On May 31, 2011, the U.S. Department of Health and Human Services (HHS) published a proposed rule adopting sweeping changes to the “accounting of disclosures” requirement under 45 C.F.R. § 164.528 that likely are to have a significant impact on the health information technology (HIT) systems being implemented by many healthcare providers, health plans (including employer-sponsored plans) and business associates. The proposed requirements will not become final until after comments are received and evaluated and a final rule is published by HHS later this year or next. Therefore, healthcare providers, health plans (including employers sponsoring health plans) and business associates should take this opportunity to carefully review the proposed rule’s provisions, send comments to HHS and consider the systematic changes that may be necessary when the rule becomes finalized.

The proposed rule changes the existing Health Insurance Portability and Accountability Act (HIPAA) accounting requirement in two very significant ways. First, it revises the accounting requirement to shorten the time period covered by the regulation to the three-year period prior to the request (previously six years) for all disclosures of protected health information (PHI) (paper and electronic), while removing the certain exceptions, including those for disclosures related to treatment, payment and healthcare operations. Second, in the interest of balancing the rights of individuals to learn about disclosures of their PHI, with the burden to covered entities of providing detailed accounting reports, the proposed rule creates a new “access report” requirement which enables covered entities to provide only the date, time and identity of the person who accessed an individual’s electronic PHI, but does not require tracking or reporting the purpose of the disclosure as required under the existing accounting requirement.

Existing HIPAA Accounting Requirement Expanded by HITECH Act

Under the existing HIPAA privacy regulations, individuals are entitled to receive an “accounting” of all disclosures of PHI made by the covered entity, including those through its business associates, for the six years preceding the individual’s request, excluding certain permissible disclosures, the most significant of which are (1) for treatment, payment and healthcare operations; (2) disclosures to the individual about him or her; and (3) disclosures to law enforcement. 45 C.F.R. § 164.528(a)(1). The accounting is required to be furnished to the individual no later than 60 days after receiving a written request.

When Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of the stimulus legislation known as the American Recovery and Reinvestment Act of 2009, it instructed HHS to adopt an accounting requirement specifically related to “electronic health records” (EHRs) by requiring the accounting of disclosures from an EHR to include all disclosures, without excluding those made for treatment, payment and healthcare operations and shortening the time period covered by an accounting of disclosures from an EHR to three years instead of six (paper records still would be subject to a six-year accounting period). The HITECH Act directed HHS to issue regulations by not later than June 18, 2010.

The changes put forth by HHS in the May 31 proposed rule go significantly beyond the requirements of the HITECH Act, but HHS asserts they are consistent with the major purpose of the Act which was to apply the accounting requirement to electronic PHI in an EHR.

Revisions to the Accounting of Disclosures of PHI Under § 164.528

Healthcare providers, health plans and employer-sponsored health plans may welcome some of the changes being proposed to the existing accounting of disclosures requirement, while finding other changes more burdensome. HHS proposes to shorten the time period covered by a request for an accounting to just three years, regardless of whether the records are paper or electronic. This should enable covered entities to apply accounting procedures consistently across all types of PHI. Additionally, HHS has chosen to focus more attention on accounting of disclosures that are presumed to be most important to individuals by removing some disclosures from the requirement, while adding specific requirements for other categories of disclosures. For example, on the one hand, disclosures for clinical research will be excluded from the accounting requirement (assuming that the IRB or research practitioner has followed HIPAA’s requirements for an authorization or research waiver), as will disclosures that are required by law. On the other hand, a full accounting will be required for all disclosures that are not permitted under HIPAA, including unauthorized disclosures that did not rise to the level of a “breach” under the Breach Notification Interim Final Rule published at 45 C.F.R. part 164, subpart D, disclosures for public health activities (such as infectious disease reporting) and for all disclosures made for law enforcement purposes and judicial or administrative proceedings (even though such disclosures in certain cases do not require an authorization).

Further, on the positive side, the proposed rule limits the accounting for disclosures requirement to only the PHI maintained in a “designated record set” instead of all PHI that may be scattered throughout an organization. Nevertheless, on the negative side, covered entities may find significant challenges in determining what exactly constitutes a “designated record set,” and will continue to be required to track the purpose of each disclosure subject to an accounting — a task many covered entities have found will add a significant level of complexity to the already expanding list of required features of HIT systems. Generally speaking, a “designated record set” is a group of records maintained by or for a covered healthcare provider that comprises the medical and billing records about individuals or maintained by a health plan (including an employer-sponsored health plan) comprising the enrollment, payment, claims adjudication and case or medical management record systems used, in whole or in part, by or for either type of covered entity to make decisions about individuals. The applicability and scope of the definition (i.e., what provider or health plan records fall within or outside of the definition) have perplexed some covered entities who may be particularly challenged by the existing requirement to maintain written or electronic documentation showing all designated record sets maintained within their organization, under 45 C.F.R. § 164.524. Additionally, the HHS preamble to the proposed rule specifically applies the accounting requirement to copies of designated record sets held by business associates, a factor likely to necessitate amendments to business associate contracts.

