On May 31, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ("OCR") published a notice of proposed rulemaking ("NPRM") modifying the HIPAA Privacy Rule's standard for accounting of disclosures of protected health information ("PHI"). The rulemaking was required by the Health Information Technology for Economic and Clinical Health ("HITECH") Act, which requires covered entities and business associates to account for disclosures of PHI made through an electronic health record ("EHR") for purposes of treatment, payment, and health care operations. Under the Privacy Rule, accounting for paper disclosures of PHI for these three purposes was not required.
Although covered entities and business associates were hoping that the NPRM might limit the burden of complying with the statutory requirements of the HITECH Act, those hopes have not been realized. The NPRM somewhat lessens the compliance burden by limiting the existing accounting provisions, but any reduced burden in that regard is offset by the proposed new right individuals would have to receive a report of who, within or outside the covered entity, has accessed their electronic PHI ("ePHI").
Industry's Response to Request for Information on Accounting Requirement. The health care industry has repeatedly expressed concern about the effort and costs likely involved in complying with an enhanced accounting requirement, especially since most covered entities report that only a very few individuals have requested an accounting since the April 14, 2003 effective date of the Privacy Rule. In May 2010, OCR published a request for information ("RFI") in which it sought the industry's guidance on the burdens covered entities face in accounting for disclosures, the capabilities of current technologies, and the extent of individuals' interest in learning about disclosures of their PHI.
Although 10 of the 171 respondents to the RFI noted that accounting for disclosures for purposes of treatment, payment, and health care operations would foster increased transparency and patient trust, as well as improve the detection of breaches of PHI and poor privacy and security safeguards, a majority of respondents asserted that such accountings would provide "little to no benefit to individuals (over 80 respondents)" while incurring "substantial administrative, staffing and monetary burdens (over 120 respondents)." Those concerned about the burdens of the new requirement cited potential increased health care costs, reduced patient care time as a result of disruptions to provider work flow, and a possible chilling effect on the adoption of EHR systems, especially among small providers. Of the covered entities responding, nearly 30 had received no requests for an accounting of disclosures, and more than 90 covered entity respondents had received fewer than 20 requests, since the Privacy Rule's effective date.
In the NPRM, OCR addressed these concerns by proposing to revise the accounting requirement to provide two separate rights for individuals: a modified right to receive an accounting of disclosures, and a new right to receive an access report (to include information about electronic access to an individual's ePHI by workforce members and persons outside the covered entity). The access report would provide information on who has accessed ePHI in a designated record set, including any access for purposes of treatment, payment, and health care operations, while the accounting would provide more detailed information about disclosures of PHI or ePHI to those outside the covered entity and its business associates. OCR believes that such access reports would be created through an automated process performed by covered entities' information systems. Because the HIPAA Security Rule already requires covered entities and business associates to maintain access logs, OCR asserted that creating such reports would impose a minimal burden on those entities.
New Accounting Rules. The NPRM would revise the Privacy Rule provision on accounting of disclosures to require accountings of disclosures only of PHI maintained in a designated record set, rather than disclosures of PHI stored elsewhere. This means, for example, that no accounting need be made of disclosures of PHI contained in a hospital's peer review files, provided that such information is used to improve patient care rather than to make decisions about individuals. The NPRM would further revise the Privacy Rule's accounting provision to list the types of disclosures that are subject to the accounting, rather than listing the types of disclosures that are exempt from the accounting.
Thus, accountings of disclosures would only be required for disclosures:
- that are impermissible under the Privacy Rule but did not result in a breach notice
- for all public health activities except disclosures that are also required by law and disclosures of child abuse or neglect
- for judicial and administrative proceedings
- for law enforcement activities
- to avert a serious threat to health or safety
- for military and veterans activities
- for Department of State medical suitability determinations
- to government programs providing public benefits
- for workers' compensation
The proposed revised accounting requirement is not as straightforward (or as likely to reduce the compliance burden) as it may appear. First, the categories of disclosures subject to the accounting requirement are not clearly delineated. For example, although covered entities and business associates generally would not be required to account for disclosures required by law, they would be required to account for disclosures for judicial and administrative proceedings and for law enforcement purposes, even where those disclosures are required by law. In contrast, if a public health disclosure (which usually must be included in an accounting) is also required by law, it would not be subject to the accounting requirement—although a public health disclosure that is permitted by law would be. Second, covered entities would have to exclude from an accounting or access report any patient safety work product information (as defined in the Patient Safety and Quality Improvement Act of 2005). These detailed requirements, among others, would require covered entities and business associates to implement very specific policies and procedures for accounting of disclosures and access reports and then carefully train affected employees.
Although the NPRM does not require an accounting of disclosures for purposes of treatment, payment, and health care operations where such disclosures are made through an EHR and pass through an electronic health information exchange ("HIE"), OCR cautioned that it intends to revisit this issue as electronic HIE expands to determine whether to require covered entities and business associates to account for such disclosures. This definitely is not good news.
Content of Accounting. The NPRM would require covered entities and business associates to provide the date of disclosure or, if the actual date is not known, an approximate date or period of time for each disclosure (month and year). For multiple disclosures to the same entity for the same purpose, an approximate time period of all the disclosures would be sufficient (from month/year to month/year). Alternatively, the accounting could include a description for the date of disclosure, such as "within 15 days of discharge" for a disclosure to a public health authority. Accountings would have to include the name of the person or entity who received the information and their address, if known, unless disclosure of the name would result in disclosing PHI (where, for example, disclosure was to another patient). Accountings also would be required to include a brief description of the type of PHI disclosed and the purpose of the disclosure (e.g., "for public health").
Timing and Format of Accounting. The NPRM would require a covered entity or business associate to provide an accounting within 30 days of an individual's request, with a single 30-day extension if needed, as compared to the current 60-day response deadline under the Privacy Rule. An accounting would have to be provided in the form and format requested by the individual if readily producible in such form and format (e.g., in electronic form and compatible with a certain software application). However, OCR did not propose to require the provision of accountings in electronic form, because it recognizes that "generating an accounting for disclosures is still a very manual process," and because the accounting requirement applies to both paper and electronic records.
Covered entities are not responsible for ePHI once it is in the hands of the individual; therefore, if an individual requests an electronic copy of the accounting but does not want the file to be encrypted or password protected, the covered entity should comply with the individual's request. The NPRM also permits covered entities to require individuals to request accountings in writing, and—in order to target the accounting to the individual's concerns—covered entities may permit individuals to narrow an accounting request to disclosures made during a certain time period, to a certain recipient, or for a certain purpose.
Documentation Requirements for Accounting. The Privacy Rule required covered entities to account for disclosures of PHI for a period of six years before the date of the individual's request. The NPRM would reduce the period covered by the accounting to three years before the individual's request. Accordingly, covered entities and business associates would have to maintain documentation needed to generate an accounting for only three years, but they would have to retain a copy of any accounting that was provided to an individual for six years. These same documentation requirements would apply to access reports.
New Requirement for Access Reports. Under the NPRM, an individual would have a right to a report of every disclosure of, and access to, the individual's ePHI that is maintained in any designated record set. This proposal appears to significantly exceed the scope of the HITECH Act requirement, which limited the accounting requirement to disclosures of ePHI through an EHR. However, citing the Security Rule requirement that all electronic systems containing designated record set information must create access logs, OCR expanded the accounting right to include uses of information (including access), and to apply that right to all ePHI maintained in a designated record set.
OCR believes that requiring individuals to contact business associates for access reports would unduly burden such individuals, who generally have no relationship with most business associates and would not know which business associates maintain their PHI in a designated record set. Accordingly, the NPRM would require covered entities to furnish access reports on behalf of their business associates that maintain designated record set information. This means that (a) business associates who maintain designated record sets would have to maintain access logs regarding such information and provide those logs to covered entities upon request, and (b) within 30 days after an individual's request, covered entities would have to collect such logs from their business associates and produce them, along with their own access logs (which may be aggregated from logs in multiple systems containing ePHI). To limit the burden of this requirement, covered entities can prevent many of their business associates from maintaining a designated record set.
Content of Access Report. Access reports would have to include the date of access, the time of access, the name of the person (if available) or entity accessing the ePHI, a description of what information was accessed (if available), and a description of what action the user took (if available) (such as "create," "modify," "access," or "delete"). With respect to the name requirement, even though many access logs provide only a user ID instead of a name, OCR nonetheless expects covered entities to match user IDs with the applicable first and last names to create the access report. This requirement could become burdensome, especially if the matching process can't be automated. The access report would not need to include the address of the user or a brief statement of the purpose of the access or disclosure, as OCR noted the high burden collecting this information would place on entities as well as the limited interest of individuals in having this information.
Covered entities may permit individuals to limit the scope of the access report to a specific date, time period, or person, and OCR recommends that covered entities offer individuals the opportunity to limit the access report to specific organizations; in this way, a covered entity may need to require only one of its business associates to provide an access report if that is the entity about which the individual seeks information.
Timing and Format of Access Report. The NPRM would require covered entities to provide access reports to individuals within 30 days of the request, with a single 30-day extension if necessary. An access report also must be provided to an individual in the form and format requested by the individual if readily producible in such form and format. Unlike accountings, the access report applies only to electronic records.
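The access report described in the three preceding paragraphs is, in practice, an aggregation problem: access logs from the covered entity's own systems and from each business associate holding designated record set information have to be normalized into one record shape, matched against a workforce directory to turn user IDs into names, narrowed to the date range, person or organization the individual asked about, and rendered in a format the individual can use. The following Python example is added here to illustrate that pipeline; it is not OCR's code and does not come from any EHR or claims vendor. The two log layouts, the record IDs, the user IDs, the organization labels ("Covered Entity", "Claims BA") and the workforce directory are all constructed for the example. Where a user ID has no directory match (the case the NPRM discussion flags as potentially burdensome), the report keeps the raw ID and marks the name as unavailable rather than silently dropping the entry.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample data (not real logs): two systems that each hold part
# of an individual's designated record set, plus a workforce directory.

# System A: the covered entity's own record system. CSV-style lines of
# timestamp, individual (record) ID, user ID, action, information accessed.
SYSTEM_A_LOG = """\
2012-03-04T09:15:22Z,rec-1001,u4471,read,problem_list
2012-03-04T09:16:05Z,rec-1001,u4471,modify,medication_list
2012-03-05T14:02:48Z,rec-2002,u9902,read,demographics
2012-03-06T11:40:10Z,rec-1001,u7730,read,lab_results
"""

# System B: a business associate's claims system with a different layout.
SYSTEM_B_LOG = [
    {"ts": "2012-03-05 08:05:00", "patient": "rec-1001",
     "actor": "ba-claims-batch", "op": "access", "what": "claim_history"},
    {"ts": "2012-03-07 16:30:12", "patient": "rec-1001",
     "actor": "u4471", "op": "delete", "what": "claim_note"},
]

# Workforce directory used to match user IDs to first and last names (constructed).
DIRECTORY = {"u4471": "Alice Example", "u7730": "Bob Example"}


def parse_system_a(text, organization):
    """Normalize System A's CSV lines into common access records."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, individual, user_id, action, info = row
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append({"when": when, "individual": individual, "user_id": user_id,
                        "action": action, "information": info, "organization": organization})
    return records


def parse_system_b(rows, organization):
    """Normalize System B's dict rows (timestamps assumed to be UTC) into the same shape."""
    records = []
    for r in rows:
        when = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        records.append({"when": when, "individual": r["patient"], "user_id": r["actor"],
                        "action": r["op"], "information": r["what"], "organization": organization})
    return records


def resolve_name(user_id, directory):
    """Match a user ID to a name; keep unmatched IDs visible instead of dropping them."""
    return directory.get(user_id) or f"{user_id} (name not available)"


def build_access_report(individual, sources, directory, start=None, end=None, organization=None):
    """Merge normalized records from every source into one report for one individual.

    start and end are inclusive "YYYY-MM-DD" strings; organization optionally
    narrows the report to a single covered entity or business associate.
    """
    rows = []
    for records in sources:
        for rec in records:
            if rec["individual"] != individual:
                continue
            day = rec["when"].strftime("%Y-%m-%d")
            if start and day < start:
                continue
            if end and day > end:
                continue
            if organization and rec["organization"] != organization:
                continue
            rows.append(rec)
    rows.sort(key=lambda r: r["when"])
    return [{
        "date": r["when"].strftime("%Y-%m-%d"),
        "time": r["when"].strftime("%H:%M:%S UTC"),
        "name": resolve_name(r["user_id"], directory),
        "organization": r["organization"],
        "information": r["information"],
        "action": r["action"],
    } for r in rows]


def report_to_csv(report):
    """Render the report as CSV, one readily producible electronic format."""
    fields = ["date", "time", "name", "organization", "information", "action"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(report)
    return buf.getvalue()


SOURCES = [parse_system_a(SYSTEM_A_LOG, "Covered Entity"),
           parse_system_b(SYSTEM_B_LOG, "Claims BA")]

if __name__ == "__main__":
    print(report_to_csv(build_access_report("rec-1001", SOURCES, DIRECTORY)))
```

The normalization step is where most of the real effort sits: each system in the designated record set needs its own parser, and the merged report is only as complete as the least capable log feeding it. The unmatched-name path is also worth auditing separately, since a report full of bare service-account IDs is exactly the outcome the NPRM's name requirement is meant to avoid.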
The Stealth Issue for Health Plans. The access report requirement, if unchanged in the final rule, will significantly affect health plan operations. Health plans do not typically maintain EHRs and, accordingly, they were not affected by the HITECH Act provision that expanded the accounting requirement to include disclosures for treatment, payment, or health care operations made through an EHR. But health plans do maintain ePHI of their beneficiaries in designated record sets, as do many health plan business associates. In addition, covered entities or other employers who maintain and administer self-funded health plans for their employees, along with covered entities who bill electronically but do not use EHRs, may find themselves required to comply with the access report requirements, separate and apart from their compliance obligations in their capacities as covered entities.
Compliance Dates. Compliance with the proposed accounting requirements would be required within 240 days of publication of the final rule (expected by the end of 2011). Compliance with the proposed requirement to provide access reports would be required by January 1, 2013 (for electronic designated record set systems acquired after January 1, 2009) or by January 1, 2014 (for electronic designated record set systems acquired before January 1, 2009). However, OCR encourages (but does not require) entities using systems acquired both before and after January 1, 2009 to provide access reports during 2013 that include all systems.
Suggested Action Items.
- The NPRM is a proposed rule, and OCR likely will receive numerous comments recommending a variety of changes; some of these proposed changes may be adopted in the final rule. Accordingly, covered entities and business associates should consider submitting comments to the NPRM that address both the beneficial and burdensome aspects of the proposal. Comments to the NPRM, available at http://www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf, are due by August 1, 2011.
- Although covered entities and business associates should not rush to revise their Notices of Privacy Practices or internal policies regarding accounting of disclosures, at this time they can prepare for the forthcoming rule by reviewing their information system auditing capabilities to confirm that those systems are capable of logging user access to ePHI in designated record sets and that such logging is in fact enabled.
- Covered entities also should determine and track which business associates maintain or store PHI or ePHI in designated record sets and attempt to limit or eliminate the ability of business associates to maintain or store this information.
- Self-funded employer health plans should review their business associate and plan administration/supervision agreements to determine whether changes will be required if this new requirement should be incorporated into the final rule.