The Office for Civil Rights of the U.S. Department of Health and Human Services published a Request for Information on the HITECH Act provisions that require HIPAA covered entities to account for disclosures of protected health information through an electronic health record for treatment, payment and health care operations purposes to facilitate its issuance of a proposed regulation implementing the HITECH provisions.
On May 3, 2010, the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) issued a Request for Information on the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act that expand the requirements for accounting of disclosures of patients’ protected health information (PHI) to include disclosures made through an electronic health record (EHR) for treatment, payment and health care operations purposes. The HITECH Act requires HHS to issue rules governing this expansion and, in doing so, to balance the interest of individuals in learning the circumstances under which their protected health information is being disclosed and the administrative burden of accounting for disclosures for treatment, payment and health care operations through an EHR. Comments received by May 18, 2010, in response to the RFI will assist HHS in developing a proposed rule on this topic.
The RFI is available here.
Current Accounting Standard Under the HIPAA Privacy Rule
The current standards for the privacy of individually identifiable health information (Privacy Rule) adopted by HHS under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) grant patients the right to receive an accounting of certain non-routine disclosures of their PHI, within 60 days of the patient’s request (with one 30-day extension available) from a covered entity or its business associate. This accounting right is limited to PHI disclosures made by a covered entity (and its respective business associates) for a maximum period of six years prior to the patient’s request. Under the current Privacy Rule, a covered entity is not required to account for disclosures that are:
- For treatment, payment or health care operations
- To the patient or the patient’s personal representative
- Incident to otherwise permitted or required uses or disclosures
- Pursuant to a patient authorization
- For the covered entity’s facility directory or to persons (e.g., family members) involved in the patient’s health care or health care payment
- For disaster relief
- For national security or intelligence purposes
- To correctional institutions or law enforcement officials for certain purposes
- Part of a limited data set or
- Made prior to the HIPAA compliance date for the covered entity or business associate
The accounting of disclosures report must include the date of the disclosure; the name of the entity or person who received the PHI, and if known, the address; a brief description of the PHI disclosed; and a brief statement of the purpose of the disclosure or a copy of the request for the disclosure. For disclosures related to research projects involving more than 50 individuals, the covered entity may opt to provide a general summary about the disclosures (which may or may not include details about the patient’s own PHI) and the research and research sponsor’s contact information. Multiple disclosures to the same entity or person may be aggregated.
Covered entities must provide the first accounting of disclosures report free of charge but may charge patients a reasonable cost-based fee for additional requests by the same individual within the same 12-month period, provided the individual is informed in advance of the fee and is given the opportunity to withdraw or modify the request.
Expanded HITECH Accounting Requirements
The HITECH Act requires HHS to revise the Privacy Rule’s current standard for accounting of PHI disclosures to require covered entities and business associates to account for treatment, payment and health care operations disclosures of PHI made through an EHR. This expanded accounting requirement is limited to disclosures made up to three years prior to the patient’s request. Covered entities have the option of either including the EHR disclosures made by their business associates in the same accounting of disclosures report or providing patients with a list of their business associates who would then be required to provide an accounting directly to the patient. The list of business associates must include the contact information for each such associate (e.g., mailing address, phone number and email address).
The compliance dates for this new EHR accounting requirement are staggered—a covered entity’s compliance date will depend on when it acquired its EHR. A covered entity with an EHR as of January 1, 2009, must be able to provide an accounting of disclosures of PHI for treatment, payment and health care operations made on or after January 1, 2014, but the Secretary of HHS has the discretion to delay this compliance date until a date no later than January 1, 2016. A covered entity that acquired an EHR after January 1, 2009, must be able to honor requests for an accounting of disclosures of PHI for treatment, payment and health care operations made on or after the later of January 1, 2011, or the date the covered entity acquires the EHR, but the Secretary of HHS has the discretion to delay this compliance date to a date no later than January 1, 2013.
The expansion of the current Privacy Rule to cover treatment, payment and health care operations disclosures requires covered entities and their EHRs to have the capacity to track, store and compile a vast amount of information. Producing an accounting of disclosures report under the new HITECH rules will be technically challenging and operationally burdensome, particularly for early adopters of EHRs with multiple information systems. The Office of the National Coordinator of Health Information Technology (ONC), which is part of HHS, acknowledged that several significant challenges need to be addressed before it will be possible to record the necessary information about disclosures in an efficient manner in its January 13, 2010, interim final rule establishing the initial set of standards, implementation specifications and certification criteria for EHR technology. For example, the ONC noted the lack of any particular EHR technology for recognizing the difference between the internal use of PHI by a covered entity’s workforce members and a disclosure to third parties. One estimate of compliance costs for a large health system is in the tens of millions of dollars for programming, storage, infrastructure development and maintenance, as well as personnel costs. It will be important for covered entities and business associates who expect to experience a large compliance burden to respond to the RFI and to comment on the forthcoming proposed rule.
HHS Request for Information and Next Steps
The HHS Office of Civil Rights is in the process of meeting with various stakeholders on the administrative burdens and limitations of tracking EHR disclosures, as well as considering comments received from the general public through this RFI. After HHS reviews the responses to the RFI, a Notice of Public Rulemaking on the new accounting for disclosures regulations with a 60-day comment period is expected. Final rules would presumably follow shortly thereafter unless the Secretary utilizes her discretion to delay the effective dates by up to two years.