Proposed HIPAA Privacy Rule Provisions Require Accounting of Electronic Disclosures
The Department of Health and Human Services has issued a proposed Rule modifying the Health Insurance Portability and Accountability (HIPAA) Act Privacy Rule to require an accounting of electronic disclosures of protected health information and extend its application to business associates.
The Health Information Technology for Economic and Clinical Health Act (HITECH) required the amendment of the Privacy Rule. Under the HITECH Act, health care providers must account for disclosures of protected health information through an electronic health record. The accounting for disclosures under traditional medical records has long been required.
Not only is HHS implementing the required HITECH accounting requirements, but it is also revising the accounting disclosure requirements. Specifically, the proposed Rule does not permit an individual to obtain a report of every access to their protected health information. Instead, they are entitled to an accounting of only those disclosures of their electronic health records. The Department believes that this will minimize the burden on health care providers.
Also consistent with the HITECH Act, HHS is broadening the accounting and disclosure requirements to business associates in its newly proposed Rule.
Health care providers and business associates should continue to monitor these new privacy-related developments.