HHS: HIPAA Privacy Rule Accounting of Disclosures

Wednesday, June 01, 2011

Rebecca Herold


On Friday, May 27, 2011, the Department of Health and Human Services (HHS) published the HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act Notice of Proposed Rule Making (NPRM). 

I’m still going through it but here are my preliminary thoughts…

At a high level, the Accounting of Disclosures NPRM would result in a couple of primary changes:

  • Both covered entities (CEs) and business associates (BAs) would need to account for disclosures of PHI in electronic health records (EHRs) that are part of a designated record set (DRS) for treatment, payment and health care operations (TPO) in addition to the existing requirements for accounting for access to PHI in all forms for generally all types of disclosures that fall outside of TPO. Individuals would have a right to see this “accounting” of disclosures. As indicated within the NPRM, “the intent of the accounting of disclosures is to provide more detailed information (a “full accounting”) for certain disclosures that are most likely to impact the individual.”
  • CEs would need to provide individuals with an “access report” that indicates who has accessed ePHI within a DRS (including access to ePHI within an EHR for TPO) in addition to associated details about that access, such as date, time, type of access, description of the data accessed, and probably most significantly, the specific persons or entities who have accessed them.  As indicated within the NPRM, “The intent of the access report is to allow individuals to learn if specific persons have accessed their electronic designated record set information (it will not provide information about the purposes of the person’s access).”

When taking this further into more specific implications of the changes to CEs and BAs, first consider the HIPAA Security Rule, § 164.312 Technical safeguards. “(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

Logging access to ePHI has been required since the Security Rule went into effect. So, even though the original accounting for disclosures requirements did not include activities for TPO, CEs should theoretically already have the access/disclosure logging activities implemented, as should BAs since the HITECH rule went into effect.

However, realistically, I doubt if more than 40% (and this is my own spit-wad estimation which is likely on the high side) actually have such logging in place. The Accounting of Disclosures NPRM is a wake-up call for CEs and BAs alike to get this portion of the Security Rule implemented. 

Once it is implemented, then creating easy-to-understand reports to show these accesses will be a matter of creating or updating existing applications that access ePHI.  This could take some time to plan for and implement if starting from scratch.

Of significance to CEs and BAs, then, is:

  • The expansion of the accounting of disclosures details. While this is likely already going on for the most part, and is being tracked in one way or another, it will still require changes to the corresponding policies and/or procedures that cover accounting for disclosures, in addition to possible changes in the applications being used to log and track these types of disclosures, and the ways in which this accounting is provided to individuals requesting to see it.
  • The creation of a new Designated Record Set (DRS; containing ePHI) access report.  This data is likely already collected somewhere, but CEs and BAs (who have DRS’s) will need to create reports that are readable by all individuals, and not just a listing of the raw log data.
  • The need to let individuals know their new, expanded rights will result in the need for CEs to update their Notice of Privacy Practices (NPPs), and then ensure the updated NPPs are provided to patients according to the new requirements and within the indicated timeframes, which do seem to try and accommodate the CEs according to current requirements for at least annual notices.
  • The change from 6 years to 3 years for maintaining the accounting for disclosures is likely meant to help save storage space for CEs and BAs, in addition to the stated reasons within the NPRM. However, an impact already being heard is the concern that there are still other standing requirements to maintain certain other documentation, such as policies/procedures, for at least 6 years. CEs and BAs now wonder if they *HAVE* to change the disclosures retention to 3 years, or can keep current logging practices the same (at 6 years) so they have one less thing to do when implementing the final version of this NPRM.
  • The need for BAs to not only get into compliance with the accounting for disclosures requirements, but also create new ePHI access reports; this while they are still trying to get into compliance with the other HITECH requirements that most have not made much progress with to date.  BAs that, to date, have hardly worried about HIPAA/HITECH now are losing sleep over it, and rightly so.  They need to assign staff within their organizations responsibilities for addressing these increasing regulatory requirements for specific information security and privacy controls and practices.
  • These changes would go into effect, if accepted as proposed, for the access reports beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic designated record set systems acquired as of January 1, 2009. So, with all the probable programming/systems changes these will bring, CEs and BAs will need to get started on the changes sooner rather than later, and certainly as soon as the final version of the Accounting for Disclosures NPRM is released. Determining where all DRSs exist now would be prudent; even if the NPRM is not finalized as-is, entities need to have this information documented anyway, and most do not.
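As an added illustration (not code from the original post, from HHS, or from any EHR vendor), here is a small Python script that turns raw audit log lines into the kind of readable, per-individual access report described above: date, time, who accessed the record and from which organization, the type of access, the description of the data accessed, and the system involved. It also separates out accesses by an outside organization as candidate entries for the accounting of disclosures, which is the distinction the two bullet lists above draw. The pipe-delimited log format, the field names, the sample records, the organization names and the `retention_years` window are all assumptions constructed for this example; the log deliberately contains one malformed line to show that a report should surface, not silently drop, records it cannot parse.

```python
"""Build an individual-facing ePHI access report from raw audit log lines.

Added example only: log format, field names, sample records, organization
names and the retention window are constructed assumptions, not the NPRM's
or any vendor's actual schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed sample audit log (pipe-delimited):
# timestamp|actor|actor_org|patient_id|system|action|data_description
SAMPLE_LOG = """\
2011-05-02T09:14:03|dr.lee|Mercy Hospital|P-1001|EHR-Clinical|view|medication list
2011-05-02T09:16:40|dr.lee|Mercy Hospital|P-1001|EHR-Clinical|update|progress note
2011-05-03T14:02:11|billing.svc|ClaimsCo (BA)|P-1001|Billing-DRS|export|claim summary
2011-05-03T14:05:55|nurse.kim|Mercy Hospital|P-2002|EHR-Clinical|view|allergy list
2005-01-15T08:00:00|archivist|Mercy Hospital|P-1001|EHR-Clinical|view|discharge summary
malformed line without enough fields
"""

# Constructed date on which the individual is assumed to request the report.
REQUEST_DATE = datetime(2011, 6, 1)


@dataclass
class AccessEvent:
    when: datetime
    actor: str            # the specific person or service account
    actor_org: str        # organization the actor belongs to (CE or BA)
    patient_id: str       # individual whose DRS record was touched
    system: str           # which DRS-holding system recorded the access
    action: str           # type of access: view, update, export, ...
    data_description: str # plain-language description of the data accessed


def parse_audit_log(text: str) -> List[AccessEvent]:
    """Parse pipe-delimited audit lines; warn on, but do not hide, bad lines."""
    events: List[AccessEvent] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split("|")
        if len(parts) != 7:
            # Silently dropping a record would understate access in the
            # report, so flag it for the log owner to investigate.
            print(f"warning: skipping malformed audit line {lineno}")
            continue
        ts, actor, org, pid, system, action, desc = parts
        events.append(AccessEvent(datetime.fromisoformat(ts), actor, org,
                                  pid, system, action, desc))
    return events


def access_report(events: List[AccessEvent], patient_id: str,
                  as_of: datetime, retention_years: int = 3) -> List[str]:
    """Readable report rows for one individual, newest first, limited to
    the retention window (assumed here to be counted back from as_of)."""
    cutoff = as_of - timedelta(days=365 * retention_years)
    rows = [e for e in events if e.patient_id == patient_id and e.when >= cutoff]
    rows.sort(key=lambda e: e.when, reverse=True)
    return [
        f"{e.when:%Y-%m-%d %H:%M} | {e.actor} ({e.actor_org}) | {e.action} | "
        f"{e.data_description} | {e.system}"
        for e in rows
    ]


def candidate_disclosures(events: List[AccessEvent], patient_id: str,
                          covered_entity: str) -> List[AccessEvent]:
    """Accesses by an organization other than the covered entity itself.

    These are the events a privacy officer would review when building the
    accounting of disclosures; the purpose of each disclosure is not in this
    constructed log and would have to come from the requesting application.
    """
    return [e for e in events
            if e.patient_id == patient_id and e.actor_org != covered_entity]


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    print("Access report for P-1001 (3-year window):")
    for row in access_report(evs, "P-1001", REQUEST_DATE):
        print("  " + row)
    print("Candidate disclosures outside Mercy Hospital:")
    for e in candidate_disclosures(evs, "P-1001", "Mercy Hospital"):
        print(f"  {e.when:%Y-%m-%d} {e.actor_org} {e.action} {e.data_description}")
```

Running the script lists the three 2011 accesses to P-1001 in newest-first order, omits the 2005 access because it falls outside the assumed 3-year window, and flags the ClaimsCo export as the only access from outside the covered entity. The point of the `retention_years` parameter is the 6-versus-3-year question raised above: an organization that keeps the underlying log for 6 years loses nothing by reporting a 3-year window, whereas one that keeps only 3 years cannot later produce a longer one.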

I will provide more details and information related to this in the coming days...

Cross-posted from Privacy Professor
