OCR Releases Proposed Rule on Accounting of Disclosure
|The Office for Civil Rights today released a proposed rule expanding an individual’s rights to an accounting of disclosures of protected health information. The rule modifies the HIPAA privacy rule to implement changes required under the 2009 HITECH Act. Official publication in the Federal Register is scheduled for May 31. OCR’s proposed rule restates the HITECH requirement that covered entities must account for disclosures of protected health information made for purposes of treatment, payment, and healthcare operations—actions previously exempt under HIPAA—if they maintain the information in electronic format.||.||
AHIMA will review the proposed rule in a a free audio seminar June 7. The live event is limited to the first 300 registrants. Register here. Web replay will be available at a later date.
The rule also confirms that covered entities must account for the disclosures of their business associates or require the associates to make their own accounting. Business associates must respond to individual requests made directly to them.
As specified in HITECH, the accounting period is shortened to three years from the date of the individual’s request.
Rights to Reports on Disclosure and Access
In addition, acting on its “general authority under HIPAA,” OCR proposes revising the privacy rule to create two separate rights for individuals: the right to an accounting of disclosures and the right to a report on access.
The access report would not distinguish between “uses” and “disclosures,” thus it would apply when any person accesses a designated record set maintained in an electronic system.
The right to a report on access was not called for specifically under HITECH, but OCR appears to be acknowledging long-standing comments from both providers and consumers that individuals are often more interested in who accessed their information than to whom it was disclosed. The change is intended to “ensure that individuals are receiving the information that is of most interest,” OCR writes.
As proposed, the access report would not indicate the purpose of the access. OCR considers the accounting of disclosure to be the “full accounting” that provides greater detail.
Reporting the Designated Record Set
HITECH did not identify the information to be contained in the accounting. OCR proposes that individuals would have rights to reports on the disclosure and access of the information contained in their designated record sets.
The right to an accounting of disclosure would encompass disclosures of protected health information in a designated record set maintained in either hard copy or electronic format. The access report would only apply to protected health information about an individual that is maintained in an “electronic designated record set.”
First Reports in 2013
Compliance under the rule for all entities covered by HIPAA would begin 180 days after the effective date of the final rule. The rule will become effective 60 days following its publication, so covered entities and business associates will have 240 total days to prepare.
Individuals would have a right to access a report beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic designated record set systems acquired as of January 1, 2009.
Under HITECH, the first of the deadlines would have occurred January 1 of this year.
Publication has been expected for months. OCR first submitted a copy to the Office of Management and Budget for review in early February. In May 2010 OCR requested public input on accounting of disclosure. In part, the office sought comment on the administrative burden of managing expanded accounting, which many covered entities predict will far outweigh the value that patients will receive from them.
Full Set of Privacy Changes Still to Come
OCR’s proposed rule does not address the full set of modifications that HITECH makes to the HIPAA privacy rule, including expansions of consumer’s rights to access and restrict their health information and restrictions related to marketing, fund-raising, and sale of protected health information.
OCR released a notice of proposed rule making covering these modifications in July 2010. A final rule is expected by the end of this year.