HITECH Disclosures Rule Proposed

Guidelines for Revealing Who Accesses Patient Data
HITECH Disclosures Rule Proposed
Federal authorities have issued a detailed notice of proposed rulemaking that sets out guidelines for how patients must be provided with an accounting of who has viewed their protected health information.

The HITECH Act mandated the accounting of disclosures rule, which would modify the HIPAA privacy rule.

The Department of Health and Human Services' Office for Civil Rights, which drafted the proposal, says it provides two separate rights for individuals.

The proposal would give patients the right to obtain an "access report" for electronic health records. Such a report would identify "electronic access by both workforce members and persons outside the covered entity." The access report would "provide information on who has accessed electronic protected health information in a designated record set, including access for purposes of treatment, payment and healthcare operations."

In addition, the rule would provide patients with the separate right to an "accounting of disclosures" that "would provide additional information about the disclosure of designated record set information, whether hard-copy or electronic, to persons outside the covered entity and its business associates for certain purposes (e.g. law enforcement, judicial hearings, public health investigations)."

In explaining the difference between these two provisions, the proposal states: "The intent of the access report is to allow individuals to learn if specific persons have accessed their electronic designated record set information (it will not provide information about the purposes of the person's access.) In contrast, the intent of the accounting of disclosures is to provide more detailed information ... for certain disclosures that are most likely to impact the individual."

A Reasonable Burden?

Summing up the two-pronged approach, OCR states: "We believe that these changes to the accounting requirements will provide information of value to individuals while placing a reasonable burden on covered entities and business associates."

OCR notes that it plans to work with the Office of the National Coordinator for Health IT to ensure that certification standards for electronic health record software that qualifies for future stages of the HITECH Act EHR incentive program will align with the new disclosure requirements.

The notice of proposed rulemaking was published in the Federal Register May 31. OCR will accept comments on the notice for 60 days before it begins work on finalizing the rule.


About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.co.uk, you agree to our use of cookies.