Earlier this year, the Department of Health and Human Services issued proposed regulations under the privacy rule of the Health Insurance Portability and Accountability Act of 1996. The proposed regulations address the changes to the accounting requirement under the HIPAA privacy rule, pursuant to the Health Information Technology for Economic and Clinical Health Act. The regulations also create a new requirement that covered entities - health plans, health care clearinghouses and health care providers - provide an access report to individuals upon request.
Under the HIPAA privacy rule, people have the right to obtain an accounting of disclosures of their protected health information made by the covered entity. Generally, covered entities are required to provide this accounting within 60 days of the individual's request. Certain disclosures don't have to be included, such as disclosures to carry out treatment, payment, or health care operations, and disclosures pursuant to the individual's authorization. Most disclosures made by group health plans fall within the treatment, payment, or health care operations classification. However, some disclosures made by a group health plan will not fall within the exceptions to the accounting requirement, such as accidental disclosures or disclosures pursuant to a subpoena or court order.
The HITECH Act made significant changes to the accounting rule by requiring that covered entities provide an accounting of disclosures from electronic health records, including disclosures for purposes of treatment, payment or health care operations. Under the HITECH Act, however, an accounting need only cover disclosures made over the previous three years, as opposed to the six-year period required under the original accounting rule.
The proposed regulations
Under the proposed regulations, individuals have the right to receive an accounting of disclosures of their PHI in both paper and electronic form and a written access report of who has accessed their electronic PHI. These rights only extend to PHI maintained in a "designated record set," which generally includes PHI contained in the records used or maintained by a covered entity to make decisions about an individual.
Only specified types of disclosures are subject to the accounting rule. For example, under the proposed regulations, an accounting of disclosures must include:
* Disclosures not permitted by the HIPAA privacy rule, unless the individual has received notification of the impermissible disclosure under the breach notification rules.
* Disclosures for public health activities (except disclosures to report child abuse or neglect).
* Disclosures for judicial and administrative proceedings.
* Disclosures for law enforcement purposes.
* Disclosures to avert a serious threat to health or safety.
* Disclosures for military and veterans activities, the Department of State's suitability determinations and government programs providing public benefits.
* Disclosures for workers' compensation.
Notably, the proposed regulations do not require a covered entity to include disclosures for treatment, payment or health care operations in an accounting of disclosures.
Under the proposed regulations, an accounting of disclosures is required to include disclosures made by both the covered entity and a business associate. Under the current rule, only disclosures made by covered entities are required to be included in an accounting of disclosures. Under the new rule, a covered entity will be required to coordinate with its business associates to ensure that it includes all required disclosures in an accounting.
In addition, under the revised accounting rule, the timeframe for responding to an individual's request for an accounting has been reduced from 60 days to 30 days. However, the accounting is only required to include disclosures made in the previous three years, rather than the previous six years, as currently required under HIPAA.
The new access report requirement under the proposed regulations requires covered entities - including group health plans - to provide individuals with a report of all electronic PHI contained in a designated record set that has been used or disclosed by the covered entity or a business associate. Under the proposed regulations, the access report is not limited to PHI contained in electronic health records, as the HITECH Act had provided.
In addition, the access report must include all uses and disclosures of electronic PHI during the three years prior to the individual's request, including internal disclosures and disclosures for purposes of treatment, payment or health care operations.
Generally, the access report must contain information such as the date, time and description of the information that was accessed, and the user's action - such as whether the user created, modified or deleted the information. As the access report requirement includes uses and disclosures made by both the covered entity and a business associate, in certain circumstances, it may be necessary for a covered entity to aggregate all access information into a single report.
In light of the proposed regulations, employers should review and revise their HIPAA policies and procedures to ensure their group health plans are in compliance with HIPAA. As a result of the new access report requirement, employers and group health plans should ensure that they will have the technology in place to track all uses and disclosures of electronic PHI contained in designated record sets. Employers should also be prepared to review and revise their notices of privacy practices to reflect the changes made by the proposed regulations.
Contributing Editor Kate Bongiovanni is an associate in the tax section of Smith, Gambrell & Russell, LLP. She can be reached at