HHS Proposes Changes To HIPAA Privacy Rule

The U.S. Dept. of Health and Human Services has proposed changes to the Health Insurance Portability and Accountability Act privacy rule that would provide individuals with more details about who accessed their electronic health information and disclosures of the e-health data.

The changes to the HIPAA privacy rule are being proposed by HHS' Office for Civil Rights in accordance with accounting disclosure requirements mandated by the HITECH Act.

The proposed changes would revise HIPAA's privacy rule by dividing it into two separate rights for individuals: "an individual's right to an accounting of disclosures" and "individual's right to an access report, which would include electronic access by both workforce members and persons outside the covered entity."

The proposed rule said "the purpose of these modifications is, in part, to implement the statutory requirement under the HITECH Act to require covered entities and business associates to account for disclosures of protected health information to carry out treatment, payment, and health care operations if such disclosures are through an electronic health record," said the proposed rule.

Under the proposed changes, individuals could request a report on who accessed their health information.

"The access report documents the particular persons who electronically accessed and viewed an individual's protected health information," said HHS in a statement.

The proposed rule also requires a more detailed accounting of certain disclosures of health information that could affect an individual, whether it was hard copy or electronic.

"Although covered entities are currently required by the HIPAA Security Rule to track access to electronic protected health information, they are not required to share this information with people," said HHS.

"The proposed rule requires an accounting of more detailed information for certain disclosures that are most likely to affect a person's rights or interests," said HHS.

The proposed changes to the accounting requirements provide information of value to individuals "while placing a reasonable burden on covered entities and business associates."

For instance, the 95-page notice of proposed rulemaking requires healthcare providers, health plans, health care clearing houses and business associates to provide patients upon request an accounting of data disclosures from the patient's e-health records for treatment, payment, as well as for public health investigation and law enforcement.

OCR will accept public comments on the proposed rule untill July 31 before work begins on the final rule.

In the new, all-digital InformationWeek Healthcare: iPads are leading a new wave of devices into the exam room. Are security, tech support, and infection control up to the task? Download it now. (Free registration required.)