As indicated by the brief highlights of the proposed rule described above, the new requirements contain a mixed bag of changes designed to enhance an individual’s right to learn where, by whom and for what purpose disclosures of their PHI have been made, lessening the burden on covered entities by reducing the types of disclosures and the time period covered by the accounting requirement.

Further helping to improve the individuals’ understanding of the types of disclosures made about them may be the new requirement for an access report, described below, which will allow covered entities to respond in a more narrow fashion to individuals’ requests for information on disclosures of their PHI maintained in an electronic designated record set.

New “Access Report” Will Be Required Upon Request by an Individual

Perhaps the most significant change proposed by HHS is the new right of individuals to receive an access report including, at a minimum, the date and time of access and the name of the user or entity that accessed or disclosed PHI maintained in an electronic designated record set. The report must include all access, including uses as well as disclosures, which is a significant expansion of the existing accounting requirement. There will be no distinction between access by internal employees and access by persons outside an organization. Additionally, the report must indicate the type of information accessed (e.g., diagnosis or medications) and the action taken (modify, transfer, etc.), but only if either of such information is available in the HIT system. Perhaps most significantly, the access report applies to all electronic PHI maintained in a designated record set, not just EHRs, and the exception for disclosures relating to treatment, payment or healthcare operations would not apply. Thus, while HHS points out that the new access report requirement satisfies the HITECH Act’s mandate to apply the accounting requirement to EHRs, in actual operation, the proposed rule expands the right to an accounting to cover a much wider variety of disclosures, including internal uses of PHI by employees. These changes would create significant new challenges for covered entities already grappling with the design and implementation of appropriate system activity logs and audit reporting technology to comply with existing privacy and security laws.

Impact on Covered Entities and Business Associates

The proposed accounting requirement changes published on May 31 will create significant new challenges to a wider spectrum of covered entities than previously expected by most experts. For example, the expansion of the access report to cover all electronic PHI, rather than merely EHRs, will sweep within the rule’s application many additional entities that customarily do not maintain EHRs, such as health plans and health insurers (including employers that sponsor such plans) and business associates working with electronic PHI. Additionally, the application of the new requirements specifically to designated record sets will highlight the need for covered entities and business associates to develop and document the types of PHI they routinely use or disclose, to ensure that designated record sets are appropriately tracked and oversight maintained (both human and electronic) for purposes of preparing an adequate accounting or access report within the time limits and other requirements under the regulation.

Keep in mind that the new requirements published on May 31 are only proposed. Nevertheless, assuming that many of the provisions are enacted in final rule, the following activities, among others described previously, will be needed. It may not be too early for covered entities and business associates to consider and plan for the following new requirements:

Business Associate Agreements

Healthcare providers, health plans and employers sponsoring health plans will need to amend their business associate agreements with business associates (such as billing companies and consultants, third-party administrators and other vendors handling PHI) to reflect and facilitate compliance with the new accounting and access reporting requirements. These amendments should include descriptions of the shortened timing and detailed content required for such reports. Business associate agreements should be amended to require that business associates take steps to gather the appropriate information and actively assist with compiling reports when and as requested by their covered entity customers.

Notice of Privacy Practices

Changes to covered entity Notices of Privacy Practices will be necessary to appropriately describe the new accounting and access report requirements and to inform individuals of the types of disclosures subject to the requirements. For health plans and employers, because these updates are considered material revisions to the notice, the revised Notices will need to be distributed within 60 days of the material revision.

Record Retention Policies

Covered entity and business associate record retention policies would need to be updated to reflect changes in the document retention rules as they apply to accountings of disclosures and the new access report requirement. Specifically, information that is required to be included in an accounting or access report must be retained for three years from the date of the disclosure, but the actual accounting or report must be retained for six years.

Enhanced Tracking of Disclosures and Access

The new rule will put greater urgency and emphasis on adopting reasonable and appropriate technical and administrative measures to log access, changes, uses and disclosures of electronic PHI, including those for public health, law enforcement, judicial or administrative proceedings, research and other permissible activities, which may become subject to the expanded reporting requirements.

HHS has asked that comments on the proposed rule be submitted by August 1, 2011. HIPAA-covered entities, including providers and employer health plan sponsors, should seriously consider submitting comments and questions to HHS in an effort to shape how these rules will ultimately affect them.

Authorship credit:

John S. Mulhollan, jmulhollan@bakerlaw.com

Susan Whittaker Hughes, shughes@bakerlaw.com

Lynn Sessions, lsessions@bakerlaw.com