OCR Plans Do-Over for 'Accounting of Disclosures' Proposal
Agency Will Ditch Previous HIPAA Privacy Rule Revamp Plan, Seek New Ideas
Federal regulators are going back to the drawing board to craft a new proposal for revamping a HIPAA Privacy Rule provision for "accounting of disclosures" of electronic patient records. Updating that rule was mandated under the HITECH Act of 2009, but it has been in limbo since 2011, when a controversial proposal stalled.
The HITECH Act called for changing HIPAA's accounting of disclosures provision to require that covered entities and business associates reveal to patients, upon request, disclosures of protected health information to carry out treatment, payment and healthcare operations if such disclosures are through an electronic health record. But a rule carrying out that provision has never been finalized.
Under the current HIPAA Privacy Rule, patients can only get an accounting of disclosures of PHI made to third parties for certain purposes.
A recent entry on the Office of Management and Budget's regulations agenda website notes that the Department of Health and Human Services' Office for Civil Rights intends in November to withdraw its previous proposal for how to carry out a modified HIPAA accounting of disclosures rule and start over by soliciting new suggestions from the public.
HHS' previous proposal for revamping accounting of disclosures was published in May 2011, but feedback from the healthcare sector was mostly negative.
Many of the 400-plus public comments - which were solicited by HHS through early August 2011 - complained that the proposed rule's "access report" provision would prove to be technically unfeasible, complex and expensive to implement, particularly with electronic health records technology available at that time (see EHR Access Report Objections Pour In).
The "access report" provision in the original proposal would have required healthcare organizations to provide patients, upon request, with a complete list of everyone who has electronically viewed their information.
As proposed, the access report would have needed to contain the date and time of access, name of the person or entity accessing protected health information, and a description of the information and user action, such as whether information was created, modified or deleted. The proposal was to provide patients with the right for an accounting of any disclosures of electronic PHI for the past three years.
In its recent entry on the OMB regulations agenda, OCR notes: "This advance notice of proposed rulemaking would solicit the public's views on modifying the HIPAA Privacy Rule as necessary to implement the accounting of disclosures provisions of the HITECH Act of 2009 and on certain workability changes to the accounting requirement. The previous notice of proposed rulemaking will be withdrawn."
Privacy attorney Iliana Peters, who joined the law firm Polsinelli earlier this year after serving more than a decade as an enforcement and compliance leader at OCR, notes that the HITECH Act "specifically tasks HHS with promulgating regulations regarding accounting of disclosures of protected health information contained in an electronic health record."
That requires that HHS "take into account the interests of the individuals in learning the circumstances under which their PHI is being disclosed while taking into account the administrative burden of accounting for such disclosures," she notes.
"Given this, I suggest that HHS ... consider the disclosures in which individuals are most interested, and techniques to account for such. For example, HHS could propose to require that entities do periodic audits to identify and account for impermissible disclosures to those within the entity who do not have a need to know the individuals' PHI. We hear most often from individuals that they are concerned about neighbors, family members, ex-family members, or coworkers accessing their PHI."
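As an added illustration (not code from the article or from any EHR vendor) of the two ideas above, the per-patient "access report" with date/time, user, description and action over a three-year look-back, and the periodic need-to-know audit Peters suggests, this example runs both over constructed audit-log records. The log entries, user names and care-team roster are all assumed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample EHR audit-log records (not from any real system).
# Each record: timestamp, acting user, patient id, item touched, action taken.
SAMPLE_AUDIT_LOG = [
    {"ts": "2017-03-02T09:14:00", "user": "dr.lee", "patient": "P001",
     "item": "Problem list", "action": "viewed"},
    {"ts": "2018-11-20T15:40:00", "user": "rn.chen", "patient": "P001",
     "item": "Medication orders", "action": "modified"},
    {"ts": "2019-01-05T22:03:00", "user": "billing.ops", "patient": "P001",
     "item": "Lab results", "action": "viewed"},
    {"ts": "2014-06-01T08:00:00", "user": "dr.lee", "patient": "P001",
     "item": "Discharge summary", "action": "created"},
    {"ts": "2019-02-10T10:00:00", "user": "dr.lee", "patient": "P002",
     "item": "Problem list", "action": "viewed"},
]

# Assumed care-team roster: users with a documented treatment relationship.
CARE_TEAM = {"P001": {"dr.lee", "rn.chen"}, "P002": {"dr.lee"}}


def access_report(log, patient_id, as_of, years=3):
    """Rows for one patient's access report, oldest first, limited to the
    look-back window (three years in the 2011 proposal) ending at as_of."""
    as_of_dt = datetime.fromisoformat(as_of)
    cutoff = as_of_dt - timedelta(days=365 * years)
    rows = []
    for rec in log:
        ts = datetime.fromisoformat(rec["ts"])
        if rec["patient"] != patient_id or not (cutoff <= ts <= as_of_dt):
            continue
        # Date/time, who accessed, what was touched, and the user action.
        rows.append({"when": ts.isoformat(), "who": rec["user"],
                     "what": rec["item"], "action": rec["action"]})
    return sorted(rows, key=lambda r: r["when"])


def need_to_know_audit(log, care_team):
    """Periodic internal audit: flag every access by a user who has no
    treatment relationship to the patient whose record was touched."""
    return [rec for rec in log
            if rec["user"] not in care_team.get(rec["patient"], set())]


if __name__ == "__main__":
    for row in access_report(SAMPLE_AUDIT_LOG, "P001", "2019-06-01T00:00:00"):
        print(row)
    for rec in need_to_know_audit(SAMPLE_AUDIT_LOG, CARE_TEAM):
        print("needs review:", rec["user"], "->", rec["patient"], rec["ts"])
```

The audit step depends entirely on how accurate the care-team roster is; in practice that roster would come from scheduling or encounter data rather than a static map.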
Peters adds that, given the statutory requirement for accounting of disclosures of only ePHI, "I suggest that HHS consider whether other accounting requirements that are applicable to paper, oral, and electronic PHI could be scaled back to those of most interest to individuals - for example, impermissible disclosures, disclosures pursuant to a court order and disclosures to law enforcement."
Such a revision would significantly reduce the burden on entities to comply with the requirement and would take into consideration the issues most important to individuals, particularly given that, based on anecdotal evidence from the industry and from consumers, individuals rarely request an accounting of disclosures, she notes.
The restart of the rulemaking process after years of delays is "the right move," Peters says. "It allows OCR to start over and ask questions that they didn't ask before."
Privacy attorney Kirk Nahra of the law firm Wiley Rein also says he's glad to see that HHS OCR is throwing out the proposed accounting rule.
"While I generally think OCR has done a good job on writing the privacy and security rules, the accounting rule proposal would have been an overall disaster for the healthcare system, with enormous cost and burden and very little benefit to individuals," he says. "Starting over from scratch is the right way to go."
HHS still has an obligation to implement the statutory requirement, but regulators need to find a way to implement it that isn't overly burdensome and where patient benefits are significant, he says.
"The earlier proposal took an already challenging HITECH statutory requirement and made it significantly worse," he says. The proposal from 2011 "to track all uses should be a nonstarter."
The premise of the changes to the accounting of disclosures requirements under HITECH was that fulfilling such requests involving ePHI would be as easy as "pushing a button," Nahra notes. The reality, the attorney asserts, was that fulfilling such requests under the provisions of the 2011 proposal would have been "much, much harder."
The goal for any new proposal should be to simplify requirements if possible so that compliance "would be analogous to pushing a button," he says.
OCR did not immediately respond to an Information Security Media Group request for comment on its plans.