HHS to Expand Rule on Accounting of Disclosures

A final rule that will strengthen HIPAA privacy and security safeguards is expected before the end of the year. But on Friday, May 27, the Department of Health & Human Services’ Office of Civil Rights (OCR) revealed another highly anticipated rule. OCR laid out its proposal to modify the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information (PHI).

Besides strengthening accounting of disclosures from electronic health records, the OCR proposal would establish guidelines for providing an “access report” to patients indicating who has accessed data in a designated record set. (These access reports will come from audit logs, and an access report is similar to an “audit report.” HHS notes that, in accordance with the Security Rule, all EHR systems should already be creating access logs with sufficient information to create an access report.)

So an access report would provide information on who has accessed electronic PHI (including access for purposes of treatment, payment, and healthcare operations), while the right to an accounting would provide additional information about the disclosure of information to persons outside the covered entity and its business associates for certain purposes (e.g., law enforcement, judicial hearings, public health investigations).

These modifications are designed to meet the HITECH Act requirement that covered entities and business associates account for disclosures of PHI to carry out treatment, payment and healthcare operations if such disclosures are through an EHR.

Unlike the current regulatory language, which may make it difficult to easily understand the types of disclosures that are subject to the accounting requirement, the proposed rule explicitly lists the types of disclosures that are subject to the requirement.

CIOs and chief information security officers will be studying the 95-page proposed rule closely. “Accounting for disclosures is a very big deal, and we are concerned about the rule,” says Terrell Herzig, data security officer at UAB Health System in Birmingham, Ala. One concern is that the PHI may not be only in one system, but in other certified pieces with data flowing into a main EHR, he adds. “Compiling that log data from multiple systems for reporting is complex. The EHR vendors haven’t had that type of flexibility built into their systems. A few years ago we developed our own system to coordinate this.”

Others see the proposed HITECH modifications just adding to an already administratively burdensome requirement. They suggest that patients really only want to know if a record is accessed inappropriately, not that 30 people accessed their record for legitimate care purposes.

The proposed access report would cover a three-year period and would provide the individual with information about who has accessed the individual’s electronic PHI held by a covered entity or business associate. It would not distinguish between “uses” and “disclosures,” and thus, would apply when any person accesses an electronic designated record set, whether that person is a member of the workforce or a person outside the covered entity.

HHS proposes to require covered entities and business associates to produce an access report upon request beginning Jan. 1, 2013, for systems that were acquired after Jan. 1, 2009, and beginning Jan. 1, 2014, for electronic record systems that were acquired on or before Jan. 1, 2009.

HHS is considering excluding research disclosures from the accounting requirements because, even though the Privacy Rule includes a simplified accounting option for research disclosures to large studies, HHS continues to hear concerns from the research community regarding the administrative burden of the accounting requirements and the potentially resulting chilling effect the requirements have on human subjects research.

The public has 60 days to comment on the proposed rule.