HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act, 31426-31449 [2011-13297]

Agencies

• DEPARTMENT OF HEALTH AND HUMAN SERVICES
• Office of the Secretary

[Federal Register Volume 76, Number 104 (Tuesday, May 31, 2011)]
[Proposed Rules]
[Pages 31426-31449]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-13297]



[[Page 31425]]

Vol. 76

Tuesday,

No. 104

May 31, 2011

Part III





Department of Health and Human Services





-----------------------------------------------------------------------



45 CFR Part 164



HIPAA Privacy Rule Accounting of Disclosures Under the Health 
Information Technology for Economic and Clinical Health Act; Proposed 
Rule

Federal Register / Vol. 76 , No. 104 / Tuesday, May 31, 2011 / 
Proposed Rules

[[Page 31426]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Part 164

RIN 0991-AB62


HIPAA Privacy Rule Accounting of Disclosures Under the Health 
Information Technology for Economic and Clinical Health Act

AGENCY: Office for Civil Rights, Department of Health and Human 
Services.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS or ``the 
Department'') is issuing this notice of proposed rulemaking to modify 
the Health Insurance Portability and Accountability Act of 1996 (HIPAA) 
Privacy Rule's standard for accounting of disclosures of protected 
health information. The purpose of these modifications is, in part, to 
implement the statutory requirement under the Health Information 
Technology for Economic and Clinical Health Act (``the HITECH Act'' or 
``the Act'') to require covered entities and business associates to 
account for disclosures of protected health information to carry out 
treatment, payment, and health care operations if such disclosures are 
through an electronic health record. Pursuant to both the HITECH Act 
and its more general authority under HIPAA, the Department proposes to 
expand the accounting provision to provide individuals with the right 
to receive an access report indicating who has accessed electronic 
protected health information in a designated record set. Under its more 
general authority under HIPAA, the Department also proposes changes to 
the existing accounting requirements to improve their workability and 
effectiveness.

DATES: Submit comments on or before August 1, 2011.

ADDRESSES: You may submit comments, identified by RIN 0991-AB62, by any 
of the following methods (please do not submit duplicate comments):
     Federal eRulemaking Portal:https://www.regulations.gov. 
Follow the instructions for submitting comments. Attachments should be 
in Microsoft Word, WordPerfect, or Excel; however, we prefer Microsoft 
Word.
     Regular, Express, or Overnight Mail: U.S. Department of 
Health and Human Services, Office for Civil Rights, Attention: HIPAA 
Privacy Rule Accounting of Disclosures, Hubert H. Humphrey Building, 
Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Please 
submit one original and two copies.
     Hand Delivery or Courier: Office for Civil Rights, 
Attention: HIPAA Privacy Rule Accounting of Disclosures, Hubert H. 
Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, 
DC 20201. Please submit one original and two copies. (Because access to 
the interior of the Hubert H. Humphrey Building is not readily 
available to persons without Federal government identification, 
commenters are encouraged to leave their comments in the mail drop 
slots located in the main lobby of the building.)
    Inspection of Public Comments: All comments received before the 
close of the comment period will be available for public inspection, 
including any personally identifiable or confidential business 
information that is included in a comment. We will post all comments 
received before the close of the comment period at https://www.regulations.gov. Because comments will be made public, they should 
not include any sensitive personal information, such as a person's 
social security number; date of birth; driver's license number, state 
identification number or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. Comments also 
should not include any sensitive health information, such as medical 
records or other individually identifiable health information, or any 
non-public corporate or trade association information, such as trade 
secrets or other proprietary information.

FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202-205-2292.

SUPPLEMENTARY INFORMATION: 
    The discussion below includes a description of the statutory and 
regulatory background of the proposed rule, a section-by-section 
description of the proposed modifications, and the impact statement and 
other required regulatory analyses. We solicit public comment on the 
proposed rule.

