Skip to Content

Proposed Rule

HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act; Request for Information

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Office for Civil Rights, Department of Health and Human Services.

ACTION:

Request for information.

SUMMARY:

Section 13405(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act expands an individual's right under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to receive an accounting of disclosures of protected health information made by HIPAA covered entities and their business associates. In particular, section 13405(c) of the HITECH Act requires the Department of Health and Human Services (“Department” or “HHS”) to revise the HIPAA Privacy Rule to require covered entities to account for disclosures of protected health information to carry out treatment, payment, and health care operations if such disclosures are through an electronic health record. This document is a request for information (RFI) to help us better understand the interests of individuals with respect to learning of such disclosures, the administrative burden on covered entities and business associates of accounting for such disclosures, and other information that may inform the Department's rulemaking in this area.

DATES:

Submit comments on or before May 18, 2010.

ADDRESSES:

Written comments may be submitted through any of the methods specified below. Please do not submit duplicate comments.

  • Federal eRulemaking Portal: You may submit electronic comments at http://www.regulations.gov. Follow the instructions for submitting electronic comments. Attachments should be in Microsoft Word, WordPerfect, or Excel; however, we prefer Microsoft Word.
  • Regular, Express, or Overnight Mail: You may mail written comments (one original and two copies) to the following address only: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HITECH Accounting of Disclosures, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201.
  • Hand Delivery or Courier: If you prefer, you may deliver (by hand or courier) your written comments (one original and two copies) to the following address only: Office for Civil Rights, Attention: HITECH Accounting of Disclosures, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. (Because access to the interior of the Hubert H. Humphrey Building is not readily available to persons without Federal government identification, commenters are encouraged to leave their comments Start Printed Page 23215in the mail drop slots located in the main lobby of the building.)

Inspection of Public Comments: All comments received before the close of the comment period will be available for public inspection, including any personally identifiable or confidential business information that is included in a comment. We will post all comments received before the close of the comment period at http://www.regulations.gov. Because comments will be made public, they should not include any sensitive personal information, such as a person's social security number; date of birth; driver's license number, state identification number or foreign country equivalent; passport number; financial account number; or credit or debit card number. Comments also should not include any sensitive health information, such as medical records or other individually identifiable health information, or any non-public corporate or trade association information, such as trade secrets or other proprietary information.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Andra Wicks, 202-205-2292.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

I. Background

Covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Title II, Subtitle F—Administrative Simplification, Public Law 104-191, 110 Stat. 2021, are currently required by the HIPAA Privacy Rule at 45 CFR 164.528 to make available to an individual upon request an accounting of certain disclosures of the individual's protected health information over the past six years. For each disclosure, the accounting must include: (1) The date of the disclosure; (2) the name (and address, if known) of the entity or person who received the protected health information; (3) a brief description of the information disclosed; and (4) a brief statement of the purpose of the disclosure (or a copy of the written request for the disclosure). For multiple disclosures to the same person for the same purpose, the accounting is only required to include: (1) For the first disclosure, a full accounting, with the elements described above; (2) the frequency, periodicity, or number of disclosures made during the accounting period; and (3) the date of the last such disclosure made during the accounting period. Section 164.528(a)(1)(i) of the Privacy Rule currently exempts disclosures to carry out treatment, payment, and health care operations from these accounting requirements.[1]

Section 13405(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, Public Law 111-5, 123 Stat. 265-66, provides that the exemption at § 164.528(a)(1)(i) of the Privacy Rule for disclosures to carry out treatment, payment, and health care operations no longer applies to disclosures “through an electronic health record.” Under section 13405(c), an individual has a right to receive an accounting of such disclosures that covers disclosures made during the three years prior to the request. Section 13400 of the statute defines “electronic health record” as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.” We take the opportunity in this RFI to request public comment to inform our regulations under the HITECH Act, which requires that we take into account both the interests of individuals in learning the circumstances under which their protected health information is being disclosed and the administrative burden of accounting for disclosures for treatment, payment, and health care operations through an electronic health record.

We request comments specifically on the questions below. The Department welcomes comments from all stakeholders on these issues, but in addition to hearing from covered entities, is particularly interested in hearing from individuals, consumer advocates and groups, and, regarding technical capabilities, from vendors of electronic health record systems.

II. Questions

1. What are the benefits to the individual of an accounting of disclosures, particularly of disclosures made for treatment, payment, and health care operations purposes?

