Prior to the Health Information Technology for Economic and Clinical Health (HITECH) Act becoming law, the HIPAA Privacy Rule required covered entities to provide individuals with an accounting of certain disclosures of their protected health information (PHI). HITECH enhances these accounting rules and requires that individuals be able to know who has accessed their electronic PHI. The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is proposing changes to the Privacy Rule to implement these new requirements and is seeking comments from the public to help shape the law so as to provide the greatest transparency for individuals with respect to access to and disclosures of their PHI, while minimizing the burden on covered entities and business associates. Remember, under HITECH, business associate are subject to nearly all of the requirements under the HIPAA Privacy and Security Rules as covered entities. The discussion below touches on some of the key proposals.

HHS’ Notice of Proposed Rulemaking would enhance the rules concerning the obligation to provide an accounting of certain disclosures of PHI and fleshes out the right of individuals to get a report on who has electronically accessed their PHI. These two rights, to an accounting of disclosures and to an access report, would be distinct but complementary. The right to an access report would provide information on who has accessed electronic PHI in a designated record set (including access for purposes of treatment, payment, and health care operations), while the right to an accounting would provide additional information about the disclosure of designated record set information (whether hard-copy or electronic) to persons outside the covered entity and its business associates for certain purposes (e.g., law enforcement, judicial hearings, public health investigations). The intent of the access report is to allow individuals to learn if specific persons have accessed their electronic designated record set information.  In contrast, the intent of the accounting of disclosures is to provide more detailed information (a “full accounting”) for certain disclosures that are most likely to impact the individual.

In general, designated record sets include the medical and health care payment records maintained by or for a covered entity, and other records used by or for the covered entity to make decisions about individuals. See the definition of “designated record set” at 45 CFR § 164.501. An example of PHI that is outside the designated record set are transcripts of customer calls that are used only for purposes of customer service review, rather than to make decisions about the individual.

HHS believes the access report requirement will not present an unreasonable burden on covered entities and business associates because by limiting the access report to information maintained in an electronic designated record set, the report will include information that a covered entity is already required to collect under the HIPAA Security Rule. That is, under §§ 164.308(a)(1)(ii)(D) and 164.312(b) of the HIPAA Security Rule, a covered entity is required to record and examine activity in information systems and to regularly review records of such activity. Access reports would cover a three-year period, and would provide the individual with information about who has accessed the individual’s electronic PHI held by a covered entity or business associate. They would not distinguish between “uses” and “disclosures,” and thus, would apply when any person accesses an electronic designated record set, whether that person is a member of the workforce or a person outside the covered entity. The report would be required to identify the date, time, and name of the person (or name of the entity if the person’s name is unavailable) who accessed the information, and potentially a description of the protected health information that was accessed and the user’s action, if that information is available.

The right to an accounting of disclosures would encompass disclosures of both hard copy and electronic PHI that is maintained in a designated record set. It would cover a three-year period (down from the current six year period), and would require a covered entity and its business associates to account for the disclosures of PHI believed to be of most interest to individuals. That is, the proposed rule explicitly lists the types of disclosures that are subject to the accounting requirement, rather than the previous approach of listing the types of disclosures for which an accounting was not required. In general, the proposed rule would continue to include in the accounting requirement, without limitation, disclosures for public health activities (except those involving reports of child abuse or neglect), for judicial and administrative proceedings, for law enforcement activities, to avert a serious threat to health or safety, for military and veterans activities, for the Department of State’s medical suitability determinations, to government programs providing public benefits, and for workers’ compensation.  Also, covered entities will continue to be required to account for disclosures that are impermissible under the Privacy Rule, even if those disclosures did not amount to a "breach" under the Breach Notification Rule at § 164.404.

While the proposed rules referenced above may vary when made final, they will require covered entities to re-examine their current practices to comply with the new rules. In addition, covered entities and business associates may need to make modifications to business associate agreements (as well as agreements with subcontractors and other vendors).  The Notice of Privacy Practices also will require modification to explain to individuals these new and modified rights concerning their PHI.

In regard to when action is needed, the rules propose that covered entities (including small health plans) and business associates comply with the modifications to the accounting of disclosures requirement beginning 180 days after the effective date of the final regulation (240 days after publication). As for the right to an access report, the rules propose that covered entities and business associates be prepared to make this available beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic designated record set systems acquired as of January 1, 2009.

Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP)…

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coached hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds – PHI, PII, payment card, etc.
  • Helping organizations address questions about the application, implementation, and overall compliance with European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients in the use of biometrics including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical “best practice” risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a “bring your own device” (BYOD) or “company owned personally enabled device” (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees
  • Supports organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies including the HHS Office of Civil Rights, Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • As part of the Firm’s Health Care Reform Team, he advises employers and plan sponsors regarding the establishment, administration and operation of fully insured and self-funded health and welfare plans to comply with ERISA, IRC, ACA/PPACA, HIPAA, COBRA, ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counsels plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assists in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advises plan sponsors concerning employee benefit plan operation, administration and correcting errors in operation.

Joe speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy, and Data Security Law Journal.

Joe served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.