I. Statutory and Regulatory Background

A. The Accounting of Disclosures Under the Current Privacy Rule

    The Health Insurance Portability and Accountability Act of 1996 
(HIPAA), title II, subtitle F--Administrative Simplification, Pubic Law 
104-191, 110 Stat. 2021, provided for the establishment of national 
standards to protect the privacy and security of personal health 
information. The Administrative Simplification provisions of HIPAA 
apply to three types of entities, which are known as ``covered 
entities'': health care providers who conduct covered health care 
transactions electronically, health plans, and health care 
clearinghouses.
    Pursuant to HIPAA, the Department promulgated the Standards for 
Privacy of Individually Identifiable Health Information, known as the 
``Privacy Rule,'' on December 28, 2000 (amended on August 14, 2002). 
See 65 FR 82462, as amended at 67 FR 53182. The Privacy Rule at 45 CFR 
164.528 requires covered entities to make available to an individual 
upon request an accounting of certain disclosures of the individual's 
protected health information made during the six years prior to the 
request. A disclosure is defined at Sec.  160.103 as ``the release, 
transfer, provision of access to, or divulging in any other manner of 
information outside the entity holding the information.''
    For each disclosure, the accounting must include: (1) The date of 
the disclosure; (2) the name (and address, if known) of the entity or 
person who received the protected health information; (3) a brief 
description of the information disclosed; and (4) a brief statement of 
the purpose of the disclosure (or a copy of the written request for the 
disclosure). For multiple disclosures to the same person for the same 
purpose, the accounting is only required to include: (1) For the first 
disclosure, a full accounting, with the elements described above; (2) 
the frequency, periodicity, or number of disclosures made during the 
accounting period; and (3) the date of the last such disclosure made 
during the accounting period.
    Section 164.528(a)(1) provides that an accounting must include all 
disclosures of protected health information, except for disclosures:
     To carry out treatment, payment and health care operations 
as provided in Sec.  164.506;
     To individuals of protected health information about them 
as provided in Sec.  164.502;
     Incident to a use or disclosure otherwise permitted or 
required by this subpart, as provided in Sec.  164.502;
     Pursuant to an authorization as provided in Sec.  164.508;
     For the facility's directory or to persons involved in the 
individual's care or other notification purposes as provided in Sec.  
164.510;
     For national security or intelligence purposes as provided 
in Sec.  164.512(k)(2);
     To correctional institutions or law enforcement officials 
as provided in Sec.  164.512(k)(5);

[[Page 31427]]

     As part of a limited data set in accordance with Sec.  
164.514(e); or
     That occurred prior to the compliance date for the covered 
entity.
    For disclosures for research in accordance with Sec.  164.512(i) 
(such as disclosures subject to an Institutional Review Board's waiver 
of authorization) involving 50 or more individuals, Sec.  164.528(b)(4) 
permits the covered entity to provide a list of research protocols 
rather than specific information about each disclosure. Accordingly, an 
individual who requests an accounting of disclosures may receive a list 
of research protocols with information about each protocol, including 
contact information, rather than specific information about disclosures 
for research.
    The current accounting provision applies to disclosures of paper 
and electronic protected health information, regardless of whether such 
information is in a designated record set. While the obligation to 
provide an individual with an accounting of disclosures falls to the 
covered entity, the accounting must include disclosures to and by its 
business associates. Business associates are required, as a term of 
their business associate agreements, to make available the information 
required for the covered entity's accounting.

B. Changes Required by the HITECH Act

    Section 13405(c) of the Health Information Technology for Economic 
and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV 
of Division B of the American Recovery and Reinvestment Act of 2009 
(ARRA) (Pub. L. 111-5), provides that the exemption at Sec.  
164.528(a)(1)(i) of the Privacy Rule for disclosures to carry out 
treatment, payment, and health care operations no longer applies to 
disclosures ``through an electronic health record.'' Section 13400 of 
the HITECH Act defines an electronic health record (``EHR'') as ``an 
electronic record of health-related information on an individual that 
is created, gathered, managed, and consulted by authorized health care 
clinicians and staff.'' Under section 13405(c), an individual has a 
right to receive an accounting of such disclosures made during the 
three years prior to the request. With respect to disclosures by 
business associates through an EHR to carry out treatment, payment, and 
health care operations on behalf of the covered entity, section 
13405(c) requires the covered entity to provide either an accounting of 
the business associates' disclosures, or a list and contact information 
of all business associates (enabling the individual to contact each 
business associate for an accounting of the business associate's 
disclosures).
    The HITECH Act, at section 13405(c), requires the Secretary to 
promulgate regulations governing what information is to be collected 
about these disclosures. The regulations ``shall only require such 
information to be collected through an electronic health record in a 
manner that takes into account the interests of the individuals in 
learning the circumstances under which their protected health 
information is being disclosed and takes into account the 
administrative burden of accounting for such disclosures.''
    Additionally, section 13101 of the HITECH Act, which adds section 
3004(b)(1) of the Public Health Service Act, requires the Secretary to 
adopt an initial set of standards, implementation specifications, and 
certification criteria for EHR technology. These standards, 
implementation specifications, and certification criteria are required 
to address the areas set forth in the newly added section 3002(b)(2)(B) 
of the Public Health Service Act, including the ``[t]echnologies that 
as a part of a qualified electronic health record allow for an 
accounting of disclosures made by a [HIPAA covered entity] for purposes 
of treatment, payment, and health care operations (as such terms are 
defined for purposes of [the HIPAA regulations].'' Section 13405(c) 
links the modifications to the HIPAA accounting requirements to the 
above standards, providing that the Secretary issue the accounting 
regulations within six months of the Secretary's adoption of the EHR 
accounting standard.
    In an interim final rule published on January 13, 2010, the HHS 
Office of the National Coordinator for Health Information Technology 
(ONC) adopted a standard and certification criterion to account for 
disclosures at 45 CFR 170.210(e) and 170.302(v), 75 FR 2014, 2044, 
2046. The standard and certification criterion provide that certified 
EHR technology have the capability to record the date, time, patient 
identification, user identification, and a description of the 
disclosure, for disclosures made for treatment, payment, and health 
care operations. ONC published a final rule on July 28, 2010, which 
retained this standard but made the certification criterion optional. 
In the final rule (75 FR 44623), ONC discussed its rationale for 
retaining the standard for accounting for treatment, payment, and 
health care operations disclosures and making the related certification 
criterion optional. Accordingly, EHR technology is not required to have 
the capability to account for treatment, payment, and health care 
operations disclosures as a condition of certification for meaningful 
use Stage 1 under the Medicare and Medicaid EHR incentive payment 
programs. The Office for Civil Rights will continue to work closely 
with ONC to ensure that the standards and certification criteria for 
certified EHR technology align with the HIPAA Privacy Rule accounting 
of disclosures requirement.
    The HITECH Act provides that the effective date of the new 
accounting requirement for HIPAA covered entities that have acquired an 
EHR after January 1, 2009, is January 1, 2011, or the date that it 
acquires an EHR, whichever is later. For covered entities that acquired 
EHRs prior to January 1, 2009, the effective date is January 1, 2014. 
The statute authorizes the Secretary to extend both of these compliance 
deadlines to no later than 2013 and 2016, respectively.

