In May 2011, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services (HHS) issued a proposed rule to modify the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information (PHI). The proposed rule would have implemented the HITECH Act’s requirement for covered entities and business associates to account for disclosures of PHI to carry out treatment, payment and health care operations if the disclosures are through an electronic health record (EHR). HHS also proposed to expand the accounting provision to provide individuals with the right to receive an access report of all uses and disclosures of electronic PHI in a designated record set. Additionally, the proposed rule would have shortened the time period for which covered entities and business associates must account for disclosures (and provide an access report) to three years (instead of six years). However, the proposed rule would also have shortened the period of time which such entities have to respond to a request for an accounting (or for an access report) from 60 days to 30 days. We blogged about the proposed rule here, and issued an advisory which provides a section-by-section analysis of the proposed rule. The proposed rule generated significant comment, was criticized as impractical, and has not been finalized by OCR.
On October 10, 2014, Christina Heide, the Acting Deputy Director of OCR for Health Information Privacy, announced that, in the coming weeks, OCR will open another round of public comments on the accounting for disclosures proposed rule and would delay further rulemaking until 2015. Although OCR has not indicated whether it would propose or request comments on any new approaches to the issues raised in the proposed rule when it reopens the comment period, OCR may do so. Covered entities and their business associates should watch for OCR’s announcement of the re-opening of the comment period and be prepared to submit new or updated comments to OCR on such issues. Stay tuned to this blog for additional developments.
Written by Paula Stannard, Counsel, Health Care| Alston & Bird LLP