The new draft regulation from DHHS spells out requirements for electronic health record systems to provide accountings of disclosures and establishes the requirement for an access report. The complete Notice of Proposed Rulemaking for Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) was published at 76 Federal Register 104, Tuesday, May 31, 2011. A condensed version follows.
Previous Privacy Rule Requirements
Under HIPAA’s original Privacy Rule, 45 C.F.R. § 164.528 required covered entities to make available, upon request by an individual, an accounting of certain disclosures of the individual’s protected health information (“PHI”) made during the six (6) years prior to the request. Section 160.103 defined a disclosure as “the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.”
For each such disclosure, the accounting had to include all of the following information:
• Date of the disclosure.
• Name (and address, if known) of the entity or person who received the PHI.
• Brief statement of the purpose of the disclosure (or a copy of the written request for the disclosure).
Section 164.538(a)(1) excepted certain disclosures from the accounting requirement, as follows:
• To carry out treatment, payment, and health care operations (“TPO”).
• To individuals of PHI about them.
• Incident to a use or disclosure otherwise permitted or required by § 164.502, such as disclosures required by law, to coroners, to health oversight agencies, and the like.
• Pursuant to an authorization by the individual.
• For a facility director or for disclosures to family members and others involved in the individual’s care.
• For national security or intelligence purposes.
• To correctional institutions or law enforcement officials in certain circumstances.
• As part of a limited data set.
• That occurred before the compliance date.
The Privacy Rule also limited disclosures about research and included disclosures to and by business associates.
New HITECH Act Requirements
Section 13405(c) of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) eliminated the exemption for disclosures for TPO for those disclosures made “through an electronic health record,” but only for three years prior to the request. For business associates, the covered entity must either provide the accounting or provide a list and contact information of all business associates to allow the individual to obtain an accounting from the business associates.
In addition, as part of the HITECH Act’s incentives to qualified providers to implement an electronic health record (“EHR”), the HITECH Act required DHHS to adopt standards for EHR technology, including technologies that allow for an accounting of disclosures for TPO.
Interim Final Rule
The interim final rule published on January 13, 2010, by the National Coordinator for Health Information Technology adopted a standard that required certified EHRs (that is, those EHRs eligible for the incentives) to have the capability to record date, time, patient identification, and description of the disclosure for disclosures made for TPO.
Access Report: New Required Form of Accounting
In addition to specifying the rules for an accounting, DHHS created a new form of accounting, the access report. The accounting involves cataloguing a set group of disclosures of all PHI (electronic or paper) that is maintained in a designated record set over the preceding three years. The access report involves cataloguing any access to ePHI (electronic PHI) in a designated record set, regardless of whether the access is for a use or a disclosure, for any purpose over the preceding three years.
Notice of Proposed Rulemaking for Accounting of Disclosures under the HITECH Act
The requirements of the new draft regulation, as drafted by DHHS, are as follows:
§ 164.528 Accounting of disclosures of protected health
information and access report.
(a)(1) Standard: Right to an accounting of disclosures of protected
health information. (i) Except as provided in paragraph (a)(1)(ii)
of this section, an individual has the right to a written accounting
of the following disclosures of protected health information about
the individual in a designated record set by a covered entity or
business associate made in the three years prior to the date on
which the accounting is requested:
(A) Disclosures not permitted by this subpart, unless the individual
has received notification of the impermissible disclosure pursuant
to § 164.404;
(B) For public health activities as provided in § 164.512(b),
except disclosures to report child abuse or neglect pursuant to §
164.512(b)(1)(ii);
(C) For judicial and administrative proceedings as provided in §
164.512(e);
(D) For law enforcement purposes as provided in § 164.512(f);
(E) To avert a serious threat to health or safety as provided in §164.512(j);
(F) For military and veterans activities, the Department of State’s
medical suitability determinations, and government programs
providing public benefits as provided in § 164.512(k)(1), (4), and
(6); and
(G) For workers’ compensation as provided in § 164.512(l).
(ii) A covered entity need not account for a disclosure under
paragraph (a)(1)(i) of this section if it also is required by law,
unless such disclosure falls under paragraphs (a)(1)(i)(C) or (D).
(2) Implementation specification: Content of the accounting. (i)
The accounting must include for each disclosure:
(A)(1) The date, if known; or if not, the approximate date or
period of time during which the disclosure occurred which, at a
minimum, shall include the month and year or a description of
when the disclosure occurred from which an individual can readily
determine the month and year of the disclosure; or
(2) For multiple disclosures to the same recipient for a single
purpose, the dates, as described in paragraph (a)(2)(i)(A)(1) of
this section, of the first disclosure and the last disclosure in the
accounting period.
(B) The name of the entity or natural person who received the
protected health information and, if known, the address of such
entity or person, except when such information constitutes
protected health information about another individual, in which
case a description such as “another patient,” “another enrollee,” or
similar language must be included;
(C) A brief description of the type of protected health information
disclosed; and
(D) A brief description of the purpose of the disclosure that
reasonably informs the individual of the basis for the disclosure
or, in lieu of such description, a copy of a written request for a
disclosure under § 164.512, if any.
(ii) The covered entity shall provide the individual with the option
to limit the accounting of disclosures to a specific time period, type
of disclosure, or recipient.
(3) Implementation specification: Provision of the accounting. (i)
The covered entity must act on the
individual’s request for an accounting no later than 30 days after
receipt of such a request, as follows.
(A) The covered entity must provide the individual with the
accounting requested; or
(B) If the covered entity is unable to provide the accounting within
the time required by paragraph (a)(3)(i) of this section, the covered
entity may extend the time to provide the accounting by no more
than 30 days, provided that:
(1) The covered entity, within the time limit set by paragraph (a)(3)
(i) of this section, provides the individual with a written statement
of the reasons for the delay and the date by which the covered
entity will provide the accounting; and
(2) The covered entity may have only one such extension of time
for action on a request for an accounting.
