Tuesday, May 31, 2011

HIPAA Privacy Rule Accounting of Disclosures under HITECH

Today's Federal Register includes the Office of Civil Rights (OCR) Notice of Proposed Rulemaking (NPRM) modifying the HIPAA Privacy Rule's Accounting of Disclosure requirements for protected health information. OCR was required to make these modifications to the HIPAA Privacy Rule to implement the requirements under the Health Information Technology for Economic and Clinical Health Act (HITECH) section of the ARRA.
HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act, Office for Civil Rights, Notice of Proposed Rulemaking (76 FR 31426, May 31, 2011)
The regulations greatly expand the responsibility for health care covered entities and business associates to document and track the use and disclosure of health information held in an electronic health record (EHR). Health care providers and business associates should plan to thoroughly review these new regulations to understand the impact on their existing policies and procedures.

The regulations outline new procedures for accounting of disclosures of health information held in an electronic health record and disclosed for treatment, payment, and health care operations (as defined under HIPAA). The accounting period under the proposed regulations is three years. The proposed regulations focus on two rights for individuals -- a right to an accounting of disclosure and a "new" right to an access report. The new access report does not distinguish between a use (think internal use by a health care provider) and disclosure (providing the information to a third party). Instead the new right to an access report focuses on whether someone "accessed" the information in the EHR.

Previously under HIPAA, uses and disclosures for treatment, payment, and health care operations (commonly referred to as "TPO") were exempt from the accounting of disclosures requirements. The requirement for accounting for some limited uses and disclosures has always been a part of the HIPAA Privacy Rule.

The rule proposes separate compliance dates for the changes to the accounting of disclosures requirements (180 days after the effective date of the final rule - 240 days after publication of the final rule) and for the right to receive an access report (beginning January 1, 2013, for any EHR system acquired after January 1, 2009 and January 1, 2014, for any EHR system acquired on or before January 1, 2009).

My initial comments above are based upon a quick review of the proposed regulations. Official comments on the NPRM must be submitted on or before August 1, 2011.

No comments: