[Federal Register Volume 75, Number 84 (Monday, May 3, 2010)]
[Proposed Rules]
[Pages 23214-23216]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-10054]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN 0991-AB62
HIPAA Privacy Rule Accounting of Disclosures Under the Health
Information Technology for Economic and Clinical Health Act; Request
for Information
AGENCY: Office for Civil Rights, Department of Health and Human
Services.
ACTION: Request for information.
-----------------------------------------------------------------------
SUMMARY: Section 13405(c) of the Health Information Technology for
Economic and Clinical Health (HITECH) Act expands an individual's right
under the Health Insurance Portability and Accountability Act of 1996
(HIPAA) Privacy Rule to receive an accounting of disclosures of
protected health information made by HIPAA covered entities and their
business associates. In particular, section 13405(c) of the HITECH Act
requires the Department of Health and Human Services (``Department'' or
``HHS'') to revise the HIPAA Privacy Rule to require covered entities
to account for disclosures of protected health information to carry out
treatment, payment, and health care operations if such disclosures are
through an electronic health record. This document is a request for
information (RFI) to help us better understand the interests of
individuals with respect to learning of such disclosures, the
administrative burden on covered entities and business associates of
accounting for such disclosures, and other information that may inform
the Department's rulemaking in this area.
DATES: Submit comments on or before May 18, 2010.
ADDRESSES: Written comments may be submitted through any of the methods
specified below. Please do not submit duplicate comments.
Federal eRulemaking Portal: You may submit electronic
comments at http://www.regulations.gov. Follow the instructions for
submitting electronic comments. Attachments should be in Microsoft
Word, WordPerfect, or Excel; however, we prefer Microsoft Word.
Regular, Express, or Overnight Mail: You may mail written
comments (one original and two copies) to the following address only:
U.S. Department of Health and Human Services, Office for Civil Rights,
Attention: HITECH Accounting of Disclosures, Hubert H. Humphrey
Building, Room 509F, 200 Independence Avenue, SW., Washington, DC
20201.
Hand Delivery or Courier: If you prefer, you may deliver
(by hand or courier) your written comments (one original and two
copies) to the following address only: Office for Civil Rights,
Attention: HITECH Accounting of Disclosures, Hubert H. Humphrey
Building, Room 509F, 200 Independence Avenue, SW., Washington, DC
20201. (Because access to the interior of the Hubert H. Humphrey
Building is not readily available to persons without Federal government
identification, commenters are encouraged to leave their comments
in the mail drop slots located in the main lobby of the building.)
Inspection of Public Comments: All comments received before the
close of the comment period will be available for public inspection,
including any personally identifiable or confidential business
information that is included in a comment. We will post all comments
received before the close of the comment period at http://www.regulations.gov. Because comments will be made public, they should
not include any sensitive personal information, such as a person's
social security number; date of birth; driver's license number, state
identification number or foreign country equivalent; passport number;
financial account number; or credit or debit card number. Comments also
should not include any sensitive health information, such as medical
records or other individually identifiable health information, or any
non-public corporate or trade association information, such as trade
secrets or other proprietary information.
FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202-205-2292.
SUPPLEMENTARY INFORMATION:
I. Background
Covered entities under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA), Title II, Subtitle F--
Administrative Simplification, Public Law 104-191, 110 Stat. 2021, are
currently required by the HIPAA Privacy Rule at 45 CFR 164.528 to make
available to an individual upon request an accounting of certain
disclosures of the individual's protected health information over the
past six years. For each disclosure, the accounting must include: (1)
The date of the disclosure; (2) the name (and address, if known) of the
entity or person who received the protected health information; (3) a
brief description of the information disclosed; and (4) a brief
statement of the purpose of the disclosure (or a copy of the written
request for the disclosure). For multiple disclosures to the same
person for the same purpose, the accounting is only required to
include: (1) For the first disclosure, a full accounting, with the
elements described above; (2) the frequency, periodicity, or number of
disclosures made during the accounting period; and (3) the date of the
last such disclosure made during the accounting period. Section
164.528(a)(1)(i) of the Privacy Rule currently exempts disclosures to
carry out treatment, payment, and health care operations from these
accounting requirements.\1\
---------------------------------------------------------------------------
\1\ The core health care activities of ``Treatment,''
``Payment,'' and ``Health Care Operations'' are defined in the
Privacy Rule at 45 CFR 164.501.
---------------------------------------------------------------------------
Section 13405(c) of the Health Information Technology for Economic
and Clinical Health (HITECH) Act, Public Law 111-5, 123 Stat. 265-66,
provides that the exemption at Sec. 164.528(a)(1)(i) of the Privacy
Rule for disclosures to carry out treatment, payment, and health care
operations no longer applies to disclosures ``through an electronic
health record.'' Under section 13405(c), an individual has a right to
receive an accounting of such disclosures that covers disclosures made
during the three years prior to the request. Section 13400 of the
statute defines ``electronic health record'' as ``an electronic record
of health-related information on an individual that is created,
gathered, managed, and consulted by authorized health care clinicians
and staff.'' We take the opportunity in this RFI to request public
comment to inform our regulations under the HITECH Act, which requires
that we take into account both the interests of individuals in learning
the circumstances under which their protected health information is
being disclosed and the administrative burden of accounting for
disclosures for treatment, payment, and health care operations through
an electronic health record.
