Updates to the HIPAA Privacy Rule: Accounting of Disclosure

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule gives patients the right to receive a listing, known as an accounting of disclosure, of their information that is disclosed to others by their physician.

However, the Privacy Rule does not require physicians to list disclosures carried out for treatment, payment, or health care operations (45 CFR 160.528(a)(i)). As a consequence, the rule applies only to a limited range of disclosures, such as those made to law enforcement agencies, the courts, public health authorities, and the like.

The Health Information Technology for Economic and Clinical Health (HITECH) Act has asked Health and Human Services (HHS) to expand the accounting to include any access to or disclosure of health information in an electronic health record. In 2011, HHS issued a proposed rule, which would give patients the right to an “access report” containing the following information for each access to the EHR:

  • The date and time of access
  • The name of the person or entity accessing the EHR
  • A description of the information that was accessed
  • A description of what the user did, e.g., “create,” “modify,” “access,” or “delete”

Under the proposed rule, this report would include access for treatment, payment and health care operations – for example, whenever anyone in the physician’s office reviewed an electronic health record for any purpose.

HHS has not issued a final rule, owing to the difficulty of striking a balance between the interests of individuals and the administrative burden on HIPAA covered entities.

HHS has requested public feedback via comments on this blog post to better understand the interests of individuals, the burden on covered entities, and ways to implement the “Access Report.” It has asked for input to gain clarity on the following:

  1. What patients would like to know about uses, accesses, and disclosures of their health information.
  2. The capabilities of currently available and affordable technology that can be leveraged to provide greater transparency of electronic health information.
  3. How record access transparency technologies are currently being used by health care providers, health plans, and their business associates.
  4. Any other issues raised as part of the initial proposed rule.

How should HHS proceed from the proposed rule on access reports to create and implement a balanced final rule? How much transparency do you think patients need? When does transparency place unnecessary burden on the provider? Where is the middle ground? Share your perspective below.