Changes to HIPAA Privacy Rule Proposed by HHS - Find Out Who Has Accessed Your Health Records

On May 31, 2011 the Department of Health and Human Services Office for Civil Rights issued a notice of proposed rulemaking that would add substantial data privacy requirements to the HIPAA Privacy Rule. One of the requirements the HHS proposed pursuant to both the HITECH Act and its more general authority under HIPAA is for individuals to have the right to request from a covered entity (such as a health care provider or a health plan) a list of any individuals or entities that have accessed the individuals’ electronic health records. Currently, HIPAA and HHS regulations require covered entities to track access to health records, but they covered entities are not required to provide that information to patients. The proposed rule would give patients the right to request an “access report” which would document the identities of those who electronically viewed their protected health information. “This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information,” said Georgina Verdugo, Director of the Office for Civil Rights. “We need to protect peoples’ rights so that they know how their health information has been used or disclosed.”

The right to an access report would apply only to health information that is maintained using an electronic system, as tracking access to paper records is not automated and would be unduly burdensome according to HHS. The proposed regulations would require covered entities to generate, upon request, an access report from access log data, which is collected by electronic record systems each time a user accesses protected health information. Access reports would detail the access by covered entities as well as business associates –entities that create, receive, maintain, or transmit certain health-related information on behalf of covered entities. The proposed rule requires covered entities and business to retain access logs for no less than three years so that an access reports can document access to the individual’s health information for the three years prior to the individual’s request for the report.

Covered entities and business associates are already required to comply with the HIPAA Security Rule, which obligates them to track access to protected health information. As such, HHS believes that the proposed rule will not be unduly burdensome. According to HHS, many electronic systems are already configured to log the activities that the proposed access reports would reference.

Under the proposed rule, access reports would include the date and time of access, and the name of the individual or entity accessing an individual’s health information. Additionally, if available, an access report would include a description of the information that was accessed and of the action taken by the user (e.g., whether they created, modified or deleted the information). Access reports also must include a statement informing individuals of their right to request access reports in their notices of privacy practices. Additionally, while individuals would be entitled to receive their first access report free of charge, the proposed rule would allow covered entities to charge reasonable, cost-based amounts for any subsequent reports requested within a 12-month period.

To minimize the volume of data in an access report, covered entities could give individuals the option to limit the coverage of the report by a specific date, time period, or person. For example, the individual requesting a report could elect to limit an access report to disclose only whether a particular family member accessed the individual’s health records within the last six months. Additionally, HHS is recommending – although not requiring in the proposed rule – that covered entities offer individuals the option to limit access reports to specific organizations. For example, if an individual does not wish to learn whether his or her health records were accessed by business associates, the covered entity would not need to obtain access logs from the relevant business associate to include in the access report the covered entity provides to the individual.

The proposed rule would require covered entities and business associates that implemented electronic record systems after January 1, 2009 to produce access reports beginning January 1, 2013. Entities that have implemented electronic record systems acquired on or before January 1, 2009 would be required to comply with the proposed rule beginning January 1, 2014. HHS has requested comments regarding a variety of issues the proposed rule has raised, and will receive comment submissions until August 1, 2011 (to submit a comment, click HERE ).

InfoLawGroup’s Nicole Friess and Boris Segalis collaborated on this blog post.