposed rule are due on or before August 1, 2011.
*We would like to thank Scott Smith, Esquire (University of Utah, Salt Lake City, UT), for providing this email alert.