HHS releases new draft accounting of disclosure rules

The Department of Health and Human Services (HHS) has released a long-anticipated Notice of Proposed Rulemaking that would implement the changes to accounting of disclosures requirements under the HIPAA Privacy Rule. HHS opened a 60-day comment period effective May 31, the date when the NPRM is scheduled to be published in the Federal Register. The changes, specified in the Health Information Technology for Economic and Clinical Health (HITECH) Act, would expand the types of transactions and uses of data that must be include in accountings of disclosures, reduce the time period for which organizations must maintain the disclosure information, and modify the set of information that must be recorded for each disclosure.

Under the current provisions of the HIPAA Privacy Rule, codified at 45 CFR ยง164.528, covered entities are required to maintain records on disclosures of protected health information for a period of six years, and to furnish that historical record of disclosures (the “accounting”) to individuals who request them. The Privacy Rule included an exemption for disclosures for the purposes of treatment, payment, health care operations, and a variety of other special circumstances, including disclosures to the individual of their own PHI. Collectively, the excepted purposes constitute the vast majority of activity involving disclosure. The current rules also cover all PHI, whether in paper or electronic form. HITECH shortened the accounting period to three years, but removes the exemptions for treatment, payment, and health care operations when the disclosure of information is from an electronic health record (EHR). HHS is also proposing to explicitly list the types of disclosures that are subject to the accounting of disclosure requirement, rather than the prior approach of generally requiring inclusion but enumerating specific exceptions. When the HITECH Act passed, many covered entities expressed concerns about the increased administrative burden they would face by essentially having to track all disclosures rather than the more limited set currently required under the law. Some have also pointed out that many EHR systems currently on the market do not provide the built-in functionality to record the information about each disclosure that is required under the revised rule in HITECH.

As part of the rules promulgated under the “meaningful use” EHR incentive program, the HHS Office of the National Coordinator last year adopted a new standard and EHR certification criterion for recording accounting of disclosure information. When it published its final rule for standards and certification criteria, however, ONC chose to make the accounting of disclosure criterion optional, pending further analysis and discussion on the potential impact of the new requirements to covered entities and business associates. In parallel, HHS issued a request for information in May 2010 seeking input from the industry and other interested parties about the potential burden of complying with the new accounting of disclosure rules, the technical capabilities available in the market to facilitate or automate this process, and evidence about the relative interest among individuals in requesting accountings of disclosures. The new NPRM includes some summary data about the comments received in response to the RFI, perhaps most interestingly noting that a large number of respondents reported no or very few requests for accountings since the Privacy Rule went into effect in 2003.

HHS’ new proposed rule divides individual rights in two, providing for separate rules that give individuals the right to an accounting of disclosures and to an “access report” that, in contrast to disclosures, would provide details about who has electronically accessed the individual’s PHI. The access report provision includes accesses both by employees of covered entities and business associates and by those external to the organization. There is no comparable provision in the current law, but the NPRM notes that since the rule applies only to electronic access, covered entities should already be collecting the relevant information about accesses under practices required in the HIPAA Security Rule. It seems likely that at least part of the justification for this new right is the heightened attention focused on the need for such a record of even routine accesses following a series of well-publicized incidents where hospital employees apparently abused their authorized access by viewing the health records of celebrities or other public figures.