Proposed Rule Requires Disclosure of Access to Patient Info

Mark Crane

June 01, 2011

June 1, 2011 — The US Department of Health and Human Services (HHS) is proposing a new privacy rule that would give patients the right to receive a detailed report on who has electronically accessed their protected health information.

Patients would obtain this information by requesting an access report, which would document the particular persons who electronically accessed and viewed their protected health information. Although covered entities, including physicians, hospitals, health plans, and other healthcare organizations, are currently required by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to track access to electronic protected health information, they are not currently required to share this information with patients.

Physicians and all healthcare organizations will need to update their privacy notices under HIPAA to inform patients about how they can request such access reports, an HHS spokesperson told Medscape Medical News. Patients are typically given a privacy notice when they first visit a physician's office. The new notices must be given to patients beginning January 1, 2013, assuming the rule takes effect.

"The changes being proposed will impact physicians," the HHS spokesperson said, who was not authorized to be quoted. "We strongly encourage them to read the rule in the Federal Register and give us their feedback during the comment period. We want to hear from small and mid-sized providers on what they expect the impact will be on their practices."

"This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information," HHS Office of Civil Rights Director Georgina Verdugo said in a news release. "We need to protect peoples' rights so that they know how their health information has been used or disclosed."

The Office of Civil Rights has proposed the changes to comply with the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009.

The proposed privacy rule is divided into 2 separate rights for individuals: the first sets forth an individual's right to an accounting of disclosures, the other focuses on the right to an access report.

"The right to an access report would provide information on who has accessed electronic protected health information in a designated record set (including access for purposes of treatment, payment, and health care operations), while the right to an accounting would provide additional information about the disclosure of...information (whether hard-copy or electronic) to persons outside the covered entity and its business associates for certain purposes (e.g., law enforcement, judicial hearings, public health investigations)," HHS notes in the Federal Register.

The intent of the access report is to allow individuals to learn whether specific persons have accessed their electronic designated record set information, but it won't provide information about the purposes of the person's access. "In contrast, the intent of the accounting of disclosures is to provide more detailed information for certain disclosures that are most likely to impact the individual," HHS notes.

Automated Process Should Provide More Comprehensive Information

Creating a full accounting of disclosures is generally a manual, expensive, and time-consuming process for covered entities. "In contrast, we believe that the process of creating an access report will be a more automated process that provides valuable information to individuals.... By limiting the access report to electronic access, the report will include information that a covered entity is already required to collect under HIPAA rules."

"Our proposal attempts to shift the accounting provision from a manual process that generates limited information to a more automated process that produces more comprehensive information," HHS notes. "We believe that these two rights, in conjunction, would provide individuals with greater transparency regarding the use and disclosure of their information than under the current rule."

As a practical matter, there have been relatively few requests for accountings of disclosures. "While the availability of access reports may lead to an increased number of requests, we would continue to expect that only a small minority of individuals would exercise this right," according to HHS. "Since covered entities should already be logging the information necessary for an access report, there should be minimal, if any, changes to existing information systems," the HHS spokesperson said.

The proposed rule would also reduce the timeframe for responding to an accounting request from 60 days to 30 days. The current requirement to report 6 years of disclosures would be reduced to 3 years under the proposed rule.

The accounting of disclosures would provide the date of the disclosure, what information was disclosed, the recipient of the information, and the purpose for the disclosure — for example, law enforcement.

HHS will be accepting public comments on the proposed rule, published in the Federal Register, through August 1, 2011.


Comments on Medscape are moderated and should be professional in tone and on topic. You must declare any conflicts of interest related to your comments and responses. Please see our Commenting Guide for further information. We reserve the right to remove posts at our sole discretion.