May 24, 2012

Proposed HIPAA Reporting Requirement May Lead to Increased Compliance Costs and Enforcement Action

On May 31, 2011, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) that would allow individuals to obtain an “access report” from HIPAA covered entities reporting virtually every instance of access to their electronic protected health information (ePHI), including all access by individual employees. The proposed access report must reflect the full name of every person or entity that accessed an individual’s ePHI (if maintained in a designated record set) in the prior three years.

An express purpose of this proposal is to allow individuals to identify situations in which a member of a covered entity’s workforce inappropriately accessed their ePHI. Individuals can then file a complaint with the OCR claiming improper employee access to ePHI.

In a recent case, the OCR entered into a $865,000 settlement with the University of California at Los Angeles Health Systems (UCLAHS) after investigating celebrity complaints of potential inappropriate ePHI access by UCLAHS employees. The investigation led to OCR allegations that UCLAHS employees repeatedly accessed ePHI of many patients, including several celebrity patients, when they did not have any job-related need to access the data, and that UCLAHS failed to implement security controls to reduce the risk of impermissible access, failed to provide Security Rule training, and failed to apply appropriate sanctions against workforce members who violated UCLAHS policies and procedures.

In the NPRM, OCR stated that it believes the degree of access logging required in the new access report is currently being captured and stored by covered entities’ electronic information systems because OCR interprets HIPAA’s audit controls standard (45 C.F.R. § 164.312(b)) and information system activity review implementation specification (45 C.F.R. § 164.308(a)(1)(ii)(D)) to require that all such access be logged, including “view” or “read only” access. However, this interpretation of the Security Rule is much broader than many had believed, and the NPRM has already fallen under criticism as a result. If the new rule is implemented as proposed, many covered entities will incur significant unexpected costs related to systems modifications, data storage (access logs must be retained for three years), training, privacy notice revision and redistribution and response to individual requests.

Business associates will have to undertake a similar degree of implementation to provide covered entities with access logs relevant to the access report, and covered entities will need to consider updating their business associate agreements to reflect this requirement. Individual privacy complaints filed with covered entities and OCR may well increase if this new rule is adopted, either because covered entities will fail to completely or timely provide the access report, or because individuals reviewing their access report will find real or (more likely) perceived cases of inappropriate access to their records.
© 2012 Poyner Spruill LLP. All rights reserved.

About the Author

Partner

Nancy practices in the area of employee benefits and ERISA. She has significant experience designing and documenting retirement plans and executive compensation plans as well as providing administrative advice on these plans. Nancy has represented clients before the Internal Revenue Service and Department of Labor, and she has represented clients in matters involving employee benefit due diligence, negotiation and planning in the context of mergers and acquisitions.


About the Author

Partner

Elizabeth’s practice focuses on privacy, information security, and records management. Her comprehensive, practical approach to privacy law is reflected by the diversity of her clients, which hail from a variety of industries including health care, financial services, insurance, retail, telecom, utility, technology, consumer goods and client services. Elizabeth has also worked with organizations of various size and scope, ranging from Fortune 100 companies with international reach to local charities.  She was listed among the top privacy professionals in Computerworld’s...
