HHS Issues Proposed Regulation Revising the PHI Disclosure Accounting Requirements under HIPAA
On May 31, 2011, the Department of Health and Human Services (“HHS”) issued a proposed regulation that changes the requirements under the Health Insurance Portability and Accountability Act (“HIPAA”) for health plans and other HIPAA covered entities to provide individuals with an accounting of disclosures of their Protected Health Information (“PHI”). Under the proposed regulation, individuals have the right to an accounting of disclosures of their PHI made by the covered entity or any of its business associates in either paper or electronic form during the three years prior to the individual’s request. Individuals also have the right to obtain an “access report” that provides them with information about who has accessed their electronic PHI. Unlike the current regulation, the proposed regulation applies only to information held in a “designated record set.” For purposes of the proposed regulation, a “designated record set” includes “the medical and health care payment records maintained by or for a covered entity, and other records used by or for the covered entity to make decisions about individuals.” The proposed regulation also eliminates an exception in the current regulation for disclosures made in connection with treatment, payment, and health plan operations. The new requirements will not be effective until 180 days after the effective date of the final rule.