On May 31, the U.S. Department of Health and Human Services (HHS) released a notice of proposed rulemaking (Proposed Rule) creating a new requirement that covered entities produce an "access report" informing individuals of all persons who have viewed their records, while also modifying existing accounting of disclosures rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). 76 Fed. Reg. 31426 (May 31, 2011). The Proposed Rule would impose significant new obligations on all healthcare provider and health plan covered entities, including employer group health plans.
Right to an Access Report
Under the Proposed Rule, covered entities would be required to provide individuals with an "access report," identifying all persons who have accessed an individual's electronic "designated record set" information. The designated record set is the group of records maintained by or for a covered entity that is either (1) used, in whole or part, to make decisions about individuals; (2) a provider's medical and billing records; or (3) enrollment, payment, claims, adjudication, and case or medical management record systems maintained by or for a health plan. This new access right does not extend to paper records.
The new access right is based in part on a requirement established by the Health Information Technology for Economic and Clinical Health Act (HITECH) providing individuals with information about disclosures through an electronic health record (EHR) for treatment, payment, and healthcare operations. The Proposed Rule modifies the HITECH provision in two significant ways:
Additional requirements that HHS proposes regarding the content, timing, and format of the access report include the following:
HHS maintains that this new access right should not impose an unreasonable burden on covered entities because, in accordance with the HIPAA Security Standards (Security Rule), electronic systems with designated record set information should currently be creating access logs with sufficient information to create an access report. The degree of burden imposed by the new access rights will undoubtedly be the focus of many organizations submitting comments on the Proposed Rule.
Revised Accounting of Disclosures Requirement
The Proposed Rule also includes a number of changes to the existing accounting of disclosures requirements. Under the HIPAA Standards for Privacy of Individually Identifiable Health Information (Privacy Rule), an individual has a right to an accounting of certain disclosures of PHI about the individual, regardless of where such information is located. While an individual still has a right to an accounting of disclosures as described under the Privacy Rule, the Proposed Rule limits the scope and changes the accounting of disclosures requirements by doing the following:
Compliance with the requirement to provide access reports would be required beginning January 1, 2013 (for electronic designated record set systems acquired after January 1, 2009) and January 1, 2014 (for electronic designated record set systems acquired on or before January 1, 2009). Compliance with the new accounting of disclosures requirements would be within 240 days of publication of the final regulations.
HHS is soliciting comments on the Proposed Rule, which must be submitted on or before August 1, 2011.