On May 31, 2011, the Office of Civil Rights (OCR) and Department of Health and Human Services (DHHS) issued a Notice of Proposed Rulemaking that modifies the HIPAA Privacy Rule’s Accounting of Disclosure requirements. The new rule implements stricter disclosure requirements, as mandated by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).
Under the proposed rule, a covered entity or business associate must, upon request, provide a patient with an accounting of protected health information disclosures in connection with treatment, payment, and health care operations (“accounting report”). The accounting report should include the date and time a record set was accessed, as well as the name of the person or entity accessing the record set. Covered entities and business associates must maintain this information for three years. The proposed rule is scheduled to become effective on January 1, 2013.
The proposed regulations expand significantly the responsibility of both covered entities and their business associates to document and track the use and disclosure of protected health information. While these new rules will be burdensome to implement, DHHS believes they are vital to increasing transparency and patient trust, as well as discouraging inappropriate behavior. In recent years, several high profile cases in Los Angeles alone have demonstrated the need for such protections due to the unlawful use and disclosure of protected health information of celebrities.
In light of these new developments, early adopters of electronic health records (EHR) should check whether their current systems are compliant with these new disclosure requirements and whether they have the capability to produce an accounting report. Providers that are considering the adoption of electronic health records should request that any potential electronic records system have an audit trail feature that is capable of producing compliant audit reports.
Nelson Hardiman has helped many providers transition from paper to EHR. Nelson Hardiman regularly counsels providers on HIPAA compliance and develops customized compliance plans based on a provider’s individual needs. Please contact Nelson Hardiman if you have any questions about this new rule or HIPAA compliance in general.
Reference:http://www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf