Department of Health and Human Services Proposes Regulations Requiring Substantial Changes to Accounting of Disclosures under the HIPAA Privacy Rule

On May 31, 2011, the Department of Health and Human Services (HHS) published a proposed rule in the FEDERAL REGISTER regarding the accounting provisions of the Health Insurance Portability and Accountability Act of 1996 (PL 104-191) (HIPAA). The proposed rule, which implements a statutory provision from the Health Information Technology for Economic and Clinical Health Act (HITECH Act), dramatically alters the current HIPAA rule requiring accounting of disclosures of protected health information (PHI), and would substantially increase the burdens on covered entities and business associates to record and account for such disclosures. The proposed rule may be viewed at the following link: . The deadline for comments is August 1, 2011.

Under the existing HIPAA privacy regulations, health care providers and other covered entities must keep a record of certain disclosures made of an individual’s PHI and, when requested by the individual, give him or her an “accounting” of the disclosures made. A “disclosure” is defined for these purposes as the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information. The “accounting” must include: (1) the date of the disclosure, (2) the name and address of the entity or person who received the protected health information, (3) a brief description of the information disclosed, and (4) a brief statement of the purpose of the disclosure or a copy of the written request for the disclosure. This accounting provision applies to disclosure of both paper and electronic PHI. Currently, health care providers are not required to keep track of disclosures made for treatment, payment, or health care operations purposes.

The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (PL 111-5), requires HHS to modify the HIPAA Privacy, Security, and Enforcement Rules to strengthen the privacy and security protections for health information. The HHS proposed rule, directed at addressing this requirement, will increase the responsibilities of covered entities to account for disclosures and extend those requirements to the covered entities’ business associates. In particular, the proposed rule would give an individual a right to an “access report,” which would include information on electronic access by any person, including workforce members and persons outside the covered entity. The access report would provide information on who has accessed electronic PHI in a designated record set including access for purposes of treatment, payment, and health care operations. The right to an access report would only apply to PHI that is maintained in an electronic designated record set. The access report would cover a three-year period and would require the date, time, and name of the person or entity who accessed the information. It would also require the inclusion of a description of the PHI that was accessed and the user’s action, to the extent such information is available. Covered entities will have to revise their Notice of Privacy Practices (and redistribute them to patients) to inform patients of their right to receive an “access report” in addition to an accounting of certain disclosures.

The proposed rule would require covered entities and business associates to comply with the modifications to the accounting of disclosures requirement beginning 180 days after the effective date of the final regulation. Further, covered entities and business associates must provide individuals with a right to an “access report” beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic designated record set systems acquired as of January 1, 2009.

Please let us know if we may provide additional information on the proposed regulations or assistance in the preparation of comments.