
6 Things to Know About the HIPAA Disclosures Proposed Rule

By Dom Nicastro (dnicastro@hcpro.com) | June 07, 2011

HIPAA experts say the major take-away from the HIPAA Privacy Rule accounting-of-disclosures proposed rule, published May 31 in the Federal Register, is the need to revisit existing methods for auditing disclosures of protected health information (PHI).

But let's take a closer look. For starters, audit tracking is already mandatory, regardless of what the proposed rule says.

The HIPAA Security Rule already requires it: the audit controls standard at 45 CFR 164.312(b), part of the technical safeguards, requires covered entities (CEs) (and now business associates (BAs), per HITECH) to "implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI."

Adam H. Greene, JD, MPH, of Davis Wright Tremaine LLP, based in Seattle, helped author the proposed rule during his time at the Office for Civil Rights (OCR). The 12-year health law veteran and key regulator for the Department of Health & Human Services (HHS), who left the government agency in April, says covered entities "are going to need to take a fresh look at their auditing procedures and what systems qualify as 'designated record sets (DRS).'"

The HITECH Act requires CEs and BAs to provide an accounting of disclosures of PHI made through an electronic health record system for treatment, payment, and healthcare operations (TPO), covering the three years preceding the request.

The proposed rule implements this requirement through the right to an "access report," which includes an accounting of who accessed electronic health information in a DRS, for any reason. This includes both uses and disclosures, regardless of the purpose.

While it is a good time to review existing auditing procedures, remember that this is a proposed rule, subject to change. Privacy and security officers "may want to sit tight and not act prematurely in response to a proposed, rather than final, rule," Greene says.

He does recommend, however, taking note of a few things:

1. Expansion of the accounting-of-disclosures details. This will require changes to the corresponding policies and/or procedures that cover accounting for disclosures, in addition to possible changes in the applications used to log and track these types of disclosures, and in the way the accounting is provided to individuals who request it, says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, in Des Moines, IA.

2. The creation of a new DRS (containing ePHI) access report. This data is likely already collected somewhere, but CEs and BAs (those that have DRSs) will need to create reports that are readable by the individuals requesting them, not just a listing of raw log data, says Herold.

3. Updates to Notices of Privacy Practices (NPPs). The need to let individuals know about their new, expanded rights will require CEs to update their NPPs and then ensure the updated NPPs are provided to patients according to the new requirements and within the indicated timeframes; the proposed rule does appear to accommodate CEs by aligning with the current requirement for at least annual notices.

4. The change from six years to three years for the accounting of disclosures. This is likely meant to reduce the storage burden for CEs and BAs, in addition to the reasons stated in the notice of proposed rulemaking (NPRM). "However, an impact already being heard is the concern that there are still other standing requirements to maintain certain other documentation, such as policies/procedures, for at least six years," Herold says. "CEs and BAs now wonder if they HAVE to change the disclosures to three years, or can keep current logging practices the same (at six years) so they can have one less thing to do with implementing the final version of this NPRM."

5. New duties for BAs. Herold cites the need for BAs not only to get into compliance with the accounting-for-disclosures requirements, but also to create the new ePHI access reports. They have to do this while still trying to get into compliance with the other HITECH requirements, on which most have made little progress to date, she adds. BAs must now comply, per HITECH, with the HIPAA Security Rule.

6. It's not too soon to start. If adopted as proposed, the access-report requirement would take effect January 1, 2013, for electronic DRSs acquired after January 1, 2009, and January 1, 2014, for electronic DRSs acquired on or before January 1, 2009. "So, with all the probable programming/systems changes these will bring, CEs and BAs will need to get started on the changes sooner rather than later," Herold says. "Certainly as soon as the final version of the Accounting for Disclosures NPRM is released. Determining where all DRSs exist now would be prudent; even if the NPRM is not finalized as is, entities need to have this information documented anyway, and most do not."
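The access report described above (who accessed ePHI in a designated record set, for any purpose, over the three years preceding the request) is, at bottom, a query over the audit trail that 45 CFR 164.312(b) already requires, turned into something a patient can read. The following is an added example, not code from the article, the proposed rule, or any vendor product: it parses a constructed, pipe-delimited audit log format (the field layout, system names, user names and patient IDs are all assumptions made for the illustration), keeps only a named patient's record within a configurable lookback window, and renders each event as a plain-language line rather than raw log data. The lookback defaults to three years to match the NPRM, but is a parameter, since an entity that keeps six years of logs (item 4) may need to produce either.

```python
"""Turn raw ePHI audit-log lines into a per-patient access report.

Added illustration. The log format, systems, users and patient IDs below
are constructed for this example and do not come from any real product
or from the proposed rule.
"""
from collections import Counter, namedtuple
from datetime import datetime

AccessEvent = namedtuple("AccessEvent", "when user system patient action purpose")

# Constructed sample audit trail (assumed format):
#   timestamp|user|system|patient_id|action|purpose
SAMPLE_LOG = """\
2011-06-01T09:15:00|jsmith|EHR-Clinical|P-1001|VIEW|treatment
2011-06-01T09:20:00|jsmith|EHR-Clinical|P-1002|VIEW|treatment
2011-06-02T14:05:00|billing01|PracticeMgmt|P-1001|EXPORT|payment
2010-03-15T08:00:00|rjones|EHR-Clinical|P-1001|UPDATE|treatment
2007-11-20T11:30:00|oldacct|LegacyLab|P-1001|VIEW|operations
garbage line that should be skipped
2011-06-03T16:45:00|auditor|EHR-Clinical|P-1001|VIEW|operations
"""


def parse_log(text):
    """Parse audit lines into AccessEvent records, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 6:
            continue  # wrong field count: skip rather than mis-parse silently
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp: skip for the same reason
        events.append(AccessEvent(when, *parts[1:]))
    return events


def window_start(request_date, years):
    """Start of the lookback window, handling a request made on 29 February."""
    try:
        return request_date.replace(year=request_date.year - years)
    except ValueError:
        return request_date.replace(year=request_date.year - years, day=28)


def access_report(events, patient_id, request_date, lookback_years=3):
    """Rows for one patient within the window, oldest first.

    No filtering on purpose: the proposed access report covers uses and
    disclosures alike, so treatment, payment and operations all appear.
    """
    start = window_start(request_date, lookback_years)
    rows = [
        {"when": e.when, "user": e.user, "system": e.system,
         "action": e.action, "purpose": e.purpose}
        for e in events
        if e.patient == patient_id and start <= e.when <= request_date
    ]
    rows.sort(key=lambda r: r["when"])
    return rows


def format_report(rows):
    """Render rows as plain-language lines suitable for handing to a patient."""
    return [
        "%s  %s accessed the record in %s (%s; purpose: %s)"
        % (r["when"].strftime("%Y-%m-%d %H:%M"), r["user"],
           r["system"], r["action"], r["purpose"])
        for r in rows
    ]


def by_user(rows):
    """Count of accesses per user, for the 'who accessed it' summary."""
    return dict(Counter(r["user"] for r in rows))


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    rows = access_report(events, "P-1001", datetime(2011, 6, 7))
    for line in format_report(rows):
        print(line)
    print(by_user(rows))
```

In the sample data the 2007 access from the legacy lab system drops out of the default three-year window but reappears with `lookback_years=6`, which is exactly the choice item 4 describes; the malformed line is skipped rather than silently producing a bogus row, which matters when the report is a legal response to a patient.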

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
