HIPAA Privacy: PHI Disclosure Accounting (Changes) and Access Report (New)

Transcription

1 Issue HIPAA Privacy: PHI Disclosure Accounting (Changes) and Access Report (New) The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) issued new proposed privacy regulations on May 31, The purpose of the newly proposed regulations is to implement the HIPAA privacy changes made by the Health Information Technology for Economic and Clinical Health Act (HITECH). The proposed regulations make several significant changes to the current accounting of disclosure requirements and add a new right for individuals to receive a report showing who has accessed their electronic protected health information. Comments on the proposed regulations may be submitted to OCR no later than August 1, This Technical Bulletin focuses on the potential impact of these new regulations on employer-sponsored health plans. Accounting of Disclosures of PHI Covered entities such as employer-sponsored health plans have been required to provide an accounting of certain disclosures of protected health information (PHI) since HIPAA privacy rules became effective in 2003 (2004 for small employers). Business associates are required to provide information about their disclosures to covered entities for inclusion in any required accounting. Prior to the passage of HITECH in 2009, covered entities were not required to provide an accounting of disclosures of PHI that were for treatment, payment or health care operations. HITECH eliminated this exception for any disclosures of PHI for treatment, payment and health care operations where the disclosure is made through an Electronic Health Record (EHR). An Electronic Health Record (EHR) is defined as an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. Current Regulations on the Accounting of Disclosures of PHI Regulations currently require an accounting of disclosures of PHI both electronic and paper -- using a general requirement to provide the accounting for all disclosures of PHI with a list of exceptions. The exceptions listed in the current regulations are disclosures: To carry out treatment, payment or health care operations; To individuals about their own PHI; That are incident to an otherwise permitted use or disclosure; That are pursuant to an authorization; To persons involved in a patient s care or for other notification purposes; 2011 Gallagher Benefit Services, Inc.

2 For specific national security or intelligence purposes; To correctional institutions or law enforcement when the disclosure is permitted without authorization; and As part of a limited data set. The accounting of PHI disclosures must include the following information: The date of the disclosure; The name of the person or entity who received the PHI, including the address if known; A brief description of the type of PHI disclosed; and A brief description of the purpose of the disclosure. The covered entity is required to provide the accounting. If the disclosure involves a business associate, the business associate is required to provide the necessary information to the covered entity which the covered entity would include in the accounting. The covered entity may require an individual to request an accounting in writing, but only if the individual is advised of this requirement. The accounting is for a 6-year time period, however, the individual may specify a shorter time period. The covered entity has 60 days after receipt of the request to provide the accounting. The covered entity may extend this initial time period by 30 days, if necessary, as long as the individual is notified of the reason for the delay during the initial 60-day period and given the date on which the accounting will be provided. There is a temporary delay for reporting about disclosures to law enforcement (or a health oversight agency) where a law enforcement (or health oversight agency) official states that the disclosure would be reasonably likely to impede the agency s activities. The individual is entitled to receive one accounting in a given 12-month time period at no cost. The individual must be notified if there will be a charge for additional accountings during the 12-month period. A covered entity may charge for additional disclosures during this 12-month period, but only if: (1) the charge is reasonable and cost-based, (2) the individual is notified of the amount to be charged, and (3) the individual is given an opportunity to withdraw or modify the request to reduce or eliminate the charge. Covered entities are required to retain written documentation of the information required to be in the accounting, a copy of the written accounting that is provided to the individual, and the title of the person (or office) responsible for receiving and processing requests for accounting. Documentation must be maintained for six years. Proposed Regulations on Accounting of Disclosures of PHI The proposed regulations would make seven significant changes to the current accounting of disclosures requirements. First, the proposed regulations list the required disclosures rather than the exceptions. The proposed regulations contain the following list of disclosures that would be required in an accounting: 1. Disclosures not permitted by HIPAA privacy rules unless the individual has received a notification of the impermissible disclosure (e.g., the covered entity has sent a breach notification); 2. For public health activities, except to report child abuse or neglect; 3. For judicial and administrative proceedings; 4. For law enforcement purposes; 5. To avert a serious threat to health or safety; Page 2 Issue

