By Leia C. Olsen, Hall, Render, Killian, Heath & Lyman P.C., Milwaukee
July 20, 2011 – Currently, patients have a right to receive an accounting of certain disclosures of protected health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Recently, the U.S. Department of Health and Human Services (HHS) published proposed regulations that would expand the scope of HIPAA privacy rule provisions related to such accounting requirements.
The proposed regulations, issued May 31, 2011, propose several changes to provisions governing the traditional right to an “accounting of disclosures,” and would create a new right for individuals to obtain an “access report” identifying who accessed an individual’s protected health information and why.
Current rules regarding the right to an accounting
Under HIPAA, each individual currently has the right to receive an accounting of disclosures of protected health information made by a “covered entity” in the six years prior to the date of the individual’s request. Generally, that right does not extend to certain disclosures, including disclosures for treatment, payment, and health care operations, which are necessary for the day-to-day operation of a covered entity.
The Health Information Technology for Economic and Clinical Health Act (HITECH) changed the accounting of disclosures requirement to include, in addition to all previous requirements, disclosures for treatment, payment, and health care operations if such disclosures are through an electronic health record.
HITECH also required the Secretary of HHS to adopt regulations balancing individuals’ interest in knowing how their protected health information is used and disclosed against the administrative burdens of providing an accounting.
Changes to the right to an accounting of disclosures
It appears that some of the changes in the proposed regulations were intended to decrease the burden on covered entities. Under the proposed regulations, the information subject to the accounting requirement would be limited to information included in the designated record set as defined by HIPAA.
HHS also tries to narrow the accounting requirement by specifically delineating the types of disclosures subject to an accounting, in contrast to the current structure, which provides only a few exceptions to the all-inclusive accounting requirement.
Finally, under HITECH, the accounting period is reduced to three years prior to the date of the request as opposed to the current six-year requirement.
Some of the proposed changes, however, could create significant administrative burdens for covered entities. Business associates are directly referenced in the proposed accounting requirements, requiring covered entities to include in the accounting information for all business associates that create, receive, maintain, or transmit designated record set information.
Covered entities must also produce the accounting in the form or format requested by the individual, if readily producible in that form or format. Further, covered entities would only have 30 days to provide an accounting rather than the current 60-day period.
The new right to an access report
Citing authority under HITECH and discretion under the HIPAA statute, HHS, in the proposed rule, creates a new right for individuals to obtain an access report from covered entities.
Access reports are akin to audit logs that track which users of an electronic system have accessed information about the individual. Significantly, these reports must include both uses and disclosures made by workforce members of a covered entity or business associate, and must identify the individual who accessed the information, the date and time the information was accessed, and the reason for such access.
What providers should consider
Since this is only a proposed rule, it is not yet necessary for covered entities to implement expensive, systemic changes to comply with these new requirements. Covered entities should nevertheless take this opportunity to assess their current systems to determine what changes would be necessary if these proposed regulations were implemented in their current, or near-current, form. Among those issues that covered entities should consider are the following:
How does the entity define its designated record set for purposes of complying with the accounting requirement?
How will the entity identify business associates who have access to, or who are custodians of, designated record sets?
How will the entity document and respond to requests for an access report? Are the entity’s current systems able to track information necessary for an access report? For example, does the system track the user’s actual name? Does it record the user’s reason for accessing the information? This may have a significant impact on covered entities, such as health plans, that typically do not maintain EHR systems but still have electronic protected health information.
What changes will the entity need to make to its Notice of Privacy Practices or business associate agreements to address the new requirements?
Comment period and compliance dates
HHS will accept comments regarding the proposed regulations from the public and the industry for a 60-day period ending Aug. 1, 2011. Sometime thereafter, possibly late 2011 or early 2012, HHS will issue final regulations.
While the final regulations will likely differ from the proposed regulations, it is unclear to what extent HHS will make changes to reflect comments submitted about the proposed regulations.
The compliance date for the new accounting of disclosures requirements will be 240 days after the final regulations are published in the Federal Register.
The compliance date for the right to an access report will be Jan. 1, 2013, for entities that acquired an electronic health record on or after Jan. 1, 2009, or Jan. 1, 2014, for entities that acquired an electronic health record before Jan. 1, 2009.
To view a copy of the proposed regulations, including instructions for submitting comments, visit: http://www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf.
About the author
Leia C. Olsen, Case Western (2007), cum laude, practices health law in the Milwaukee office of Hall, Render, Killian, Heath & Lyman P.C. She focuses on regulatory compliance, billing and reimbursement, clinical services, and patient safety. She can be reached at lolsen@hallrender.com.
The author thanks Rachel S. Delaney for her assistance and contribution to this article.