On May 31, 2011, the Department of Health and Human Services (HHS) released a notice of proposed rulemaking (NPRM) to implement the statutory requirement under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), whereby covered entities and business associates must account for disclosures of protected health information (PHI) made through an electronic health record (EHR) to carry out treatment, payment, and health care operations (TPO). The NPRM expands upon this HITECH Act requirement, and also substantially revises the current HIPAA requirements related to accounting of disclosures of PHI under 45 C.F.R. § 164.528.
What Is The NPRM?
The NPRM is HHS’s current proposal for the new requirements. HHS is seeking comments from the public through August 1, 2011, which will be considered by HHS prior to finalizing the new requirements.
There are two main sections to the NPRM, which are separate, yet complementary – the first section proposes substantial revisions to the current accounting of disclosures requirement under 45 C.F.R. § 164.528, and the second proposes providing individuals with a right to receive an access report that indicates who has accessed their electronic designated record set information at a covered entity or business associate. The right to an access report would provide information on who has accessed electronic PHI in a designated record set (including access for TPO), while the right to an accounting would provide additional information about the disclosure of designated record set information (whether hard-copy or electronic) to persons outside the covered entity and its business associates for certain purposes. Each proposal has a separate effective date: the revisions to the accounting of disclosures requirement become effective 180 days after the effective date of the final rule, and the new access report requirement becomes effective January 1, 2013 for electronic designated record set systems acquired after January 1, 2009, and January 1, 2014 for electronic designated record set systems acquired prior to or as of January 1, 2009.
What You Need To Do If NPRM Becomes a Final Rule
Because the NPRM is a proposed rule, covered entities and business associates are not currently required to take any action. However, such entities would likely need to take action once a final rule is promulgated. Such actions may include:
- Revisions to current HIPAA policies and procedures to reflect revised accounting for disclosures requirements, and the implementation of new policies and procedures to address the access report requirement
- The implementation of standardized request forms that an individual may use to request an accounting of disclosures or an access report, and which allow the individual to limit his or her request to certain disclosures, time frames, etc.
- Modifications to systems and processes, such as creating a process to aggregate data from multiple access logs into a single access report