
Proposed HIPAA Disclosure Rule, Explained

Dom Nicastro, for HealthLeaders Media, June 2, 2011

"There is uncertainty about what qualifies as a breach since it's left up to the individual organization. That's a big loophole," Borten says. "The NPRM example of PHI outside a DRS (hence, not subject to this reporting) is PHI in a peer review report. But how confident are we that a covered entity would know of unauthorized use or disclosure of a peer review report and would deem it a breach?" 

A shorter reporting period?

The proposed rule would have providers account for disclosures going back three years, instead of the current six. Herold says it's probably an attempt on the part of the lawmakers to help save storage space, about which many organizations have expressed concerns. The three-year timeframe was also established within Sec. 13405(c) of HITECH, so it is not a new idea. Borten calls it "a bit puzzling."

Organizations already keep accounting information for six years, and since the statute of limitations for civil action is six years, Borten says, "I don't see a good reason to reduce the reporting period to only the past three years. Some hospitals with user access logs already keep them for at least six years and even longer. The hard part of meeting the current requirement is setting up and following the process, not data storage, and the process as stipulated in the privacy rule should already be in place."



Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.


2 comments on "Proposed HIPAA Disclosure Rule, Explained"


Dan Berger (6/9/2011 at 11:37 PM)
In mid-to-late 2012, business associates and their subcontractors will have the same obligations as covered entities under the HIPAA Security Rule and therefore must conduct their own HIPAA security risk assessments. Sue McAndrew, Deputy Director for Health Information Privacy at the Office of Civil Rights (OCR), has called the extension of direct liability to business associates "a sea change" in the regulations. http://wp.me/pymfm-J2

Kim Corrigan (6/3/2011 at 10:34 AM)
The intent of HIPAA was to protect individuals' health care information. The intent of EMR was to streamline and coordinate care across systems. The concept of disclosure should already have been built into the systems if the true intent was/is to protect the individual. Any other intent would defer on the side of government and/or for-profit health care plans having access and ability to manipulate the delivery of care without an individual's knowledge. Any access/changes/decisions to an individual's health records in any form should be visible to the individual (and any designee) with a look back period of 3 years. If we can see who accessed a credit report, we should certainly be able to see who accessed our health records.