OCR to Revisit “Accounting of Disclosures” Proposed Rule

This fall, the Office for Civil Rights (OCR) will again solicit public comment on a proposed rule that would modify HIPAA’s privacy regulations as necessary to implement the accounting of disclosures provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH). OCR will withdraw the previous notice of proposed rulemaking (76 FR 31426) that was published in 2011.

Under HIPAA’s Privacy Rule, individuals have a right to an accounting of disclosures of their protected health information (PHI) made by a covered entity to outside persons or entities. This accounting must include the date of the disclosure; the name of the entity or person who received the PHI and, if known, the address of such entity or person; a brief description of the PHI disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure. The accounting of disclosures provision does not, however, apply to disclosures a covered entity makes for purposes of treatment, payment, or health care operations (commonly referred to as TPO).

Enacted in 2009, HITECH changed the accounting right so that it no longer includes an exception for TPO disclosures if those disclosures are made through an electronic health record (EHR), and mandated that OCR update the Privacy Rule to reflect this change. To comply with this mandate, OCR published in May 2011 a proposed rule that would have required covered entities not only to provide an accounting of TPO disclosures made through an EHR, but to provide patients, upon request, with an “access report” listing all persons within the covered entity who had viewed their electronic health records.

Such reports would thus have to include not only outside disclosures as provided for in the Privacy Rule, but also legitimate and permissible accesses by a covered entity’s or business associate’s own workforce members. Not surprisingly, this “access report” provision was widely criticized by the healthcare industry, with opponents arguing that it would be overly burdensome and went well beyond what HITECH requires.

Although OCR never finalized the 2011 proposed rulemaking, it is still obligated by HITECH to promulgate a final regulation allowing individuals to receive an accounting of TPO disclosures through an EHR. It has indicated that it will do this through an Advance Notice of Proposed Rulemaking (ANPRM), which is not a required part of the rulemaking process but a voluntary means of engaging the public at an early stage in order to seek input from interested parties before formal regulatory action is taken. The ANPRM may solicit general information or ask the public to respond to specific questions and will likely allow for a 30- to 60-day comment period.

MagMutual will continue to monitor developments related to the issuance of the ANPRM and will provide information on how PolicyOwners may participate in the public comment process. If you have questions, please contact The Institute at MagMutual® at 404-842-5600.