June 9, 2011

HHS Releases HIPAA Privacy Rule Accounting of Disclosures

The Department of Health and Human Services (HHS) issued its notice of proposed rulemaking to modify the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information (PHI).

The current accounting provision applies to disclosures of paper and electronic PHI, regardless of whether such information is in a designated record set (DRS), for a six-year period prior to the request.  HHS is proposing to limit the accounting provision to PHI about the individual in a DRS for a three-year period prior to the request.

HHS is also proposing to revise §164.528 of the Privacy Rule by dividing it into two separate rights for individuals to receive information from covered entities, the rights to an “accounting of disclosures” and an “access report,” which would be distinct but complementary. The right to an access report would provide information on who has accessed PHI maintained in an electronic DRS for any purpose, but the report would provide limited information (e.g., date, name, address, purpose). The right to an accounting of disclosures provides for a more detailed report, but would apply to disclosures of PHI maintained in a DRS (written or electronic) only to persons outside the covered entity and its business associates for certain purposes explicitly identified in regulation (e.g., law enforcement, judicial hearings, public health investigations). It is important to note that the Breach Notification requirement under the Security Rule would continue to apply to all PHI in any form and regardless of where such information exists at a covered entity or business associate.

HHS is proposing that covered entities and business associates comply with the modifications for the “accounting of disclosures” within 240 days after publication of the final rule.  Additionally, HHS is proposing to require that covered entities and business associates provide individuals with an “access report” beginning January 1, 2013 for electronic DRS systems acquired after January 1, 2009, and beginning January 1, 2014 for electronic DRS systems acquired as of January 1, 2009.

This post was contributed by Charles Dunham.
