HHS Publishes Proposed Rule Revising Privacy Rule’s Requirements for Accounting of Disclosures

June 7, 2011 Authors: Denise Webb Glass, Karen Davis

On May 31, 2011, the Department of Health and Human Services (“HHS”) published in the Federal Register a proposed rule implementing a provision of the HITECH Act relating to a patient’s right under the HIPAA Privacy Rule to receive an accounting of disclosures for treatment, payment and health care operations from an electronic health record. At the same time, HHS took the opportunity under its general HIPAA authority to significantly modify the current overall requirements for accounting of disclosures to patients from both paper and electronic records, in ways that would relieve some burdens but also create new ones. HHS is soliciting comments on the proposed rule until August 1, 2011.

One of the rights accorded patients under the HIPAA Privacy Rule in 2003 was the right to receive an accounting of disclosures of protected health information (“PHI”) made by a covered entity (“CE”) in the six-year period prior to the request. Excepted from the accounting requirement were disclosures to carry out treatment, payment and health care operations, arguably the largest category of disclosures.

Under HITECH, however, which was passed in 2009, that exception would not apply to disclosures made through an electronic health record during the three-year period prior to the request.

In implementing the HITECH provision in the proposed rule, HHS, under its general HIPAA rulemaking authority, proposes to both narrow and expand the statutory language.

New Requirement for Access Report of Uses/Disclosures from Electronic Records

The proposed rule narrows the new accounting obligations for electronic records by reducing the requirement from a full accounting to a requirement for an “access report.” An access report differs from a full accounting in that it does not list the purpose of the access or the address of the persons or entities accessing the record. HHS expanded the accounting provision by requiring CEs to account for internal “uses” as well as external “disclosures” of PHI within electronic “designated record sets” rather than from an “electronic health record.” It also requires that all uses and disclosures be listed, not just those in the category of treatment, payment and health care operations.

In the commentary preceding the proposed rule, HHS makes clear its understanding that the current Security Rule already requires CEs and their business associates (“BAs”) to maintain access logs to electronic PHI with sufficient information to enable them to create the access reports, and that it believes most current electronic information systems automatically capture that information. During the comment period on the proposed rule, CEs will want to examine closely whether HHS’s assumptions about the current capabilities of existing audit functions in electronic information systems are correct.

The access report would be required to include the following information:

  • Date and time of access;
  • Name of natural person, if available; otherwise, name of entity accessing the electronic record;
  • Description of information accessed, if available; and
  • Description of action by user, if available, e.g., “create,” “modify,” “access,” or “delete.”
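As an added example (not from the article or from HHS), the following Python routine assembles an access report with the four elements listed above from a constructed audit log, reporting any element the log cannot supply as “not available” so that gaps in the audit trail are visible; the log column names are assumptions.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample audit log (not real data); one row per access event.
# Column names are hypothetical: real systems differ and may omit some columns.
SAMPLE_AUDIT_LOG = """\
timestamp,patient_id,user_name,entity,record_section,action
2012-03-04T09:15:00,P001,jsmith,,Medications,access
2012-03-04T09:20:00,P001,,LabCorp Interface,Lab Results,create
2012-03-05T14:02:00,P002,rjones,,Allergies,modify
2012-03-06T08:45:00,P001,rjones,,,
2012-03-07T11:30:00,P001,jsmith,,Notes,delete
"""

NOT_AVAILABLE = "not available"


def build_access_report(log_text, patient_id, start, end):
    """Return access report rows for one patient between two ISO timestamps.

    Each row carries the four elements the proposed rule lists. An element the
    audit log lacks is reported as NOT_AVAILABLE rather than dropped, so a
    reviewer can see where the underlying logging falls short.
    """
    start_dt, end_dt = datetime.fromisoformat(start), datetime.fromisoformat(end)
    rows = []
    for event in csv.DictReader(StringIO(log_text)):
        if event["patient_id"] != patient_id:
            continue
        when = datetime.fromisoformat(event["timestamp"])
        if not (start_dt <= when <= end_dt):
            continue
        rows.append({
            "date_time": when.isoformat(sep=" "),
            # Natural person if known, otherwise the accessing entity.
            "name": event["user_name"] or event["entity"] or NOT_AVAILABLE,
            "information": event["record_section"] or NOT_AVAILABLE,
            "action": event["action"] or NOT_AVAILABLE,
        })
    return rows


def rows_with_gaps(report):
    """Count report rows in which at least one element was unavailable."""
    return sum(1 for row in report if NOT_AVAILABLE in row.values())


if __name__ == "__main__":
    rpt = build_access_report(SAMPLE_AUDIT_LOG, "P001",
                              "2012-03-01T00:00:00", "2012-03-31T23:59:59")
    for row in rpt:
        print(row)
    print("rows with gaps:", rows_with_gaps(rpt))
```

Running the gap count over a representative export is one concrete way to test the HHS assumption, noted above, that existing audit logs already capture everything the report needs.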

Changes to Existing Accounting of Disclosures Provision

In addition to implementing the HITECH provision, the proposed rule also significantly restructures the existing general accounting requirement that applies to outside disclosures of PHI from both paper and electronic records. The existing provision takes the approach that all outside disclosures are to be included in the accounting except for nine exceptions. The proposed rule reverses that approach: the patient is entitled to an accounting of PHI disclosures within seven categories that HHS considers most likely to impact them or be of interest to them. A number of categories of disclosures are no longer included, such as research, health oversight activities, and most disclosures required by law (although, to the extent that there are disclosures from an electronic record, they will be covered by an access report).

The first category of disclosures affirmatively included is disclosures not permitted by the Privacy Rule, unless the patient has already received notification of the impermissible disclosure under the Breach Notification Rule. Thus, unauthorized disclosures that did not rise to the level of a breach are required to be included in response to a request for an accounting. The other categories included are: (1) public health activities, except disclosures to report child abuse or neglect; (2) judicial and administrative proceedings; (3) law enforcement purposes; (4) disclosures to avert a serious threat to health or safety; (5) military and veterans activities, the Department of State’s medical suitability determinations, and government programs providing public benefits; and (6) workers’ compensation.

Other significant proposed changes in the accounting provision are:

  • Timeframe covered under the accounting reduced from six years prior to request to three years
  • Limited to disclosures from designated record sets
  • CE must include disclosures by BAs from designated record sets
  • Response time by CE reduced from 60 days to 30 days with opportunity for one 30-day extension
  • CEs must provide patients with accounting in form (e.g., paper or electronic) and format (compatible with a specific software application) as requested by patient if readily producible
  • CEs may require patient to submit accounting request in writing (HHS encourages CEs to create forms that inform patients of the information that will be included and allow them to narrow the request based on their interests to a specific date, time period or person)
  • Requires CEs to inform patients at the time of the first accounting request that all subsequent requests in the 12-month period may be subject to a fee

Compliance Dates

For entities with electronic designated record set systems acquired after January 1, 2009, the compliance date for the new access report requirement is January 1, 2013. For entities with systems acquired on or before January 1, 2009, the compliance date is a year later—January 1, 2014.

The commentary recognizes that some entities may have a mix of systems—some acquired before 2009 and some after. In those circumstances, HHS urges CEs and BAs to provide access reports that include all designated record set systems in 2013 even if the CE or BA is not technically required to include some of the systems until 2014.

For the other changes to the general accounting of disclosures provision, the compliance date would be 180 days after the effective date of the final rule. The effective date of the final rule would be 60 days after publication in the Federal Register.

This article was prepared by Denise W. Glass (dglass@fulbright.com or 214 855 8063) and Karen Davis (kdavis@fulbright.com or 314 505 8823) from Fulbright's Health Care Practice Group.