The health sector is under siege with cybersecurity threats. Some of the largest announced cyber attacks in U.S. history have targeted organizations in the health industry. Regulators have...02 May 2016
HHS issues new HIPAA accounting of disclosures rule
The Department of Health and Human Services (HHS) has issued a proposed rule implementing changes to the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information. This proposed rule addresses the changes required by the HITECH Act, which requires HIPAA covered entities and business associates to account for disclosures of protected health information made through an electronic health record that are for treatment, payment, and health care operations purposes.
The proposed rule divides the accounting rights into two distinct individual rights. The first right follows the long-standing accounting of disclosure rules, modifying the existing rule to require an accounting for three years prior to an individual’s request instead of the current six years. The second provides a individuals with a new right to receive a written “access report” that describes uses and disclosures of their PHI made through an “electronic designated record set.” This new access report would include information on a covered entity’s workforce members who have accessed information and would apply to information in an electronic designated record set, not only information in an electronic health record, as required by HITECH.
The proposed rule is available today at http://www.ofr.gov/OFRUpload/OFRData/2011-13297_PI.pdfand will be published in the Federal Register on Tuesday, May 31.