HIPAA Changes Seek Balance of Compliance, Right To Know

In accordance with the HITECH Act’s call for revising privacy rules governing health care information, the federal government has proposed changes to the Health Insurance Portability and Accountability Act that would allow patients to learn more about who has access to their electronic health information.

HIPAA’s Privacy Rule sets limits on who can access an individual’s protected health information (PHI) and gives individuals a number of rights concerning that data, including the right to receive an “accounting of disclosures” from health care providers and other HIPAA-covered entities. An accounting of disclosures includes information about when PHI has been shared and for what purpose, among other things. However, under existing law, accountings do not have to include disclosures that health care providers and other covered entities make to carry out treatment, payment and health care operations (such as when a primary care physician sends a patient’s medical records to a specialist for follow-up care).

Patient privacy advocates have suggested this exclusion eliminates a broad swath of disclosures about which individuals would like to know.

The HITECH Act requires HHS to revise the Privacy Rule to remove the exclusion for disclosures for treatment, payment and health care operations to the extent that the disclosures are made through an electronic health record.

In response, HHS last month proposed new rules that would primarily do two things:

  • Provide individuals with a new “access report” that lists who has accessed their PHI in an electronic designated record set (which is basically medical records, billing records, or other information that is used by covered entities to make payment or treatment decisions and that is maintained electronically) for any purpose, including for treatment, payment and health care operations; and
  • Make changes to “streamline” the Privacy Rule’s current accounting of disclosures provision, such as limiting the types of disclosures that must be accounted for.

Privacy Rule’s Current Accounting of Disclosures Provision

As it currently stands, the Privacy Rule requires covered entities to provide individuals who request it with an accounting of disclosures of their PHI during the six years prior to the request. The accounting must include disclosures by both the covered entity and its business associates. Disclosures refer to access to PHI by someone outside of the covered entity’s or its business associates’ organization.

This means that covered entities and their business associates must track — in both paper records and electronic systems — the following information:

  • Date of the disclosure;
  • Name (and address, if known) of the entity or person who received the data;
  • Brief description of the information disclosed; and
  • Brief statement of the purpose of the disclosure (or a copy of the written request for the disclosure). 

The accounting must include disclosures of PHI for any purpose except for those specifically excluded by the Privacy Rule, such as those for treatment, payment and health care operations.

New Access Report Requirement

The new rules would require the access report to list who has accessed an individual’s PHI in an electronic designated record set, including for treatment, payment and health care operations, among other purposes. Unlike existing accountings of disclosures, the access report would apply only to information maintained electronically.

Covered entities would have to include in their reports any access by their business associates. Information that meets the definition of “patient safety work product” would be excluded. Patient safety work product refers to information collected and created during the reporting and analysis of patient safety events under the Patient Safety and Quality Improvement Act of 2005. This could include the reporting of a medication error, for example.

The purpose of this new access report requirement is to give individuals a more complete picture of who has seen their PHI. It was motivated by the HITECH Act, but it diverges from the HITECH Act in some significant ways:

  • By including uses of PHI (i.e., electronic access by members of a covered entity’s or business associate’s work force). In contrast, the HITECH Act requirement was limited to disclosures (i.e., access by someone outside of the covered entity or business associate); and
  • By including all uses and disclosures of PHI in an electronic designated record set. In contrast, the HITECH Act requirement was limited to disclosures through an EHR.

This provision is taking many health plans by surprise because health plans traditionally do not use EHRs and did not expect that the HITECH Act provision, which referred specifically to EHRs, would affect them. But because health plans maintain information electronically in designated record sets, they would be subject to the new access report requirement.

The access report requirement would go into effect beginning Jan. 1, 2013, for electronic designated record set systems that were acquired after Jan. 1, 2009. It would go into effect beginning Jan. 1, 2014, for electronic designated record set systems that were acquired on or before Jan. 1, 2009.

Proposed Changes to Accounting of Disclosures Requirements

In addition to the new access report requirements, HHS proposes to make a number of changes to an individual’s existing right to an accounting of disclosures that would make it easier for covered entities to comply with the requirements.

Unlike the new access reports, the revised accounting of disclosures provisions are designed to provide more detailed information about certain types of disclosures (such as disclosures for law enforcement purposes), and apply to all PHI maintained in a designated record set, whether electronically or not.

The proposed rules would reduce the scope of information subject to an accounting of disclosures from all PHI to just the data maintained in a designated record set. They also would limit the types of disclosures that must be included in an accounting. For example, HHS proposes to exclude from the Privacy Rule’s accounting requirement disclosures for health oversight purposes, impermissible disclosures for which the covered entity (directly or through a business associate) has provided breach notice, and disclosures for research purposes, among others. As with the new access report, PHI that meets the definition of “patient safety work product” would be excluded.

The proposed rules also would make a number of changes to the time periods associated with the accounting of disclosures provision, such as reducing the time period for which covered entities and business associates must account for disclosures from six to three years prior to the individual’s request, among others. They would also make a few modifications to the elements that must be included in an accounting.

Disclosures Through Health Information Exchange

HHS considered, but ultimately decided against, providing individuals with the right to receive an accounting of disclosures for treatment, payment and health care operations through an EHR when such disclosures are made through electronic health information exchange. HHS describes these as “disclosures that originate from an EHR that are received by another electronic system.”

According to HHS, covered entities and their business associates would have to make substantial modifications to their existing EHR systems to track the purpose of a disclosure for treatment, payment and health care operations through electronic HIE, making such a requirement overly burdensome.

However, HHS intends to work with the Office of the National Coordinator for Health IT to assess whether the certification criteria it is adopting for certified EHR technology under the Medicare and Medicaid EHR incentive programs should require that certified EHR technology be able to track the purpose of disclosures through electronic health information exchange. Upon doing so, HHS will reconsider whether the Privacy Rule’s accounting of disclosures provision should be amended to require this activity.

Compliance Burden vs. Benefit to Individuals

HHS expects the proposed changes to the Privacy Rule’s current accounting of disclosures provision to benefit individuals by reducing the time it takes to receive an accounting while reducing the burden the current accounting provision imposes on covered entities and their business associates. Likewise, HHS expects that provision of the new access report will require minimal, if any, changes to existing information systems because covered entities and their business associates who are compliant with the Security Rule or their business associate agreements should already be logging the information necessary for an access report.

HHS does recognize, however, that electronic designated record set information may often reside in a number of distinct systems that maintain separate access logs, and that covered entities and their business associates may experience a significant burden in aggregating these data into a single access report. HHS states that this administrative burden is reasonable in light of the interests of individuals in learning who has accessed their PHI.

HHS invites stakeholder input on these assumptions and on the capabilities of existing electronic information systems to satisfy the proposed requirements. The public is encouraged to submit comments by Aug. 1, 2011. 
