HHS Announces Additional Protections for Patient Privacy

The Department of Health and Human Services (HHS) today issued its proposed regulations to modify the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The new standards concern how the Privacy Rule accounts for disclosures of protected health information (PHI). HHS proposes to require covered entities and business associates to account for disclosures of protected health information made for treatment, payment, and health care operations, provided such disclosures are made through the patient’s electronic health record.

An extension of the Health Information Technology for Economic and Clinical Health Act (HITECH) and HIPAA, these proposed regulations would entitle individuals to an access report identifying who has accessed their electronic protected health information. The Privacy Rule (45 C.F.R. § 164.528) currently requires covered entities to provide, at an individual’s request, an accounting of certain disclosures of health information. A disclosure is defined at Section 160.103 as “the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.”

For each disclosure, the accounting must include:

  • The date of the disclosure
  • The name (and address, if known) of the entity or person who received the protected health information
  • A brief description of the information disclosed
  • A brief statement of the purpose of the disclosure

Existing law, however, exempts a number of disclosures from the accounting requirement, including disclosures:

  • To carry out treatment, payment and health care operations
  • Pursuant to an authorization
  • For the facility’s directory or to persons involved in the individual’s care

Section 13405(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA), provides that the Privacy Rule’s exemption for disclosures to carry out treatment, payment, and health care operations no longer applies to disclosures made “through an electronic health record.” Section 13400 of the HITECH Act defines an electronic health record (“EHR”) as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.”

If adopted without further modification, individuals would have the right to receive an accounting of such disclosures made during the three years preceding the request. HHS has proposed that these new requirements take effect January 1, 2013 (for EHR systems acquired after January 1, 2009) and January 1, 2014 (for EHR systems acquired before January 1, 2009).

Additional information about these changes to patient privacy rights can be found on the Federal Register website.