On May 31, 2011, the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS or “the Secretary”) published a notice of proposed rulemaking to modify the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information. The purpose of the proposed rule is, in part, to implement the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) requirement for covered entities and business associates to account for disclosures of protected health information (PHI) to carry out treatment, payment and health care operations if the disclosures are through an electronic health record (EHR). OCR also proposed to expand the accounting provision to provide individuals with the right to receive an access report for uses and disclosures of electronic PHI in a designated record set, in accordance with HITECH Act requirements.
Notably, OCR proposes to limit the time period for which covered entities and business associates are required to account for disclosures and provide an access report to three years prior to the date of the request. Exercising its authority under HIPAA and the HITECH Act, OCR proposes that the new right to an access report be applicable not just to PHI held in an EHR, but to all electronic PHI held in a designated record set. This means that all covered entities and business associates, not just those covered health care providers who maintain PHI in an EHR, will be subject to the requirement to provide access reports.
Comments on the proposed rule must be submitted by August 1, 2011. This Alston & Bird advisory provides a section-by-section summary of the key changes to the HIPAA Privacy Rule.