OCR Releases Proposed Rule on Accounting of Disclosure

The Office for Civil Rights today released a proposed rule expanding an individual’s rights to an accounting of disclosures of protected health information. The rule modifies the HIPAA privacy rule to implement changes required under the 2009 HITECH Act. Official publication in the Federal Register is scheduled for May 31. OCR’s proposed rule restates the HITECH requirement that covered entities must account for disclosures of protected health information made for purposes of treatment, payment, and healthcare operations—actions previously exempt under HIPAA—if they maintain the information in electronic format. .
Audio Seminar
AHIMA will review the proposed rule in a a free audio seminar June 7. The live event is limited to the first 300 registrants. Register here. Web replay will be available at a later date.

The rule also confirms that covered entities must account for the disclosures of their business associates or require the associates to make their own accounting. Business associates must respond to individual requests made directly to them.

As specified in HITECH, the accounting period is shortened to three years from the date of the individual’s request.

Rights to Reports on Disclosure and Access

In addition, acting on its “general authority under HIPAA,” OCR proposes revising the privacy rule to create two separate rights for individuals: the right to an accounting of disclosures and the right to a report on access.

The access report would not distinguish between “uses” and “disclosures,” thus it would apply when any person accesses a designated record set maintained in an electronic system.

The right to a report on access was not called for specifically under HITECH, but OCR appears to be acknowledging long-standing comments from both providers and consumers that individuals are often more interested in who accessed their information than to whom it was disclosed. The change is intended to “ensure that individuals are receiving the information that is of most interest,” OCR writes.

As proposed, the access report would not indicate the purpose of the access. OCR considers the accounting of disclosure to be the “full accounting” that provides greater detail.

Reporting the Designated Record Set

HITECH did not identify the information to be contained in the accounting. OCR proposes that individuals would have rights to reports on the disclosure and access of the information contained in their designated record sets.

The right to an accounting of disclosure would encompass disclosures of protected health information in a designated record set maintained in either hard copy or electronic format. The access report would only apply to protected health information about an individual that is maintained in an “electronic designated record set.”

First Reports in 2013

Compliance under the rule for all entities covered by HIPAA would begin 180 days after the effective date of the final rule. The rule will become effective 60 days following its publication, so covered entities and business associates will have 240 total days to prepare.

Individuals would have a right to access a report beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic designated record set systems acquired as of January 1, 2009.

Under HITECH, the first of the deadlines would have occurred January 1 of this year.

Publication has been expected for months. OCR first submitted a copy to the Office of Management and Budget for review in early February. In May 2010 OCR requested public input on accounting of disclosure. In part, the office sought comment on the administrative burden of managing expanded accounting, which many covered entities predict will far outweigh the value that patients will receive from them.

Full Set of Privacy Changes Still to Come

OCR’s proposed rule does not address the full set of modifications that HITECH makes to the HIPAA privacy rule, including expansions of consumer’s rights to access and restrict their health information and restrictions related to marketing, fund-raising, and sale of protected health information.

OCR released a notice of proposed rule making covering these modifications in July 2010. A final rule is expected by the end of this year.


  1. Very bad timing, right in middle of race to meet Meaningful Use. Seems the rule making cannot stop, virtually guarenteeing errors will be made.

    Post a Reply
  2. this is a challenging modification to the HIPAA rule’s Accountign of Disclosure piece. In my department I opted to maintain copiues disclosure of all information. We scan copies of all of the release request forms, subpeonas and fee letters. We do this for attorney, insurance, agnecy disability every request. So we can look back to see who recieved disclosures. so even after HIPAA became effective, we continuede to maintain the information.

    Post a Reply
  3. It’s hard to conceive they are doing this! Seems like it’s covered very well to patient’s in the Notice of Practice of health information being released for Health care Tx and reimbursement. Being in LTC we always have request to ACF’s with EMR for information to continue with the care of our residents. I can see alot of frustration with this change for EMR users.

    Post a Reply
  4. How does everyone interpret this HITECH disclosure rule? Our Compliance person interprets it to mean anyone that “accesses” the EMR for this patient, not just disclosures. He feels that if anyone views the electronic patient chart, we need to report that on the accounting of disclosures. I, however, look at it as an actual disclosure to someone outside our facility, whether requested or inadvertently. Thanks.

    Post a Reply
  5. We consider “access” or “viewed” as correct. In the SAG (State Attorney General) training tapes online, they are penalizing for “viewed” PHI, meaning USE. As in “USE and disclosure”. They penalized CE for each inappropriate inhouse “view”, employee viewed 250 PHI X $100 = $2500…and penalized for “minimum necessary” violation, no policies or procedure or verified training….I believe the grand total of $30k just for this 1 violation! I would recommend using “access” or “viewed” or “use” as safeguard for disclosure rule, you can never be to careful.

    Post a Reply
  6. I hope to be able to view the audio seminar on June 7 but must be 300 have registered as it wouldn’t register me. Please let me know when the replay will be. Thank you.
    Anita Daw, BS, RHIT
    HIPAA Coordinator

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Share This

Share This

Share this post with your friends!