3 6. For military and veterans activities, the Department of State s medical suitability determinations, and government programs providing public benefits; and 7. For workers compensation. A covered entity is not required to account for disclosures required by law except for disclosures under (3) judicial and administrative proceedings or (4) law enforcement purposes. Covered entities would still be able to exclude certain disclosures from the accounting such as those incidental to a permitted use or disclosure, pursuant to an authorization, or as part of a limited data set. OCR is considering additional exceptions such as reports about adult abuse and disclosures about decedents to funeral directors and has requested comments. Second, HITECH eliminated the exception for disclosures to carry out treatment, payment and health care operations where the disclosure of PHI is through an Electronic Health Record (EHR). The proposed regulations would modify this to limit the accounting to PHI that is contained in a designated record set (defined below) held by the covered entity (or business associate). Currently the covered entity is required to provide the accounting regardless of the location of the PHI. Designated Record Set means: a group of records maintained by, or for, a covered entity that is: the medical and billing records about individuals maintained by, or for, a covered health care provider; enrollment, payment, claims adjudication, and case or medical management record systems maintained by, or for, a health plan; or used in whole or in part, by or for the covered entity to make decisions about individuals. For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity. Third, under the proposed regulations, the covered entity would have the option to provide an accounting of only its own disclosures accompanied by the name and contact information for its business associate. The business associate must then provide any required accounting of their disclosures of PHI directly to the individual. The covered entity would still be permitted to provide both accountings its own and the business associate s disclosures. Fourth, the proposed regulations would make modest changes to the required contents. The proposed modifications are: The disclosure date could be limited to the month and year. Alternatively, the accounting could use a description of when the disclosure occurred if the individual can readily determine the month and year from the description (e.g., within 15 days after an inpatient discharge). For multiple disclosures for the same purpose to the same person or entity, the covered entity could use the beginning and ending disclosure dates with information on the number or frequency of the disclosures. The name of the person or entity who received the PHI, including the address if known, would be required. However, the covered entity could use a description such as another enrollee or another patient where the name and address of the recipient is itself PHI. The covered entity could provide a copy of the written request for the disclosure in lieu of a description of the disclosure. Page 3 Issue

4 Fifth, the individual would also be permitted to restrict the accounting to a specific time frame, a specific recipient, or a type of disclosure (e.g., a disclosure for judicial proceedings). One helpful change in the regulations would be a reduction in the maximum time period from six years to three years. Sixth, the proposed regulations would reduce the time frame for providing the accounting from 60 days to 30 days (the 30-day extension and law enforcement delay rules would still apply.). Seventh, the covered entity would be required to provide the individual with an accounting in the form or format requested if it is readily producible in that form or format. An example included in the preamble is a request for an accounting in a PDF or specific word processor format. Covered entities would be encouraged, but not required, to provide the accounting in an electronic format. (Note: the covered entity must take reasonable and appropriate safeguards when delivering the accounting regardless of the format used. For example, the covered entity could encrypt or use password protection when providing an electronic accounting.) PHI Access Report New Requirement Currently, an individual has the right to an accounting of disclosures of PHI and notification in the event of a breach in unsecured PHI. The individual does not currently have the right to find out who has accessed his PHI. Under the proposed regulations the individual would gain the right to receive a report showing who accessed his PHI. This new proposed right to an access report would: Apply to all electronic PHI in any designated record set. It would not be limited to information maintained in an Electronic Health Record (EHR). It would not, however, apply to PHI maintained in paper format. Include both uses (e.g., access by a member of the covered entity s workforce) and disclosures (e.g., access by a business associate). The accounting requirement only applies to disclosures. Include uses and disclosure for treatment, payment and health care operations including information not contained in an EHR. Because the right to an access report would apply to all PHI in electronic format rather than just PHI in an EHR, covered entities that do not use EHRs would still be required to provide an access report upon request. OCR believes this would improve transparency and facilitate compliance and points out that existing HIPAA security rules require covered entities (and business associates) to capture this information in system-generated access logs. The covered entity would have the obligation to provide the required access report. Business associates would be required to provide information about access to PHI in their designated record set(s) to the covered entity. Unlike the proposed regulations for an accounting of disclosures, the covered entity would not have the option to provide its own access report accompanied by contact information for its business associate. Content and Format of the Access Report The access report would be required to contain significantly less information than an accounting of disclosures. The information that would be required in an access report is: Date of access; Time of access; Name of the person accessing the information, if available, otherwise the name of the entity; Description of what information was accessed (if available); and A description of the user s action e.g., create, modify, access or delete. Page 4 Issue

5 Information such as the address of the person accessing the information or the purpose of the access would not be required. The covered entity would be required to provide information for up to three years prior to the date on which the access report is requested. The individual would be given an option to limit the access report to a specific date, time period shorter than three years, or specific person. The covered entity could, but would not be required to, permit the individual to limit the access report to a specific organization such as a particular business associate. The report must be provided in a format that is understandable to the individual. The report must also be provided in the electronic format requested by the individual if it is readily producible in that format. If it is not readily producible in the requested format, the covered entity would be permitted to provide the report in a different electronic format that is acceptable to the individual or in a readable hard copy form. The covered entity must provide a readable hard copy report if requested. OCR provided one example of a readable format and one of an unreadable format and listed several common software formats -- text in PDF format, MS Word or Excel, and HTML in the preamble to the regulations. Information such as JOHNANDREW3 is an example of an unreadable format. Following is OCR s example of a readable format: Date Time Name Action 10/10/ :30 p.m. John, Andrew Viewed Cost and Timing for Access Reports Similar to the accounting of disclosures, the covered entity would be permitted to require the individual to request an access report in writing as long the individual is advised of the requirement. An individual would be able to receive one free access report in a given 12-month time period. The individual must be notified if there would be a charge for additional accountings during the 12-month period. A covered entity would be permitted to charge for subsequent reports during the 12-month period as long as: (1) the charge is reasonable and cost-based, (2) the individual is notified of the amount that will be charged, and (3) the individual is given an opportunity to withdraw or modify the request to reduce or eliminate the charge. The timing requirements for access reports would the same as for the accounting of disclosures i.e., 30 days with a one-time extension provided subject to same notice requirements (written notice of the delay within the initial 30-day time period and the expected delivery date). Documentation of Access Reports The covered entity would be required to retain the information needed for an access report for three years from the date of the use or disclosure. The covered entity would also be required to retain a copy of any access reports provided for three years and maintain documentation of the titles of person (or office ) responsible for receiving and processing requests for access reports. Finally, OCR proposed revising the content requirements for the Notice of Privacy Practices to add a statement describing an individual s right to receive an access report. However, covered entities would not be required to modify their Notice of Privacy Practices until the new regulations become effective. Effective Dates OCR proposes separate compliance dates for the changes in the accounting of disclosures requirements and the new right to receive an access report. Page 5 Issue

