HIPAA Regulatory Alert
Know specifics of proposed rule
Unlike the current privacy rule, which identifies the purposes that may be omitted from disclosure accounting reports, the proposed rule published on May 31, 2011, identifies the purposes for which disclosures must be tracked and reported.
"Listing what must be included in a disclosure accounting is better because a covered entity doesn't have to make their own decision about what is intended to be included or excluded," says Kate Borten, CISSP, CISM, president of The Marblehead Group, a privacy and information security consulting firm in Marblehead, MA.
The current privacy rule states an accounting of disclosures of protected health information must include all disclosures except in the case of disclosures made for treatment, payment, and healthcare operations; to the individual; incident to a permitted use or disclosure; per an authorization; and for various public policy and other enumerated reasons, explains Gina M. Cavalier, Esq., Partner, Reed Smith in Washington, DC.
"Covered entities will only be required to account for disclosures made in seven circumstances," Cavalier says. "As a general matter, this is likely a smaller universe of disclosures for which a covered entity must account." The disclosures that must be included in a disclosure accounting are:
an impermissible purpose (unless a breach notice has been provided);
judicial and administrative proceedings;
to avert a serious threat to health or safety;
military and other government activities;
The proposed rule is also specific about what should be included in the access reports, says Cavalier. An access report must include:
the date the electronic designated record set (eDRS) was accessed;
time of access;
name of the person, if available, and if not, the name of the entity accessing the eDRS;
a description of what information was accessed, if available;
a description of the action taken by the user, if available; for example, "create," "modify," "access," or "delete."
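The list above reads as a report schema, so here is an added example (not code from the article or from any vendor the article mentions) showing how a covered entity might generate such an access report from an existing EHR audit trail. The JSON-lines audit format, the field names (`ts`, `patient_id`, `user`, `user_display`, `org`, `resource`, `action`), the sample records, and the mapping of raw audit verbs onto the rule's example actions are all constructed assumptions; the point is the "if available" fallbacks: a person's name where the system has one, the accessing entity's name where it does not, and "not available" rather than a dropped row where the description or action is missing.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample audit trail in JSON-lines form (assumption: one record per
# access event, ISO 8601 timestamps with an offset or "Z"). Not real data.
SAMPLE_AUDIT_LOG = """\
{"ts": "2011-06-01T09:15:02Z", "patient_id": "P-1001", "user": "jdoe", "user_display": "J. Doe", "org": "Mercy Clinic", "resource": "lab results", "action": "read"}
{"ts": "2011-06-01T09:20:45Z", "patient_id": "P-1001", "user": null, "org": "Billing Service LLC", "resource": "claims", "action": "modify"}
{"ts": "2011-06-02T14:03:10Z", "patient_id": "P-2002", "user": "asmith", "user_display": "A. Smith", "org": "Mercy Clinic", "resource": "problem list", "action": "update"}
{"ts": "2011-06-03T08:00:00Z", "patient_id": "P-1001", "user": "asmith", "user_display": "A. Smith", "org": "Mercy Clinic", "resource": null, "action": "delete"}
{"ts": "2011-06-03T08:05:00Z", "patient_id": "P-1001", "user": "jdoe", "user_display": "J. Doe", "org": "Mercy Clinic", "action": "print"}
"""

# Assumed mapping from raw audit verbs onto the four actions the proposed rule
# gives as examples. Unmapped verbs are reported verbatim rather than dropped,
# because the rule asks for the action taken "if available".
ACTION_MAP = {
    "read": "access", "view": "access",
    "create": "create", "insert": "create",
    "update": "modify", "write": "modify", "modify": "modify",
    "delete": "delete",
}


@dataclass
class AccessReportEntry:
    date: str         # date the eDRS was accessed
    time: str         # time of access
    who: str          # person's name if available, otherwise the accessing entity
    information: str  # description of what information was accessed, if available
    action: str       # action taken by the user, if available


def _parse_ts(s):
    # Python < 3.11 fromisoformat() does not accept a trailing "Z"; normalise it.
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_audit_log(text):
    """Parse JSON-lines audit records. Returns (records, count_of_unparsable_lines)."""
    records, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return records, bad


def to_entry(rec):
    """Turn one audit record into a report entry, applying the 'if available' fallbacks."""
    ts = _parse_ts(rec["ts"])
    # Name of the person if available; if not, the name of the entity accessing the eDRS.
    who = rec.get("user_display") or rec.get("user") or rec.get("org") or "unknown"
    info = rec.get("resource") or "not available"
    raw = (rec.get("action") or "").lower()
    action = ACTION_MAP.get(raw, raw or "not available")
    return AccessReportEntry(ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S UTC"), who, info, action)


def build_access_report(audit_text, patient_id, start=None, end=None):
    """Access report for one individual's eDRS, optionally limited to [start, end] (ISO 8601)."""
    start_ts = _parse_ts(start) if start else None
    end_ts = _parse_ts(end) if end else None
    records, _unparsable = parse_audit_log(audit_text)
    entries = []
    for rec in records:
        if rec.get("patient_id") != patient_id:
            continue
        ts = _parse_ts(rec["ts"])
        if (start_ts and ts < start_ts) or (end_ts and ts > end_ts):
            continue
        entries.append(to_entry(rec))
    entries.sort(key=lambda e: (e.date, e.time))
    return entries


def format_report(entries):
    """Render the report as one line per access, in the order the rule lists the fields."""
    return "\n".join(f"{e.date} {e.time} | {e.who} | {e.information} | {e.action}" for e in entries)


if __name__ == "__main__":
    print(format_report(build_access_report(SAMPLE_AUDIT_LOG, "P-1001")))
```

Two design points worth keeping when adapting this to a real audit trail: filter by the individual's record identifier before anything else, since an access report is per individual and must not leak other patients' entries, and keep unmapped actions and missing descriptions visible in the output so that a reviewer can see where the source system's audit trail falls short of what the report needs.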