HHS proposal would broaden disclosure rules
Under the proposal, individuals would have the right to know which individuals and entities access their PHI and to obtain a report with this information. The modifications are intended, in part, to implement the HITECH Act statutory requirement, which stipulates that covered entities and business associates must account for disclosures of PHI to carry out treatment, payment and healthcare operations if such disclosures are through an EHR, according to HHS.
The proposal would divide Section 164.528 of the Privacy Rule, “Accounting of Disclosures of Protected Health Information,” into two separate rights for individuals. First, it would set forth the individual’s right to an accounting of disclosures. Second, it would define an individual’s right to an access report (which would include electronic access by both workforce members and persons outside the covered entity).
The right to an access report would provide information about who has accessed ePHI in a record set; the right to an accounting would provide additional information about the disclosure of designated record set information (whether hard-copy or electronic) to persons outside the covered entity and its business associates for certain purposes (such as law enforcement, judicial hearings or public health investigations).
The access report would allow individuals to learn if specific persons have accessed their electronic designated record set information, but not the purpose of the person’s access. In contrast, the intent of the accounting of disclosures is to provide more detailed information for disclosures that are most likely to impact the individual, according to the proposal.
These changes to the accounting requirements will provide information of value to patients while placing “a reasonable burden” on covered entities and business associates, HHS stated. By limiting the access report to electronic access, the report will include information that a covered entity is already required to collect under the Security Rule.
The right to an accounting of disclosures would encompass both hard copy and ePHI maintained in a designated record set. It would cover a three-year period, and would require a covered entity and its business associates to account for the disclosures of PHI. The right to an access report would only apply to PHI that is maintained in an electronic designated record set, and would also cover a three-year period.
Required information in the access report would include the date, time and name of the person (or name of the entity if the person’s name is unavailable) who accessed the information. HHS also proposed requiring the inclusion of a description of the PHI that was accessed and the user’s action, to the extent that such information is available.
PHI outside the designated record set would remain fully protected by the Privacy Rule and, with respect to ePHI, the Security Rule, HHS stated. In addition, the Breach Notification Rule still applies to all PHI, regardless of where such information exists at a covered entity or business associate. Individuals would still be informed of breaches of unsecured PHI, even when such information resides outside of a designated record set, according to the proposed changes.
The NPRM was published in the Federal Register May 31. Public comments will be accepted, via mail and through the Federal eRulemaking Portal, for 60 days following publication.