HIPAA Accounting of Disclosures Proposed Regulations Published

UPDATED JULY 25, 2011

Proposed regulations to implement the Accounting of Disclosures changes mandated by the HITECH Act of 2009 have been published by the Department of Health and Human Services.

HHS adds a new patient right to HIPAA regulations

As is usual with HHS regulations to implement HITECH changes, there are some surprises. HHS added a new Right to an Access Report, which it determined was necessary to comply with the HITECH direction on Accounting of Disclosures that the patient be able to know of disclosures for purposes of treatment, payment and operations. Under the new regulations, access by workforce members of practices and business associates must be included in the access report, in addition to access by outsiders.

HHS also extends the Right to an Access Report to any electronic designated record set, not just access to PHI in an electronic medical record (EMR). You may have multiple electronic systems that house PHI (billing systems, patient management systems, EMR, etc.) acquired at different times. This would create a situation where you would be required to produce access reports for some but not all systems in 2013. HHS encourages all practices to prepare for implementation of all systems by January 1, 2013 to avoid patient confusion.

The Access Report will need to identify the person accessing the data, when the access occurred, the action the user took in the system and the data accessed, if available. The purpose of the access is not a required part of the report. Additionally, it applies solely to electronic information access, not access to paper records. Generally, it requires information that can be produced by the systems.

Accounting of Disclosures vs. Access Reports

Accounting of Disclosures reports cover both paper and electronic information and require the inclusion of more detailed information on the report.

Compliance date was extended for some parts as allowed by HITECH

Practices with electronic medical record (EMR) systems acquired after January 1, 2009 are required to produce the new access reports and disclosure reports by January 1, 2013, extending the time from January 1, 2011. If your system was acquired before 2009, the January 1, 2014 date remains the same.

But don’t think this allows you extra time. You must be able to produce a report on data for the previous 3 years, which means you need to have been accumulating data on disclosures AND accesses since January 1, 2010. HHS says: “Covered entities and business associates should already be logging access to electronic PHI and should have the ability to generate access reports now pursuant to other requirements of the Security Rule.” Basically, the extra time is to develop the capability to aggregate data from multiple sources and access logs.

HHS is asking for comments on the industry capability to produce access reports across all systems by this date. The possibility of some breathing room on this exists but I would not wait to begin by counting on that. It will be much better to be able to produce reports and not have to than the reverse.

Can you produce access reports today for any access to any electronic patient information? Does every system record every access? If unsure, talk with your IT team or system providers.

The proposed regulations were published in the Federal Register May 31, 2011.

How can you get the details about what this means?

TMC has just begun the analysis of this proposed regulation. We will publish more detailed information over the coming days and weeks in multiple instructional documents. Check the website HIPAA Information page and the Latest News for these documents. TMC webinars will cover this proposed new material as well.

Even though this is a proposed regulation, most requirements will be implemented as written. Where there is uncertainty, HHS asks for guidance in the document.

TMC clients will receive procedural and policy inclusions for their HIPAA Manuals as usual, along with recommended terminology changes and timing for the Notice of Privacy Practices document, updates to the Business Associate Agreements if necessary, and training material to ensure employees are aware of this required reporting.

Download the HIPAA Accounting of Disclosures Proposed Regulations

One Response to “HIPAA Accounting of Disclosures Proposed Regulations Published”

  • Bearle Says:

    As of July 25, 2011, we are still awaiting the publication of the final regulations. After they are posted by HHS we will be able to determine new wording for the Notice of Privacy Practices, BAAs and determine policy additions and changes necessary.