6 For the changes in the requirements for the accounting of disclosures, the proposed regulations would use a compliance date no later than 180 days after the effective date of the final rule. Since the effective date of the final rule would be 60 days after it is published in the Federal Register, covered entities and business associates would have 240 days after publication of the final rule to comply. (Note: the current regulations are proposed with a comment period ending on August 1, Final regulations are expected sometime after OCR has had an opportunity to consider the comments received.) OCR proposes requiring covered entities and business associates to provide an access report upon request beginning on January 1, 2013 for any electronic designated record set systems that were acquired after January 1, For covered entities and business associates that acquired an electronic designated record set system on or before January 1, 2009, OCR proposes an effective date of January 1, Impact on Employer-Sponsored Health Plans The impact of the proposed changes in the requirements for the accounting of disclosures will be significantly greater where the employer-sponsored health plan maintains PHI in Electronic Health Records (EHRs). The new proposed right to an access report would affect all employer-sponsored health plans. Accounting of Disclosures Changes The changes in the requirement for accounting of disclosures of PHI would have a modest impact on many employer-sponsored health plans. For employers that do not disclose information through an EHR, the major changes would be: The accounting and documentation time frame would be reduced from six years to three years; Required accountings would be required within 30 days rather than 60 days; The covered entity would be permitted to limit the covered entity s accounting to its own disclosures as long as it also provides contact information on its business associates (who would be required to provide their own accounting separately); and The accounting would be restricted based on a specific recipient or type of disclosure if requested by the individual. Employers whose health plans disclose information through an EHR would be required to make these changes and would also be required to provide an accounting of disclosures for treatment, payment or operations made through an EHR. Employers will want to discuss with each of their business associates who the covered entity or the business associate - would be expected to provide accountings for the business associate s disclosures. If the business associate is to provide its own accountings, the employer will want to obtain appropriate contact information from the business associate and determine if there is any cost impact. Employers that expect to provide all of the required accountings will want to ensure that their business associates will provide the needed information on a timely basis (and if determine there is any cost impact). New PHI Access Report The most significant proposed change is the new requirement for a report to individuals about who has accessed their PHI that is maintained in an electronic designated record set. The access report is: (1) not limited to information disclosed through an EHR, (2) required for both uses and disclosures, and (3) required for treatment, payment and health care operations. An access report is not required for information maintained in a paper format. Page 6 Issue

7 With respect to action steps, first employers will want to review their current electronic record keeping systems to identify their designated record sets and determine the date on which the system was acquired. With that information HR will want to obtain assistance from the IT department to ensure that the appropriate information is being captured and retained by the system and that the system will be able to generate access reports in compliance with the content, format and timing requirements by the applicable effective date (January 1, 2013 or January 1, 2014). Next, employers will want to determine which of their business associates maintain information electronically in designated record sets. Employers will need to discuss the proposed requirements with business associates (e.g., a third-party claim administrator) that maintain information in any electronic designated record set to ensure that the business associate is maintaining the needed data and can provide the information required on a timely basis in an acceptable format - along with cost impact, if any. What s Next? In developing this guidance, OCR also considered giving an individual the right to receive a full accounting of disclosures for treatment, payment and health care operations through an EHR when such disclosures are made through electronic health information exchange (i.e., disclosures that originate from an EHR that are received by another electronic system.) For example, this proposed right would have required a full accounting when a covered entity (or business associate) transmitted some or all of an EHR to another electronic system such as another covered entity s EHR, a pharmacy, laboratory or health plan. This would have included a health information exchange when the disclosure is in response to a query as well as an exchange that is initiated by the disclosing covered entity. OCR decided not include this requirement because it believes that the requirement would be overly burdensome compared to the benefit to the individual. However, OCR expects to revisit this issue in the future and may issue additional guidance at that time. Gallagher Benefit Services will continue to monitor developments and provide you with updated information as it becomes available. The intent of this Technical Bulletin is to provide general information on employee benefit issues. It should not be construed as legal advice and, as with any interpretation of law or regulations; plan sponsors should seek proper legal advice for application of these rules to their plans 2011Gallagher Benefit Services, Inc. Page 7 Issue