On May 31, 2011, the Department of Health and Human Services (“HHS”) issued a notice of proposed rulemaking (“Proposed Rule”) in relation to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule (“Privacy Rule”). The Proposed Rule concerns changes to the accounting of disclosures requirement of the Privacy Rule.
The Proposed Rule intends to divide §164.528 of the Privacy Rule (the accounting of disclosures of protected health information provision) to provide two distinct, but complementary, rights for individuals. These rights would include an individual’s expanded accounting of disclosures right and an individual’s right to a report revealing who has accessed his or her protected health information contained in an electronic designated record set.
The revised accounting of disclosures right, to be modified by HHS under HIPAA authority, intends to improve the workability and effectiveness of the provision. This right would provide information about hardcopy and electronic disclosures made from a designated record set to outside persons and the covered entity’s business associates for specific purposes (e.g., legal actions, workers’ compensation). The full accounting of disclosures would provide more detailed information for certain disclosures that would most likely impact an individual. The information would be maintained for a three-year period (a reduction from the current six-year requirement). HHS proposes that all covered entities and business associates implement the modified requirements of the accounting of disclosures provision starting 180 days from the final date of the regulation (240 days after publication).
As part of its authority under the Health Information Technology for Economic and Clinical Health Act (“HITECH”), HHS is proposing to create the right to an access report. This right is intended to give individuals information about others’ access to their protected health information contained in an electronic designated record set. The right would cover a three-year period as well, but it would only provide individuals with a report of who accessed the electronic record and would not include the reasons for the access. The date, time, and name of the person accessing the information (or the entity if the individual’s name is unavailable) would be included in the report; the description of the type of information disclosed and the user’s action would also be included if available. No distinction would be made between “uses” and “disclosures” of the information in the report. HHS proposes that business associates and covered entities provide individuals with the access report right under the provision beginning January 1, 2013 (for electronic designated record set systems acquired after January 1, 2009) or January 1, 2014 (for electronic designated record set systems acquired as of January 1, 2009).
Since the rights within the provision are limited to protected health information within a designated record set, some business associates will not be affected by the requirement that covered entities include the applicable disclosures and uses of their business associates.
Public comments on the Proposed Rule will be accepted until August 1, 2011. Comments may be submitted online at http://www.regulations.gov/ (search for the Proposed Rule).
For more information, please contact Abby Pendleton, Esq. or Jessica L. Gustafson, Esq. at (248) 996-8510 or (212) 734-0128, or visit the HIPAA specialty page on the HLP website.