HHS Issues Proposed Rule; Creates New Access Report Obligations and Amends Existing Accounting of Disclosures Provisions
On May 31, the U.S. Department of Health and Human Services (HHS) released a notice of proposed rulemaking (Proposed Rule) creating a new requirement that covered entities produce an "access report" informing individuals of all persons who have viewed their records, while also modifying existing accounting of disclosures rules under the Health Insurance and Portability and Accountability Act of 1996 (HIPAA). 76 Fed. Reg. 31426 (May 31, 2011). The Proposed Rule would impose significant new obligations on all healthcare provider and health plan covered entities, including employer group health plans.
Right to an Access Report
Under the Proposed Rule, covered entities would be required to provide individuals with an "access report," identifying all persons who have accessed an individual's electronic "designated record set" information. The designated record set is the group of records maintained by or for a covered entity that is either (1) used, in whole or part, to make decisions about individuals; (2) a provider's medical and billing records; or (3) enrollment, payment, claims, adjudication, and case or medical management record systems maintained by or for a health plan. This new access right does not extend to paper records.
The new access right is based in part on a requirement established by the Health Information Technology for Economic and Clinical Health Act (HITECH) providing individuals with information about disclosures through an electronic health record (EHR) for treatment, payment, and healthcare operations. The Proposed Rule modifies the HITECH provision in two significant ways:
- First, the Proposed Rule provides an individual with the right to be informed of all persons who have accessed their record, regardless of whether the information was actually disclosed to someone outside of the covered entity's workforce.
- Second, while HITECH only provided for accounting of disclosures for EHRs, the Proposed Rule creates a new right of an individual to an access report to the designated record sets maintained by all covered entities and business associates, regardless of whether those entities have implemented EHRs.
Additional requirements that HHS proposes regarding the content, timing, and format of the access report include the following:
- The access report must include (a) the date of the access; (b) the time of the access; (c) the name of the individual who accessed the information, if available, or otherwise the name of the entity who accessed the information; (d) a description of what information was accessed, if available; and (e) a description of the action by the user, if available. The access report is not required to include a description of the purpose of the access or the ultimate recipient of the electronic protected health information (PHI).
- The access report must be provided in a format that is understandable to the individual and may be provided in a machine-readable or other electronic form and format requested by the individual.
- The covered entity has 30 days to provide the access report.
- The covered entity cannot charge for providing the first access report to an individual in any 12-month period, but may charge a reasonable, cost-based amount for each additional access report that is requested within a 12-month period.
- Covered entities and business associates must retain the necessary documentation to produce the access report for three years. However, copies of the actual access report must be retained for six years.
HHS maintains that this new access right should not impose an unreasonable burden on covered entities because, in accordance with the HIPAA Security Standards (Security Rule), electronic systems with designated record set information should currently be creating access logs with sufficient information to create an access report. The degree of burden imposed by the new access rights will undoubtedly be the focus of many organizations submitting comments on the Proposed Rule.
Revised Accounting of Disclosures Requirement
The Proposed Rule also includes a number of changes to the existing accounting of disclosures requirements. Under the HIPAA Standards for Privacy of Individually Identifiable Health Information (Privacy Rule), an individual has a right to an accounting of certain disclosures of PHI about the individual, regardless of where such information is located. While an individual still has a right to an accounting of disclosures as described under the Privacy Rule, the Proposed Rule limits the scope and changes the accounting of disclosures requirements by doing the following:
- Limiting the scope to the individual's information contained in a designated record set.
- Reducing the accounting period to disclosures occurring during the previous three years, rather than the previous six years as currently required under HIPAA.
- Providing a list of the types of disclosures subject to the accounting, in contrast to the current requirement that disclosures be included in an accounting, subject to the availability of specified exceptions.
- Permitting the accounting to include an approximate date or time period for each disclosure, or even a descriptive date of disclosure, rather than an exact date.
- Excluding (a) disclosures about victims of abuse, neglect, or domestic violence; (b) disclosures for health oversight activities; (c) disclosures for research purposes; (d) disclosures about decedents to coroners and medical examiners, funeral directors, and for cadaveric organ, eye, or tissue donation purposes; and (e) most disclosures required by law (including disclosures to the Secretary of HHS to enforce the Privacy and Security Rules).
- Decreasing the timeframe for responding to an accounting request to 30 days, rather than 60 days. The abbreviated timeframe for providing an accounting could be particularly problematic with respect to disclosures of paper medical records.
- Requiring a covered entity to include accounting information for all disclosures by its business associates.
Compliance with the requirement to provide access reports would be required beginning January 1, 2013 (for electronic designated record set systems acquired after January 1, 2009) and January 1, 2014 (for electronic designated record set systems acquired on or before January 1, 2009). Compliance with the new accounting of disclosures requirements would be within 240 days of publication of the final regulations.
HHS is soliciting comments on the Proposed Rule, which must be submitted on or before August 1, 2011.