2. Are individuals aware of their current right to receive an accounting of disclosures? On what do you base this assessment?

3. If you are a covered entity, how do you make clear to individuals their right to receive an accounting of disclosures? How many requests for an accounting have you received from individuals?

4. For individuals that have received an accounting of disclosures, did the accounting provide the individual with the information he or she was seeking? Are you aware of how individuals use this information once obtained?

5. With respect to treatment, payment, and health care operations disclosures, 45 CFR 170.210(e) currently provides the standard that an electronic health record system record the date, time, patient identification, user identification, and a description of the disclosure. In response to its interim final rule, the Office of the National Coordinator for Health Information Technology received comments on this standard and the corresponding certification criterion suggesting that the standard also include to whom a disclosure was made (i.e., recipient) and the reason or purpose for the disclosure. Should an accounting for treatment, payment, and health care operations disclosures include these or other elements and, if so, why? How important is it to individuals to know the specific purpose of a disclosure—i.e., would it be sufficient to describe the purpose generally (e.g., for “for treatment,” “for payment,” or “for health care operations purposes”), or is more detail necessary for the accounting to be of value? To what extent are individuals familiar with the different activities that may constitute “health care operations?” On what do you base this assessment?

6. For existing electronic health record systems:

(a) Is the system able to distinguish between “uses” and “disclosures” as those terms are defined under the HIPAA Privacy Rule? Note that the term “disclosure” includes the sharing of information between a hospital and physicians who are on the hospital's medical staff but who are not members of its workforce.

(b) If the system is limited to only recording access to information without regard to whether it is a use or disclosure, such as certain audit logs, what information is recorded? How long is such information retained? What would be the burden to retain the information for three years?

(c) If the system is able to distinguish between uses and disclosures of information, what data elements are automatically collected by the system for disclosures (i.e., collected without requiring any additional manual input by the person making the disclosure)? What information, if any, is manually entered by the person making the disclosure?

(d) If the system is able to distinguish between uses and disclosures of information, does it record a description of disclosures in a standardized manner (for example, does the system offer or require a user to select from a limited list of types of disclosures)? If yes, is Start Printed Page 23216such a feature being utilized and what are its benefits and drawbacks?

(e) Is there a single, centralized electronic health record system? Or is it a decentralized system (e.g., different departments maintain different electronic health record systems and an accounting of disclosures for treatment, payment, and health care operations would need to be tracked for each system)?

(f) Does the system automatically generate an accounting for disclosures under the current HIPAA Privacy Rule (i.e., does the system account for disclosures other than to carry out treatment, payment, and health care operations)?

i. If yes, what would be the additional burden to also account for disclosures to carry out treatment, payment, and health care operations? Would there be additional hardware requirements (e.g., to store such accounting information)? Would such an accounting feature impact system performance?

ii. If not, is there a different automated system for accounting for disclosures, and does it interface with the electronic health record system?

7. The HITECH Act provides that a covered entity that has acquired an electronic health record after January 1, 2009 must comply with the new accounting requirement beginning January 1, 2011 (or anytime after that date when it acquires an electronic health record), unless we extend this compliance deadline to no later than 2013. Will covered entities be able to begin accounting for disclosures through an electronic health record to carry out treatment, payment, and health care operations by January 1, 2011? If not, how much time would it take vendors of electronic health record systems to design and implement such a feature? Once such a feature is available, how much time would it take for a covered entity to install an updated electronic health record system with this feature?

8. What is the feasibility of an electronic health record module that is exclusively dedicated to accounting for disclosures (both disclosures that must be tracked for the purpose of accounting under the current HIPAA Privacy Rule and disclosures to carry out treatment, payment, and health care operations)? Would such a module work with covered entities that maintain decentralized electronic health record systems?

9. Is there any other information that would be helpful to the Department regarding accounting for disclosures through an electronic health record to carry out treatment, payment, and health care operations?

Start Signature

Dated: April 26, 2010.

Georgina Verdugo,

Director, Office for Civil Rights.

End Signature End Supplemental Information

Footnotes

1.  The core health care activities of “Treatment,” “Payment,” and “Health Care Operations” are defined in the Privacy Rule at 45 CFR 164.501.

Back to Citation

[FR Doc. 2010-10054 Filed 4-30-10; 8:45 am]

BILLING CODE 4153-01-P