On May 31, 2011, the Department of Health and Human Service (HHS) published its proposed revisions to the accounting of disclosures requirements, one of the more controversial mandates under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
In short, the proposal would provide patients and enrollees with the ability to learn who has seen their records, through an “access report” (without providing information about the reason), and would provide more detailed information for disclosures of information that are most likely to be of interest to the individual (such as disclosures to law enforcement).
HIPAA-covered entities should remember that this is a proposed rule and, therefore, should not rush to make costly changes to systems and processes based on this proposal. Nonetheless, they should understand the proposal and its possible implications, and proactively address some basic issues.
This is a good time for covered entities to:
• Comment on the proposed rule (comments are due Aug. 1, 2011), both with respect to provisions that may be overly burdensome and those that may prove beneficial.
• Assess their electronic auditing of information system activity to ensure that they are comprehensively logging user access to electronic protected health information in designated record sets.
• Revisit and, if necessary, update their documentation relating to designated record sets (generally medical and billing records).
• Verify (and reassess, if necessary) which business associates have access to designated record sets.
Source: Davis Wright Tremaine LLC
