May 23, 2012

HHS Issues Proposed Rule; Creates New Access Report Obligations and Amends Existing Accounting of Disclosures Provisions

On May 31, the U.S. Department of Health and Human Services (HHS) released a notice of proposed rulemaking (Proposed Rule) creating a new requirement that covered entities produce an "access report" informing individuals of all persons who have viewed their records, while also modifying existing accounting of disclosures rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). 76 Fed. Reg. 31426 (May 31, 2011). The Proposed Rule would impose significant new obligations on all healthcare provider and health plan covered entities, including employer group health plans.

Right to an Access Report

Under the Proposed Rule, covered entities would be required to provide individuals with an "access report," identifying all persons who have accessed an individual's electronic "designated record set" information. The designated record set is the group of records maintained by or for a covered entity that is either (1) used, in whole or part, to make decisions about individuals; (2) a provider's medical and billing records; or (3) enrollment, payment, claims, adjudication, and case or medical management record systems maintained by or for a health plan. This new access right does not extend to paper records.

The new access right is based in part on a requirement established by the Health Information Technology for Economic and Clinical Health Act (HITECH) providing individuals with information about disclosures through an electronic health record (EHR) for treatment, payment, and healthcare operations. The Proposed Rule modifies the HITECH provision in two significant ways:

  • First, the Proposed Rule provides an individual with the right to be informed of all persons who have accessed their record, regardless of whether the information was actually disclosed to someone outside of the covered entity's workforce.
     
  • Second, while HITECH only provided for accounting of disclosures for EHRs, the Proposed Rule creates a new right of an individual to an access report to the designated record sets maintained by all covered entities and business associates, regardless of whether those entities have implemented EHRs.

Additional requirements that HHS proposes regarding the content, timing, and format of the access report include the following:

  • The access report must include (a) the date of the access; (b) the time of the access; (c) the name of the individual who accessed the information, if available, or otherwise the name of the entity who accessed the information; (d) a description of what information was accessed, if available; and (e) a description of the action by the user, if available. The access report is not required to include a description of the purpose of the access or the ultimate recipient of the electronic protected health information (PHI).
     
  • The access report must be provided in a format that is understandable to the individual and may be provided in a machine-readable or other electronic form and format requested by the individual.
     
  • The covered entity has 30 days to provide the access report.
     
  • The covered entity cannot charge for providing the first access report to an individual in any 12-month period, but may charge a reasonable, cost-based amount for each additional access report that is requested within a 12-month period.
     
  • Covered entities and business associates must retain the necessary documentation to produce the access report for three years. However, copies of the actual access report must be retained for six years.

HHS maintains that this new access right should not impose an unreasonable burden on covered entities because, in accordance with the HIPAA Security Standards (Security Rule), electronic systems with designated record set information should currently be creating access logs with sufficient information to create an access report. The degree of burden imposed by the new access rights will undoubtedly be the focus of many organizations submitting comments on the Proposed Rule.

Revised Accounting of Disclosures Requirement

The Proposed Rule also includes a number of changes to the existing accounting of disclosures requirements. Under the HIPAA Standards for Privacy of Individually Identifiable Health Information (Privacy Rule), an individual has a right to an accounting of certain disclosures of PHI about the individual, regardless of where such information is located. While an individual still has a right to an accounting of disclosures as described under the Privacy Rule, the Proposed Rule limits the scope and changes the accounting of disclosures requirements by doing the following:

  • Limiting the scope to the individual's information contained in a designated record set.
     
  • Reducing the accounting period to disclosures occurring during the previous three years, rather than the previous six years as currently required under HIPAA.
     
  • Providing a list of the types of disclosures subject to the accounting, in contrast to the current requirement that disclosures be included in an accounting, subject to the availability of specified exceptions.
     
  • Permitting the accounting to include an approximate date or time period for each disclosure, or even a descriptive date of disclosure, rather than an exact date.
     
  • Excluding (a) disclosures about victims of abuse, neglect, or domestic violence; (b) disclosures for health oversight activities; (c) disclosures for research purposes; (d) disclosures about decedents to coroners and medical examiners, funeral directors, and for cadaveric organ, eye, or tissue donation purposes; and (e) most disclosures required by law (including disclosures to the Secretary of HHS to enforce the Privacy and Security Rules).
     
  • Decreasing the timeframe for responding to an accounting request to 30 days, rather than 60 days. The abbreviated timeframe for providing an accounting could be particularly problematic with respect to disclosures of paper medical records.
     
  • Requiring a covered entity to include accounting information for all disclosures by its business associates.

Compliance with the requirement to provide access reports would be required beginning January 1, 2013 (for electronic designated record set systems acquired after January 1, 2009) and January 1, 2014 (for electronic designated record set systems acquired on or before January 1, 2009). Compliance with the new accounting of disclosures requirements would be within 240 days of publication of the final regulations.

HHS is soliciting comments on the Proposed Rule, which must be submitted on or before August 1, 2011.

Copyright © 2012 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

About the Author

Partner

Andy R. Anderson is a partner in Morgan Lewis's Employee Benefits and Executive Compensation Practice.

Mr. Anderson has handled a variety of employee benefits matters, including government self-correction programs, cafeteria plans, health and welfare plans, VEBAs, and benefit plans for tax-exempt organizations and churches. He has worked with numerous Fortune 500 companies regarding the administration of employee benefits programs, with an emphasis on the administration of health and welfare plans. Mr. Anderson frequently counsels clients on regulatory...

312-324-1177

About the Author

Associate

Saghi "Sage" Fattahian is an associate in Morgan Lewis’s Employee Benefits and Executive Compensation Practice. Ms. Fattahian focuses her practice on a variety of employee benefits matters, including the design and implementation of qualified plans, welfare plans, fringe benefits, and other compensation arrangements. She assists clients in developing compliance protocols on regulatory issues dealing with the Internal Revenue Code, ERISA, COBRA, and HIPAA.

312-324-1744

Contributors

Associate

Heather B. Deixler is an associate in Morgan Lewis's FDA and Healthcare Practice. Ms. Deixler focuses her practice on healthcare regulatory compliance and corporate transactions. She counsels healthcare providers in areas such as physician self-referral (i.e., the federal Stark Law and its state law counterparts), HIPAA and privacy law issues, regulatory compliance, and fraud and abuse. Ms. Deixler also assists clients in healthcare-related business transactions, litigation, and antitrust claims and investigations.

415.442.1317

About the Author

Partner

W. Reece Hirsch is a partner in Morgan Lewis's FDA and Healthcare Practice. Mr. Hirsch focuses his practice on healthcare law regulatory and transactional matters. He counsels and represents hospitals, health plans and insurers, physician organizations, healthcare information technology companies, pharmaceutical and biotech companies, and other healthcare organizations on transactional and regulatory matters, including Medicare, fraud and abuse, self-referral, and privacy issues.

415-442-1422
