Patients would have the right to request and receive a record of who accessed and viewed their electronic protected health information in a proposed change to the Health Insurance Portability and Affordability Act's Privacy Rule.
Under HIPAA, healthcare organizations are already required to track access to patient data contained in electronic records, but they're not required to disclose this access information to patients. The proposed rule change, part of the Department of Health and Human Services' implementation of the 2009 HITECH Act, "represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard health information," says HHS Office of Civil Rights Director Georgina Verdugo in a press release.
The proposal, currently up for public comment, would give patients the right to 2 types of information:
an "access report," which would tell them who has accessed their protected health information "for purposes of treatment, payment and health care operations" in general, but would not divulge the specific purposes for each person's access; and
an "accounting of disclosures" that would provide more detailed information about disclosures "most likely to impact the individual," such as disclosures to law enforcement or legal authorities, as well as the purposes of such disclosures.
If the rule takes effect as written, healthcare organizations would have to update the HIPAA privacy notices they give to patients, beginning Jan. 1, 2013, to inform them of these rights and of how to request access reports, according to Medscape Medical News, which quotes an anonymous HHS spokesperson.
"The changes being proposed will impact physicians," says the spokesperson. "We strongly encourage them to read the rule in the Federal Register and give us their feedback during the comment period. We want to hear from small and mid-sized providers on what they expect the impact will be on their practices."
HHS notes that "only a small minority of individuals" tend to exercise their right to an accounting of protected health information disclosures and that healthcare organizations are already required to log all the information that would be contained in an access report, so "there should be minimal, if any, changes to existing information systems." The proposal also shortens the length of time for which providers must account for disclosures from 6 years to 3 years.
The agency is accepting public comments on the proposal through Aug. 1, 2011.
Irene Tsikitas