Third Anniversary of Proposed HIPAA Access Reports Passes While Healthcare Waits

June 9, 2014 David Holtzman

The third anniversary of the release by the Department of Health and Human Services (“HHS”) of proposed regulations implementing changes to the accounting of disclosures provisions under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) has passed without much notice. The proposed regulations arose from requirements in the Health Information Technology for Economic and Clinical Health Act (“HITECH”), passed as part of the American Recovery and Reinvestment Act of 2009.

The proposed rule stirred up significant controversy because of provisions that created a new requirement for covered entities and business associates to provide access reports of electronic health records, which some said went beyond the mandate in HITECH. As Kirk Nahra described it, “They chose the least used piece of HIPAA and made it hardest to comply with. It’s an enormous compliance and financial challenge.” He wishes HHS would throw the proposal in the trash and start over. Meanwhile, the healthcare industry and EHR developers are left waiting to learn if and when they will be required to modify their technology and processes to comply with a new accounting for disclosures requirement.

HITECH made several changes to HIPAA, including expanding the scope of the HIPAA Privacy Rule provisions that provide individuals with the right to obtain an accounting of disclosures of their protected health information (“PHI”). The current rule provides each individual with the right to receive an accounting of disclosures of PHI made by a covered entity in the six years prior to the date of the individual’s request, but it does not include information related to treatment, payment or operations, thereby excluding much of the access that occurs in a patient encounter.

HITECH changed the accounting of disclosures requirement to include disclosures for treatment, payment and healthcare operations if the disclosure is through an electronic health record (“EHR”). The 2011 proposed rule divided the current accounting of disclosures requirement into two separate rights. The first is the right to an accounting of disclosures as currently provided in the Privacy Rule, along with reporting expanded to some disclosures not now required under the present Rule. The second and most controversial provision proposed creating a new right for individuals to obtain an “access report” akin to audit logs or audit trails that indicate which users of an electronic system have accessed information about the individual. Accordingly, these reports would include not only disclosures, but legitimate accesses by members of a covered entity’s or business associate’s workforce as well. Covered entities and their business associates would be required to report on who had accessed their electronic PHI, actions taken, and a description of why the access was necessary. This latter piece is also troublesome because many systems do not report on appropriateness of the event.

In justifying its proposal for requiring covered entities and business associates to produce access reports, HHS cited its authority under HITECH and its discretion under the more general HIPAA statute. HHS also pointed out that the burdens associated with complying with the right for access reports should be minimized by the fact that covered entities and business associates already are required by the HIPAA Security Rule to maintain activity logs pertaining to information systems that contain electronic PHI. However, the access report requirement ignited fierce opposition from healthcare providers, health plans and electronic health record vendors, who panned the proposal as being unworkable and far beyond what was authorized in the HITECH Act.

In September of 2013, HHS held an unprecedented “virtual” hearing on the accounting for disclosures and access reports proposal under the auspices of the ONC Privacy and Security Tiger Team, an advisory committee to the department. The hearing allowed a broad range of views from across the health care spectrum to be heard concerning the need for a patient’s right to an access report. HHS was listening: sources at HHS say that work on a final rule to adopt the changes called for in the HITECH Act is on the back burner. But the question remains unanswered: what to do and how to do it?
