Proposed Rule Gives Patients Right to Know Who Viewed Records
As required by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, covered entities must make available, upon request, an accounting of certain disclosures of the individual’s protected health information (PHI) made during the six years prior to the request. Under a proposed rule change, patients could also request and receive an “access report” that accounts for who accessed and viewed their electronic PHI.
The proposed rule, released by the U.S. Department of Health and Human Services (HHS) in the May 31 Federal Register, explains:
“The right to an access report would provide information on who has accessed electronic protected health information in a designated record set (including access for purposes of treatment, payment, and health care operations) … The intent of the access report is to allow individuals to learn if specific persons have accessed their electronic designated record set information (it will not provide information about the purposes of the person’s access).”
As noted in an HHS press release announcing the proposed rule, covered entities are already required by the HIPAA Security Rule to track access to electronic PHI, but are not required to share this information with patients.
Under the current rule, a disclosure is defined as “the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.” For each disclosure, the accounting must include:
- the date of the disclosure;
- the name (and address, if known) of the entity or person who received the PHI;
- a brief description of the information disclosed; and
- a brief statement of the purpose of the disclosure (or a copy of the written request for the disclosure).
For multiple disclosures to the same person for the same purpose, the accounting requires only:
- for the first disclosure, a full accounting, with the elements described above;
- the frequency, periodicity, or number of disclosures made during the accounting period; and
- the date of the last such disclosure made during the accounting period.
The proposed rule shortens the period that providers' accounting of disclosures must cover from six years to three.
If the rule takes effect as written, covered entities and business associates would have to provide individuals with access reports beginning Jan. 1, 2013, for electronic designated record set systems acquired after Jan. 1, 2009, and beginning Jan. 1, 2014, for electronic designated record set systems acquired as of Jan. 1, 2009. HHS is taking public comments on the proposed rule through Aug. 1, 2011.