On May 31, 2011, the Department of Health and Human Services (“HHS”) proposed new regulations under the Health Insurance Portability and Accountability Act (“HIPAA”) that will grant patients the right to obtain more information from their health care providers regarding disclosures of their protected health information (“PHI”). Pursuant to these proposed rules, covered entities and business associates will be required to provide patients with an accounting of disclosures of PHI stored in an electronic health record that have been made for treatment, payment and health care operations (“TPO”). In addition, patients will be able to request an access report informing them who has accessed their electronic PHI in a designated record set.
Accounting for Treatment, Payment and Health Care Operations
Under current HIPAA regulations, covered entities and business associates are already required to maintain an accounting of disclosures of PHI. The accounting must include: (1) the date of the disclosure; (2) the name (and address, if known) of the entity or person who received the protected health information; (3) a brief description of the information disclosed; and (4) a brief statement of the purpose of the disclosure (or a copy of the written request for the disclosure).
Disclosures made for the purposes of TPO have previously been statutorily exempted from the accounting requirement. However, the Health Information Technology for Economic and Clinical Health Act (“HITECH”) provides that the exemption for disclosures to carry out TPO no longer applies to disclosures made through an electronic health record. This proposed rule will implement this new statutory requirement. The proposed rule will also reduce the length of time that the accounting must cover from six years to three years.
Access Reports
In addition to the right to an accounting of disclosures, HHS is proposing to provide patients with a right to receive an access report that informs them who has accessed their electronic PHI that is maintained in a designated record set. An access report is a document that a system administrator or other appropriate person generates from the access log of an electronic health records system in a format that is understandable to the patient. A designated record set is a group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals maintained by or for a covered health care provider;
(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
The access report must set forth: (1) the date of access; (2) the time of access; (3) the name of the natural person, if available, otherwise the name of the entity accessing the electronic designated record set information; (4) a description of what information was accessed, if available; and (5) a description of the action by the user, if available (e.g., “create,” “modify,” “access,” or “delete”).
The covered entity must provide the patient with the first access report requested in a year free of charge. However, the covered entity may charge a reasonable, cost-based fee for additional requests for access reports.
HHS expects that most electronic health record systems will be capable of compiling the accounting of TPO disclosures and the access reports with only a minimal burden to the covered entities. HHS is accepting comments on these proposed regulations until August 1, 2011. If you wish to provide comments, you may do so here. Houston Harbaugh will continue to monitor these rules and keep you abreast of changes to your HIPAA policies and procedures that will need to be implemented.