We request comments specifically on the questions below. The
Department welcomes comments from all stakeholders on these issues, but
in addition to hearing from covered entities, is particularly
interested in hearing from individuals, consumer advocates and groups,
and, regarding technical capabilities, from vendors of electronic
health record systems.
II. Questions
1. What are the benefits to the individual of an accounting of
disclosures, particularly of disclosures made for treatment, payment,
and health care operations purposes?
2. Are individuals aware of their current right to receive an
accounting of disclosures? On what do you base this assessment?
3. If you are a covered entity, how do you make clear to
individuals their right to receive an accounting of disclosures? How
many requests for an accounting have you received from individuals?
4. For individuals that have received an accounting of disclosures,
did the accounting provide the individual with the information he or
she was seeking? Are you aware of how individuals use this information
once obtained?
5. With respect to treatment, payment, and health care operations
disclosures, 45 CFR 170.210(e) currently provides the standard that an
electronic health record system record the date, time, patient
identification, user identification, and a description of the
disclosure. In response to its interim final rule, the Office of the
National Coordinator for Health Information Technology received
comments on this standard and the corresponding certification criterion
suggesting that the standard also include to whom a disclosure was made
(i.e., recipient) and the reason or purpose for the disclosure. Should
an accounting for treatment, payment, and health care operations
disclosures include these or other elements and, if so, why? How
important is it to individuals to know the specific purpose of a
disclosure--i.e., would it be sufficient to describe the purpose
generally (e.g., ``for treatment,'' ``for payment,'' or ``for
health care operations purposes''), or is more detail necessary for the
accounting to be of value? To what extent are individuals familiar with
the different activities that may constitute ``health care
operations?'' On what do you base this assessment?
6. For existing electronic health record systems:
(a) Is the system able to distinguish between ``uses'' and
``disclosures'' as those terms are defined under the HIPAA Privacy
Rule? Note that the term ``disclosure'' includes the sharing of
information between a hospital and physicians who are on the hospital's
medical staff but who are not members of its workforce.
(b) If the system is limited to only recording access to
information without regard to whether it is a use or disclosure, such
as certain audit logs, what information is recorded? How long is such
information retained? What would be the burden to retain the
information for three years?
(c) If the system is able to distinguish between uses and
disclosures of information, what data elements are automatically
collected by the system for disclosures (i.e., collected without
requiring any additional manual input by the person making the
disclosure)? What information, if any, is manually entered by the
person making the disclosure?
(d) If the system is able to distinguish between uses and
disclosures of information, does it record a description of disclosures
in a standardized manner (for example, does the system offer or require
a user to select from a limited list of types of disclosures)? If yes,
is
such a feature being utilized and what are its benefits and drawbacks?
(e) Is there a single, centralized electronic health record system?
Or is it a decentralized system (e.g., different departments maintain
different electronic health record systems and an accounting of
disclosures for treatment, payment, and health care operations would
need to be tracked for each system)?
(f) Does the system automatically generate an accounting for
disclosures under the current HIPAA Privacy Rule (i.e., does the system
account for disclosures other than to carry out treatment, payment, and
health care operations)?
i. If yes, what would be the additional burden to also account for
disclosures to carry out treatment, payment, and health care
operations? Would there be additional hardware requirements (e.g., to
store such accounting information)? Would such an accounting feature
impact system performance?
ii. If not, is there a different automated system for accounting
for disclosures, and does it interface with the electronic health
record system?
7. The HITECH Act provides that a covered entity that has acquired
an electronic health record after January 1, 2009 must comply with the
new accounting requirement beginning January 1, 2011 (or anytime after
that date when it acquires an electronic health record), unless we
extend this compliance deadline to no later than 2013. Will covered
entities be able to begin accounting for disclosures through an
electronic health record to carry out treatment, payment, and health
care operations by January 1, 2011? If not, how much time would it take
vendors of electronic health record systems to design and implement
such a feature? Once such a feature is available, how much time would
it take for a covered entity to install an updated electronic health
record system with this feature?
8. What is the feasibility of an electronic health record module
that is exclusively dedicated to accounting for disclosures (both
disclosures that must be tracked for the purpose of accounting under
the current HIPAA Privacy Rule and disclosures to carry out treatment,
payment, and health care operations)? Would such a module work with
covered entities that maintain decentralized electronic health record
systems?
9. Is there any other information that would be helpful to the
Department regarding accounting for disclosures through an electronic
health record to carry out treatment, payment, and health care
operations?
Dated: April 26, 2010.
Georgina Verdugo,
Director, Office for Civil Rights.
[FR Doc. 2010-10054 Filed 4-30-10; 8:45 am]
BILLING CODE 4153-01-P