(ii) The covered entity must provide the accounting in the form
and format requested by the individual, if it is readily producible
in such form and format; or, if not, in a readable hard copy form or
such other form and format as agreed to by the covered entity and
the individual.
(iii)(A) The covered entity must provide the first accounting to
an individual in any 12-month period without charge and inform
the individual at the time of the request that there may be a fee for
each subsequent request for an accounting by the individual within
the 12-month period.
(B) The covered entity may impose a reasonable, cost-based
fee for each subsequent request for an accounting by the same
individual within the 12-month period, provided that the
covered entity informs the individual of the fee at the time of the
subsequent request and provides the individual with an opportunity
to withdraw or modify the request for a subsequent accounting in
order to avoid or reduce the fee.
(iv) The covered entity may require individuals to make requests
for an accounting in writing provided that it informs individuals of
such a requirement.
(4) Implementation specification: Law enforcement delay. (i)
If a law enforcement official states to a covered entity that
providing an accounting to an individual of disclosures to the law
enforcement official would be reasonably likely to impede the law
enforcement agency’s activities, the covered entity shall:
(A) If the statement is in writing and specifies the time for
which a delay is required, delay providing the individual with an
accounting of disclosures for such purposes for the time period
specified; or
(B) If the statement is made orally, document the statement,
including the identity of the official making the statement, and
delay providing the individual with an accounting of disclosures
for such purposes temporarily and no longer than 30 days from the
date of the oral statement unless a written statement as described in
paragraph (a)(4)(i)(A) of this section is received during that time.
(ii) The covered entity shall account for all other disclosures in
accordance with paragraph (a) of this section and shall supplement
the accounting with information about the disclosures to law
enforcement upon expiration of the requested law enforcement
delay.
(5) Implementation specification: Documentation. (i)
Notwithstanding § 164.530(j)(2), for each disclosure that is subject
to the accounting requirements of this section, a covered entity
or business associate must retain the information required to be
included in an accounting under this section for three years from
the date of the disclosure.
(ii) A covered entity must document the following and retain the
documentation as required by § 164.530(j):
(A) A copy of the written accounting that is provided to the
individual under this section; and
(B) The titles of the persons or offices responsible for receiving
and processing requests for an accounting by individuals.
(b)(1) Standard: Right to an access report. An individual has
a right to receive a written access report that indicates who has
accessed protected health information about the individual in an
electronic designated record set maintained by a covered entity or
business associate for up to three years prior to the date on which
the access report is requested.
(2) Implementation specification: Content of the access report.
(i) The covered entity must provide the individual with an access
report that includes the following:
(A) Date of access;
(B) Time of access;
(C) Name of natural person, if available, otherwise name of entity
accessing the electronic designated record set;
(D) Description of what information was accessed, if available;
and
(E) Description of action by the user, if available,
e.g., “create,” “modify,” “access,” or “delete.”
(ii) The covered entity shall provide the individual with the option
to limit the access report to a specific date, time period, or person.
The covered entity may provide the individual with the option
to limit the access report to a specific organization, such as the
covered entity or a specific business associate.
(iii) The covered entity must provide the access report in a format
that is understandable to the individual.
(3) Implementation specification: Provision of the access report.
(i) The covered entity must act on the individual’s request for an
access report no later than 30 days after receipt of such a request,
as follows.
(A) The covered entity must provide the individual with the access
report requested; or
(B) If the covered entity is unable to provide the access report
within the time required by paragraph (b)(3)(i) of this section, the
covered entity may extend the time to provide the accounting by
no more than 30 days, provided that:
(1) The covered entity, within the time limit set by paragraph
(b)(3)(i) of this section, provides the individual with a written
statement of the reasons for the delay and the date by which the
covered entity will provide the access report; and
(2) The covered entity may have only one such extension of time
for action on a request for an access report.
(ii) The covered entity must provide the individual with the access
report in a machine readable or other electronic form and format
requested by the individual, if it is readily producible in such form
and format; or, if not, in a readable electronic form and format as
agreed to by the covered entity and the individual. If the individual
requests the access report in hard copy form, the covered entity
must provide the individual with the access report in a readable
hard copy form. For purposes of this paragraph, machine readable
data is digital information stored in a standard format enabling the
information to be processed and analyzed by computer.
(iii)(A) The covered entity must provide the first access report to
an individual in any 12-month period without charge and inform
the individual at the time of the request that there may be a fee
for each subsequent request for an access report by the individual
within the 12-month period.
(B) The covered entity may impose a reasonable, cost-based
fee for each subsequent request for an access report by the
same individual within the 12-month period, provided that the
covered entity informs the individual of the fee at the time of the
subsequent request and provides the individual with an opportunity
to withdraw or modify the request for a subsequent access report in
order to avoid or reduce the fee.
(iv) The covered entity may require individuals to make requests
for an access report in writing provided that it informs individuals
of such a requirement.
(4) Implementation specification: Documentation. (i)
Notwithstanding § 164.530(j)(2), for each use or disclosure that is
subject to the access report requirements of this section, a covered
entity or business associate must retain the information required to
be included in an access report under this section for three years
from the date of the use or disclosure.
(ii) A covered entity must document the following and retain the
documentation as required by § 164.530(j):
(A) A copy of the access report that is provided to the individual
under this section; and
(B) The titles of the persons or offices responsible for receiving
and processing requests for an access report by individuals.
(c) Confidentiality of patient safety work product. A covered
entity shall exclude from an accounting or access report under this
section any information that meets the definition of patient safety
work product at 42 CFR 3.20.