HIPAA disclosure accounting rules, revisited per the HITECH Act

HIPAA regulations long on the books require that covered entities (i.e. health care providers, payors and clearinghouses) provide patients with accounting of disclosures of their protected health information (PHI) for any purpose other than treatment, payment or health care operations (TPO). The HITECH Act upped the ante, requiring accounting of disclosures of PHI for TPO as well.  Regs implementing this requirement were to be keyed off of the meaningful use regs, and they have now arrived. Stage 1 Meaningful Use requirements do not include EHR capability to track PHI disclosures made for TPO purposes (though that capability was in the draft requirement for Stage 1), potentially making the process more manual than it ought to be.  In addition, despite the fact that patients and patient advocates, when asked, said that they would like to be told a more specific reason for access of PHI than "TPO," there is likely to be little more explanation than that.  The federales have elected to split the existing disclosure accounting rule (which addresses out-of-the-ordinary disclosures, e.g., following a data security breach) into two parts: a disclosure accounting rule and an access reporting rule – every time a patient's designated record set is accessed by anyone, including access in the ordinary course of TPO, access must be logged, so it may be reported to the patient if the patient requests a report. See the HIPAA Privacy Rule – Accounting of Disclosures under the HITECH Act published as a proposed rule on May 31, 2011.  (NPRM available as PDF, too.)

The access report is to be made available, within 30 days of a patient's request, in paper or electronic form (per the patient's request), for a period of time designated by the patient (up to three years preceding the request).  Information on disclosure and access will have to be obtained from business associates as well, to the extent they have access to the patient's designated record set.

Patients get one free access report per 12-month period.  

OCR proposes that covered entities and business associates provide individuals with a right to an access report beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic designated record set systems acquired as of January 1, 2009.

OCR has made a series of judgments about what is reasonable for patients to want to see, has balanced patients' interests with the burden to be imposed on providers and their business associates, and has come up with a pretty good product.  I expect that neither the patient and patient advocacy community nor the provider community will be entirely satisfied, so the federales are probably doing something right.

Notices of Privacy Practices will have to be revised to address this new right.

The comment period on these proposed regs closes August 1.

These tweaks to the HIPAA regs come on the heels of numerous reports of data security breaches, and even a criminal conviction based in part on a HIPAA breach. While they do push the ball forward as required by law, on the whole — taken together with other related regs — they seem inadequate to the task of promoting widespread satisfaction with the degree of data privacy and security afforded the American public by HIPAA and the HITECH Act. 

David Harlow
The Harlow Group LLC
Health Care Law and Consulting