• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to secondary sidebar

Alston & Bird Privacy, Cyber & Data Strategy Blog

  • Home
  • Services
  • Events
  • Contacts

HIPAA/HITECH Act Accounting of Disclosures NPRM: Redux?

October 14, 2014 By Privacy & Data Security Team

In May 2011, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services (HHS) issued a proposed rule to modify the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information (PHI). The proposed rule would have implemented the HITECH Act’s requirement for covered entities and business associates to account for disclosures of PHI to carry out treatment, payment and health care operations if the disclosures are through an electronic health record (EHR). HHS also proposed to expand the accounting provision to provide individuals with the right to receive an access report of all uses and disclosures of electronic PHI in a designated record set. Additionally, the proposed rule would have shortened the time period for which covered entities and business associates must account for disclosures (and provide an access report) to three years (instead of six years). However, the proposed rule would also have shortened the period of time which such entities have to respond to a request for an accounting (or for an access report) from 60 days to 30 days. We blogged about the proposed rule here, and issued an advisory which provides a section-by-section analysis of the proposed rule. The proposed rule generated significant comment, was criticized as impractical, and has not been finalized by OCR.

On October 10, 2014, Christina Heide, the Acting Deputy Director of OCR for Health Information Privacy, announced that, in the coming weeks, OCR will open another round of public comments on the accounting for disclosures proposed rule and would delay further rulemaking until 2015. Although OCR has not indicated whether it would propose or request comments on any new approaches to the issues raised in the proposed rule when it reopens the comment period, OCR may do so. Covered entities and their business associates should watch for OCR’s announcement of the re-opening of the comment period and be prepared to submit new or updated comments to OCR on such issues. Stay tuned to this blog for additional developments.

Written by Paula Stannard, Counsel, Health Care| Alston & Bird LLP

Filed Under: Advisories, Health Privacy Tagged With: HIPAA, HITECH

Primary Sidebar

This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.


Receive email notifications when new posts are added.

Receive email notifications when new posts are added.


THE DIGITAL DOWNLOAD
Click here to see the editions

PRIVACY & CYBER EVENTS
Click here to see upcoming and past events

PRIVACY & CYBER MAILINGS
Click here to sign up

@ALSTONPRIVACY
Click here to follow us on Twitter

Secondary Sidebar

Categories

Recent Posts

  • European Commission Adopts Draft UK Adequacy Decision
  • NYDFS Issues Best Practices for Cyber Insurance Risk Management
  • Fifth Circuit Decision Raises Cyber Enforcement Complications for the U.S. Department of Health and Human Services
  • Virginia Ready to Pass First State Privacy Statute after CCPA
  • The EDPB-EDPS Joint Opinion on Data Processing Standard Contractual Clauses: Key Takeaways
Copyright © 2021 · Alston & Bird · All Rights Reserved. Privacy.