
New HIPAA Rules Proposed for Disclosure Accounting

A dreaded accounting-of-disclosure rule for electronic protected health information (ePHI) will require action by many employers in their roles as health plan sponsors. (Employers are not technically “covered entities” under HIPAA privacy but, in effect, must comply if they’re involved in plan administration.) The rule came out in proposed form on May 31. It would expand accounting of disclosures by requiring covered entities to create access reports for electronic releases — including releases for treatment, payment and “health care operations” (TPO). Those reports would have to be available to patients and plan members on demand. (Much opposition to the rule will be based on the paucity of such demands.) Plan sponsors will have to let individuals know about their expanded rights in an updated HIPAA privacy notice. The silver lining is that plans will not have to rush: the reporting requirements won’t begin until Jan. 1, 2013, so the notices can be tucked in with all other modifications during normal plan renewal time, writes David Slaughter, editor of the Employer’s Guide to HIPAA Requirements. See below.

The changes were proposed this week by the Department of Health and Human Services. The proposal includes a new “access report” right that incorporates, and actually expands on, the accounting requirements added to HIPAA by the 2009 HITECH Act.

The existing right to an accounting of disclosures of one’s protected health information would remain in effect, with certain modifications. The two requirements “would be distinct but complementary,” according to HHS’ preamble to the proposed rules, which appeared in the May 31 Federal Register (76 Fed. Reg. 31426).

HIPAA’s disclosure accounting requirement has been controversial in the past. Health care organizations have cited the administrative burden of tracking and retaining disclosures and the infrequency of actual requests for these reports.

Nonetheless, the HITECH Act actually expanded this requirement to cover disclosures for “treatment, payment and health care operations” (TPO), which were exempt under the prior HIPAA law, if such disclosures were made from an electronic health record. Congress’ assumption was that EHRs would make disclosures easier to track and compile.

HHS’ proposal actually goes farther than this HITECH provision in some respects, while making the existing accounting requirements less stringent in others. The agency envisions a two-tiered system of:

  • access reports, which include certain basic information on most instances of access to electronic PHI (internal or external); and
  • more traditional HIPAA accountings, which focus on certain types of disclosures likely to be of greatest interest to the individual, but include a more detailed description.

Of particular note to employers and health plans, HHS would extend the access report requirement to any electronic “designated record set” — a HIPAA term that includes plans’ enrollment and claims records — not just “electronic health records,” which arguably could be limited to health care provider systems.

HHS’ Office for Civil Rights is accepting comments on the proposed rules until Aug. 1.