AAMC Contact: Ivy Baer Accounting for Disclosures Under HIPAA Proposed Rule: 76 Federal Register 31426, May 31, 2011

Proposed rule implements § 13405(c) of the Health Information Technology for Economic an Clinical Health (HITECH) Act Creates 2 separate rights: 1.Accounting for disclosures is extended to electronic health records 2.Access report Two Separate Rights 2

30 days to respond to request (30 day extension possible) Accounting goes back 3 years; must retain copy of the accounting for 6 years Applies to protected health information in a designated record set— hard copy or electronic—of a covered entity or business associate Limited to the following disclosures: breaches (unless individual already notified); public health activities (except for child abuse or neglect); judicial and administrative hearings; law enforcement purposes; to avert a serious threat to public health or safety; for military and veterans activities, Department of State’s medical suitability determinations, and government programs providing public benefit; and for workers’ compensation 1. Accounting for Disclosures 3

Currently, there is an exemption for disclosure for research purposes (45 § (i)) Proposal is to retain this exemption Research Exemption 4

What’s in the access report? Covers disclosures and uses of information, including uses by the workforce and business associates Applies to all electronic protected health information about an individual in any designated record set! There is no exemption for research Comment: The government believes this will not be overly burdensome because the HIPAA Security Rule already requires that logs of access to electronic PHI be maintained 2. Access Report 5

Proposal: If you have multiple systems that each maintains a separate access log, “our expectation is that data from each access log will be gathered and aggregated to generate a single access report (including data from business associates’ systems)” that is understandable to the individual Definition of access log: the raw data that an electronic system containing PHI collects each time a user accesses information Access Report Cover All Logs 6

Name of person accessing, if available Date and time of access Description of what information was accessed, if available Comments requested on: availability of this information in current access logs, importance of the information to individuals, potential administrative burden of requiring that access reports include description of information that was accessed Description of action taken by user of the information (created, modified, deleted, or just accessed record) For Inclusion in Access Report 7

Accounting for disclosures: Effective 60 days after publication 240 days after publication to comply Access report: For any electronic designated record set systems acquired after January 1, 2009: must produce a report starting January 1, 2013 For any electronic designated record set systems acquired before January 1, 2009: must produce a report starting January 1, 2014 Important Dates 8

Please contact Ivy Baer, if you have questions, concerns, or are willing to share information to be included in the AAMC comment letter in de- identified form, regarding issues such The difficulty of converting Security Rule Access Logs into information that will be understandable to a patient, focusing on cost and time. Other concerns, such as revealing the name of employees to patients For AAMC’s Comment Letter 9

If you send your own letter: Comments are due August 1, 2011 Submit to: Use RIN 0991-AB62 to identify your comments Please send a copy to: If you want to comment 10