Technology
e-Newsletter
Intelligence Unit Special Reports Special Events Subscribe Sponsored Departments Follow Us

Twitter Facebook LinkedIn RSS

Proposed HIPAA Disclosure Rule, Explained

Dom Nicastro, for HealthLeaders Media, June 2, 2011

DRS definition: According to the HIPAA Privacy Rule, a DRS is a group of records maintained by or for a CE which:

  • Consists of medical records and billing records about individuals maintained by or for a CE
  • Contains enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Is used, in whole or in part, by or for the CE to make decisions about individuals

Comment period: Comments on this proposed rule must be submitted on or before August 1, 2011.

New rule a burden for providers and BAs? Yes, according to HHS itself in the proposed rule. Adam H. Greene, JD, MPH, of Davis Wright Tremaine LLP, based in Seattle, adds that healthcare providers who do not maintain comprehensive audit logs will be required to do so and the proposed rule may represent a significant burden. "For health plans, this proposed rule most likely represents an unwelcome surprise since it encompasses their systems, rather than only 'electronic health records,' " said Greene, a 12-year health law veteran and key regulator for HHS who left the government agency last month, but not before helping author this proposed rule published this week.

Is this accounting completely new? No. The HIPAA Security Rule already requires audit tracking: Rule 45 CFR 164.312, technical safeguards, requires CEs (and now BAs, per HITECH) to "implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI."

Chris Apgar, CISSP, president, Apgar & Associates, LLC, in Portland, OR, points out that 45 CFR 164.308 includes two periodic audits (user login monitoring and information systems activity review) that rely or should rely on generated audit logs. Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, in Des Moines, IA, says she doubts if more than 40% of CEs and BAs combined actually have such logging in place.

1 | 2 | 3 | 4

Comments are moderated. Please be patient.

2 comments on "Proposed HIPAA Disclosure Rule, Explained"


Dan Berger (6/9/2011 at 11:37 PM)
In mid-to-late 2012, business associates and their subcontractors will have the same obligations as covered entities under the HIPAA Security Rule [INVALID] and therefore must conduct their own HIPAA security risk assessments. Sue McAndrew, Deputy Director for Health Information Privacy at the Office of Civil Rights (OCR), has called the extension of direct liability to business associates "a sea change" in the regulations. http://wp.me/pymfm-J2

Kim Corrigan (6/3/2011 at 10:34 AM)
The intent of HIPAA was to protect individuals' health care information. The intent of EMR was to streamline and coordinate care across systems. The concept of disclosure should already have been built into the systems if the true intent was/is to protect the individual. Any other intent would defer on the side of government and/or for-profit health care plans having access and ability to manipulate the delivery of care without an individual's knowledge. Any access/changes/decisions to an individual's health records in any form should be visible to the individual (and any designee) with a look back period of 3 years. If we can see who accessed a credit report, we should certainly be able to see who accessed our health records.