This post was originally written for the Life Sciences Legal Update blog by Gina M. Cavalier, Vicky G. Gormanly and Brad M. Rostolsky.
Pursuant to the HITECH Act, covered entities and business associates must account for disclosures of PHI for treatment, payment and health care operations if the disclosures are through an electronic health record. This represents a significant change to the requirements under the current HIPAA Privacy Rule. The Department of Health and Human Services (HHS) published a notice of proposed rulemaking on May 31, 2011 to modify the Privacy Rule’s standard for accounting of disclosures of protected health information.
HHS proposes to expand the accounting requirements of the Privacy Rule to provide individuals with the right to receive an access report detailing who has accessed their electronic PHI in a designated record set. Accordingly, HHS proposes to revise an individual’s right to an accounting under the Privacy Rule by separately setting forth an individual’s right to (a) an accounting of disclosures and (2) an access report. HHS has also proposed other changes designed to improve the workability and effectiveness of the existing accounting of disclosures requirements. Comments are due August 1, 2011.