HIPAA experts say the major takeaway from the proposed rule on HIPAA Privacy Rule disclosures, published May 31 in the Federal Register, is the need to revisit existing auditing methods for disclosures of protected health information.
But let's take a closer look. For starters, auditing is already mandatory, regardless of what the proposed rule says.
The HIPAA Security Rule already requires audit tracking: Rule 45 CFR 164.312, technical safeguards, requires covered entities (CEs) (and now business associates, per HITECH) to "implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI."
Adam H. Greene, JD, MPH, of Davis Wright Tremaine LLP, based in Seattle, helped author the proposed rule during his time at the Office for Civil Rights (OCR). The 12-year health law veteran and key regulator for the Department of Health & Human Services (HHS), who left the government agency in April, says covered entities "are going to need to take a fresh look at their auditing procedures and what systems qualify as 'designated record sets (DRS).'"
The HITECH Act requires CEs and business associates (BAs) to provide an accounting of disclosures of PHI made through an electronic health records system for treatment, payment, and healthcare operations (TPO), dating back three years from the date of the request.
The proposed rule implements this requirement through the right to an "access report," which includes an accounting of who accessed electronic health information in a DRS, for any reason. This includes both uses and disclosures, regardless of the purpose.