HHS Pulled a Fast One – Proposed Expansion of HIPAA’s Accounting Requirements
Health Law Update 06/01/11 Sarah E. Coyne
On May 31, 2011, the Department of Health and Human Services ("HHS") issued a much anticipated proposed rule (the "Proposed Rule") to modify the HIPAA Privacy Rule provisions on accounting of disclosures ("Accounting Rules") of Protected Health Information ("PHI"). The purpose of the Proposed Rule is to take the first steps towards implementing changes to the Accounting Rules required pursuant to the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"). To refresh everyone's memories, the HITECH Act was enacted as part of the American Recovery and Reinvestment Act of 2009. Among the other changes to HIPAA, the HITECH Act expanded the HIPAA accounting of disclosures provisions to require entities covered under HIPAA ("Covered Entities") to log and account for disclosures made for purposes of treatment, payment and health care operations if such disclosures are made through an electronic health record ("EHR"). The HITECH Act broadly defined an EHR as an electronic record of health-related information on an individual that is created, gathered, managed and consulted by authorized health care clinicians and staff. This HITECH Act provision created an uproar among the health care community because to implement such requirement would require significant resources.
On May 3, 2010, HHS published a request for information (the "RFI") seeking input from the industry and public on the interests of individuals in receiving information on disclosures of their PHI made for purposes of treatment, payment and health care operations, as well as the burden on Covered Entities to make such accountings and the capability of technology to assist. Based upon these comments, HHS took an unexpected approach to implement the accounting requirements of the HITECH Act.
HHS's approach in the Proposed Rule divides the right to an accounting into two separate rights: (1) the right to an accounting of disclosures, and (2) the right to an "access report." HHS did so based upon feedback that it received from the RFI that the public wants to know who accessed their information even more than they are interested in knowing who ultimately received their PHI.
To implement these goals - while not taking away rights already accorded under the Accounting Rules - HHS maintains the current right to an accounting of disclosures, but proposes certain modifications to such right. These modifications include limiting the scope of PHI subject to the accounting right to only PHI contained in a designated record set, which is PHI that is used to make decisions about the individual ("Designated Record Set"). The modifications also include explicitly listing the types of disclosures that must be accounted for and proposing new exceptions. However, in a surprise move and contrary to the HITECH Act, HHS proposes NOT to require Covered Entities (and business associates) to account for disclosures made for purposes of treatment, payment and health care operations. Rather, to address that HITECH Act requirement, HHS proposes an entirely new right, the right to an "access report," which only applies to electronic PHI ("e-PHI").
An "access report" must provide information on who accessed an individual's e-PHI that is part of the Designated Record Set, and such information must be in human readable format. The access report will be generated from an "access log," which is defined as the raw data that an electronic system containing e-PHI collects (or should collect) each time a user accesses the e-PHI (i.e., the audit log). So, each time anyone (internal employees or outside third parties) accesses e-PHI that is part of the Designated Record Set for any purpose, the system maintaining that information is supposed to log such access. This log must be turned into a readable format and provided to individuals upon their request. HHS believes that including both internal access or "uses" and external access or "disclosures" in the access report significantly increases the benefits to individuals by providing a more complete picture of who has accessed their information. This would be a significant change to the accounting requirements because it does not matter whether the e-PHI was disclosed or simply used; if it was accessed, then it will be part of the report which the patient has the right to obtain.
According to HHS (so please don't shoot the messenger), providing individuals with an access report should be easy for Covered Entities to do if they are in compliance with the HIPAA Security Rule, because the HIPAA Security Rule requires all electronic systems containing e-PHI to have audit logs. HHS acknowledged that Covered Entities may have multiple electronic systems, and said it expects Covered Entities to gather the data from each access log and aggregate it to generate one single access report.
Many in the industry were hoping that the Proposed Rule would clarify that the changes to the Accounting Rules under the HITECH Act would ONLY apply to those EHR systems qualified to receive federal incentive payments under the Meaningful Use Rules ("Qualified EHR System"). HHS considered, but declined to adopt that approach. Rather, HHS clarified that the proposed access report requirements apply to all e-PHI that is part of a Designated Record Set maintained by a Covered Entity (and business associate), not just e-PHI that is contained in a Qualified EHR System. This may be problematic to many health care provider Covered Entities who have electronic databases outside of their "official" electronic medical record because such databases may have less robust audit log capabilities. This will certainly be troubling to health plan Covered Entities who thought they would not be impacted by the HITECH Act accounting requirements since they do not maintain EHRs. Although health plans would not typically maintain EHRs as defined in the HITECH Act, they do maintain Designated Record Sets and would be subject to the access report requirements of the Proposed Rule.
Of some relief to Covered Entities, under the Proposed Rule both the accounting of disclosures and access reports would only require Covered Entities to log disclosures and retain documentation necessary to provide access reports for a period of three years prior to a request. However, actual accountings or access reports provided to individuals must be maintained for six years.
The Proposed Rule would require a number of additional steps, including revision of the Notice of Privacy Practices to inform individuals about their right to receive access reports and to notify them of the changes to the accounting of disclosures requirements.
The effective date for the changes to the accounting of disclosures requirements would be 180 days after the effective date of the final version of the Proposed Rule (240 days after it is issued). The effective dates for the new right to access reports would be 1-1-2013 for electronic systems acquired after 1-1-2009, and 1-1-2014 for electronic systems acquired as of 1-1-2009.
If you want the "nitty-gritty" on the Proposed Rule, read on.
More Details on the Proposed Rule
Proposed Changes to Accounting of Disclosures Requirements
HHS proposes to make modifications to the right to an accounting of disclosures, which include the following:
- The scope of PHI subject to the accounting requirements will shrink from all PHI to only PHI contained within a Designated Record Set.
- The rules would be clarified to specifically include business associates who maintain Designated Record Sets.
- Disclosures must be logged for a period of three years prior to a request for an accounting rather than the current six years.
- Under the Proposed Rule, the types of disclosures subject to an accounting are explicitly listed, and there would also be new exceptions.
- The content of an accounting would change.
Proposed Disclosures Explicitly Subject to an Accounting
The types of disclosures that would be subject to accounting include the following:
- Impermissible disclosures unless such disclosure was a breach about which the individual was notified under the HIPAA Security Breach Notification regulations;
- Public health disclosures not required by law, except for reports of child abuse or neglect;
- Disclosures for judicial and administrative proceedings, law enforcement purposes even if such disclosures are otherwise required by law, and disclosures to avert a serious threat to health and safety;
- Certain disclosures related to the military and veterans; and
- Disclosures to government programs providing public benefits and for workers' compensation purposes.
Exceptions to the Right to an Accounting
The exceptions would include the following:
- Same exceptions as currently provided, including disclosures for purposes of treatment, payment and health care operations.
- New exceptions, including disclosures regarding victims of abuse, neglect or domestic violence, disclosures for health oversight purposes, disclosures for research purposes, disclosures regarding decedents to coroners, medical examiners, funeral directors and for organ donation. Also excepted would be disclosures for protective services for the President and most disclosures required by law.
- PHI that meets the definition of "patient safety work product" under 42 C.F.R. § 3.20 would also be excluded.
It is important to note that to the extent that PHI being accessed for any of the above excepted purposes is part of an electronic Designated Record Set, then access to that e-PHI must be logged as part of the "access log." Accordingly, if an individual requested an access report, then the individual would know that the e-PHI was accessed even though the disclosures for such purposes would not be part of an accounting report.
Proposed Content of an Accounting
- Would permit providing an approximate date or period of time during which the disclosures occurred if the exact date is not known.
- Would still require the name of the recipient of the PHI, except if disclosure of the name would itself be a disclosure of PHI (e.g., if the recipient is also a patient of a health care provider).
- Would clarify that only a minimum description of the purpose for the disclosure is required.
Proposed Right to an Access Report
An individual would have the right to an access report listing each time his or her Designated Record Set maintained in any electronic system (not just a Qualified EHR System) was accessed for a period going back three years. The access report would be generated from access logs, which are proposed to be defined as raw data that an electronic system containing PHI collects each time a "user" (as such term is defined in the HIPAA Security Rule) accesses the information. According to HHS, the administrative burden on Covered Entities who are complying with the HIPAA Security Rule will be reasonable in light of their existing obligation under the Security Rule to log access to all e-PHI.
Covered Entities would have to take their own access log information and generate access reports in a readable format. They also would have to obtain access reports from their business associates who maintain Designated Record Sets and combine that information into a single access report. This is a change from the HITECH Act, which would have permitted Covered Entities to simply provide individuals with a list of business associates who may have made accountable disclosures.
No Significant Exceptions
Unlike the accounting of disclosures requirements, there are no exceptions to the right to an access report, except for e-PHI that meets the definition of "patient safety work product" under 42 C.F.R. § 3.20. According to HHS, the HIPAA Security Rule currently requires the logging of any access to e-PHI in an electronic system. As a result, each time e-PHI is accessed it should be logged and would become part of an access report. However, in an attempt to somewhat narrow the scope of this new proposed requirement, access to e-PHI outside the Designated Record Set need not be included. For example, peer review information is usually not used to make decisions about individuals; thus, such information would not be considered part of a Designated Record Set. Accordingly, individuals would not have a right to receive an access report detailing access to peer review information.
Practically speaking, excluding e-PHI that is not part of the Designated Record Set from the access report requirements will likely not provide much relief to Covered Entities because the bulk of PHI that is maintained by Covered Entities will fall within the definition of a Designated Record Set. Nevertheless, this may provide some relief to business associates since many do not maintain a Designated Record Set on behalf of Covered Entities. Typically, only certain business associates, such as third party administrators to health plans, outside billing companies and third party medical record companies actually maintain a Designated Record Set. So the good news is that only a limited number of business associates will have to comply with the access report requirements if adopted as proposed.
Content of an Access Report
- Date of access;
- Time (only the start time is required);
- Name of the person accessing, if available. Covered Entities will need to be able to readily match a user ID with the name of the person accessing the e-PHI in order to meet this requirement;
- Description of the e-PHI that was accessed, if available; and
- Description of the action taken as part of the access (e.g., create, modify, access, delete, print).
What is not Required in an Access Report
- No need to include the postal address of the user who has accessed the e-PHI and no need to include a brief statement of the purpose for the access.
- No need to name the ultimate recipient of the e-PHI.
It is clear that HHS believes that Covered Entities' electronic systems already have the capability to capture the data points that would have to be in an access report. It is also clear that HHS believes that by not requiring access reports to contain user addresses, purpose for the access or the ultimate recipient of the e-PHI, that the new proposed access reports will require few, if any, changes to information systems. We suspect that some Covered Entities may not agree with HHS. If that is the case, it will be important for Covered Entities to provide comments to HHS on its assumptions. However, care should be taken in crafting such comments to avoid raising concerns about your Security Rule compliance.
HHS does acknowledge the burden on Covered Entities to aggregate access reports from multiple electronic systems and from business associates, but says such burden is reasonable in light of the interests of individuals in learning who accessed their e-PHI. Interestingly, HHS also noted that if few individuals exercise this right, then Covered Entities will rarely need to engage in such aggregation. This might lead one to question why this right was created in the first place (not us of course; we are just saying).
An access report must be readable. This means it must be either machine readable or in other electronic form or format requested by the individual if readily producible. So what the heck does this really mean? HHS provides the following as a "good" example of an access report that is formatted to be understandable to the individual:
Date        Time        Name          Action
10/10/2011  02:30 p.m.  John, Andrew  Viewed
HHS views the following as a "bad" example of an access report that is NOT in a format understandable to the individual:
So check your current audit report capabilities to determine if you would be "good" or "bad" in the eyes of HHS and, if bad, what your organization would have to do to produce an access report in the format proposed by HHS.
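As an added illustration (not part of the Proposed Rule, HHS's materials or this update), the following Python example shows how raw audit-log rows from several systems, including one run by a business associate, can be filtered to one patient's Designated Record Set e-PHI within the three-year lookback, have user IDs matched to names, and be rendered in the same "Date / Time / Name / Action" layout HHS gives as its "good" example. The log field names, user directory and sample rows are all constructed assumptions, not any vendor's real audit schema.

```python
from datetime import datetime, timedelta

# Constructed sample audit-log rows from three hypothetical systems: an EHR, a
# billing system kept by a business associate, and a peer-review (non-DRS) store.
# The "drs" flag marks whether the record is part of the Designated Record Set.
RAW_LOGS = [
    {"system": "ehr", "ts": "2011-10-10T14:30:00", "user": "ajohn", "patient": "P001",
     "drs": True, "action": "VIEW", "record": "Progress note"},
    {"system": "billing", "ts": "2011-09-02T09:05:00", "user": "bsmith", "patient": "P001",
     "drs": True, "action": "PRINT", "record": "Claim 4471"},
    {"system": "ehr", "ts": "2011-10-11T08:00:00", "user": "ajohn", "patient": "P002",
     "drs": True, "action": "VIEW", "record": "Lab result"},          # other patient
    {"system": "ehr", "ts": "2007-01-15T10:00:00", "user": "ajohn", "patient": "P001",
     "drs": True, "action": "VIEW", "record": "Progress note"},       # older than 3 years
    {"system": "qa", "ts": "2011-10-12T11:00:00", "user": "cdoe", "patient": "P001",
     "drs": False, "action": "VIEW", "record": "Peer review file"},   # outside the DRS
]

# Assumed directory mapping user IDs to "Last, First"; unknown IDs are shown as-is.
USER_DIRECTORY = {"ajohn": "John, Andrew", "bsmith": "Smith, Beth"}

# Map raw audit verbs to the plain-language actions the Proposed Rule lists.
ACTION_WORDS = {"VIEW": "Viewed", "CREATE": "Created", "MODIFY": "Modified",
                "DELETE": "Deleted", "PRINT": "Printed"}

def build_access_report(logs, patient_id, request_date, lookback_days=3 * 365):
    """Aggregate rows from every system into the fields an access report must carry:
    date, start time, name of the accessing user, description of the e-PHI, action."""
    cutoff = datetime.fromisoformat(request_date) - timedelta(days=lookback_days)
    selected = []
    for entry in logs:
        when = datetime.fromisoformat(entry["ts"])
        # Keep only this patient's DRS e-PHI accessed within the lookback window.
        if entry["patient"] == patient_id and entry["drs"] and when >= cutoff:
            selected.append((when, entry))
    selected.sort(key=lambda pair: pair[0])
    rows = []
    for when, entry in selected:
        rows.append({
            "date": when.strftime("%m/%d/%Y"),
            "time": when.strftime("%I:%M") + (" a.m." if when.hour < 12 else " p.m."),
            "name": USER_DIRECTORY.get(entry["user"], entry["user"]),
            "description": entry["record"],
            "action": ACTION_WORDS.get(entry["action"], entry["action"].title()),
        })
    return rows

def render(rows):
    """Render the rows as an aligned, human-readable table like HHS's 'good' example."""
    cols = ("date", "time", "name", "description", "action")
    widths = {c: max([len(c)] + [len(r[c]) for r in rows]) for c in cols}
    lines = ["  ".join(c.title().ljust(widths[c]) for c in cols)]
    for r in rows:
        lines.append("  ".join(r[c].ljust(widths[c]) for c in cols))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(build_access_report(RAW_LOGS, "P001", "2011-12-01")))
```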
Before the effective date of the final rule, if enacted as currently proposed, Covered Entities (and some business associates) will have to:
- Identify all electronic systems that maintain Designated Record Set e-PHI and assess their audit trail capabilities. Implement any necessary modifications and upgrades to electronic systems.
- Review policies and documentation defining PHI constituting the Designated Record Set;
- Revise their Notice of Privacy Practices to address the new accounting requirements and include the right to receive an access report;
- Revise their HIPAA Policies and Procedures, addressing the new accounting and access report requirements, including drafting a new right of access report request form;
- Revise their business associate agreements to address the new accounting and access report requirements; and
- Train their workforce on new accounting and access report requirements.
HOWEVER, BEFORE INVESTING RESOURCES OR DOLLARS IN ANY OF THE ABOVE TASKS, WAIT TO SEE WHAT THE FINAL VERSION OF THIS PROPOSED RULE SAYS!
If you do not like what you have just read or, on the other hand, if you feel that it is the best thing since HIPAA was enacted, then let HHS know your thoughts. You may submit comments by the internet, U.S. mail, hand delivery or courier to HHS by August 1, 2011. Instructions for submitting comments can be found in the Proposed Rule by clicking on the following link: http://www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf.
If you have any questions or would like assistance drafting your comments to HHS, please do not hesitate to contact Sarah Coyne at (608) 283-2435 / firstname.lastname@example.org or your local Quarles & Brady attorney. There will also be more HIPAA rules coming soon, and we will keep you informed.