II. Request for Information

    On May 3, 2010, HHS published a request for information (RFI) 
seeking further information on individuals' interests in learning of 
disclosures, the burdens on covered entities in accounting for 
disclosures, and the capabilities of current technology. We received 
approximately 170 comments from numerous organizations representing 
health plans, health care providers, privacy advocates, and other non-
covered entities. These comments are summarized below and were 
considered when drafting this proposed rule.
    The first question in the RFI asked about the potential benefits to 
individuals from receiving an accounting of disclosures, particularly 
an accounting that included disclosures for treatment, payment, and 
health care operations. Approximately 10 respondents representing both 
consumers and covered entities endorsed the benefits of such an 
accounting in order to foster transparency and patient trust, as well 
as to discourage inappropriate behavior. Commenters pointed out that 
the use of audit trails and the right to an accounting of disclosures 
improves the detection of breaches and assists with the identification 
of weaknesses in privacy and security practices. Roughly 10 commenters 
representing covered entities agreed generally that there are potential 
benefits to transparency, but questioned whether general accountings 
would provide the type of information that individuals usually seek. 
The majority of comments, contributed mostly by covered entities, 
indicated that providing an accounting of

[[Page 31428]]

treatment, payment, and health care operations disclosures would 
provide little to no benefit to individuals (over 80 respondents), 
while incurring substantial administrative, staffing and monetary 
burdens (over 120 respondents).
    The second and third RFI questions inquired about individuals' 
awareness of their right to receive an accounting of disclosures, how 
covered entities ensure individuals are aware of their accounting 
right, and the number of accounting requests that covered entities have 
received. Most covered entities responded that individuals are aware of 
their accounting right from the notices of privacy practices covered 
entities provide to individuals. The responses indicated that almost 30 
covered entity respondents have received no requests for an accounting 
of disclosures and more than 90 covered entity respondents have 
received less than 20 requests since the Privacy Rule's 2003 compliance 
date.
    The fourth RFI question asked about individual use of and 
satisfaction with the information received in accountings of 
disclosures. Some covered entities reported receiving accounting 
requests that were prompted by concerns over a specific situation or 
person that may have accessed their records. Some covered entities also 
reported individuals withdrawing their requests for an accounting once 
they realized that inappropriate uses of protected health information 
(such as inappropriate access by a member of the workforce) would not 
be included in the accounting. Most covered entities that have received 
accounting requests were not aware of how the information was used by 
individuals or if it was useful to them. Consumer advocates were 
divided on this topic; one indicated that accountings of disclosures 
have been useful to individuals, and one related that the accountings 
have likely not been useful to individuals since the reports have 
lacked information about the treatment, payment and healthcare 
operations disclosures.
    The fifth question in the RFI asked whether an accounting for 
treatment, payment, and health care operations disclosures should 
include the following elements and, if so, why: to whom a disclosure 
was made, and the reason or purpose for the disclosure. This question 
also asked about the specificity needed regarding the purpose of a 
disclosure, and to what extent individuals are familiar with activities 
that may constitute ``health care operations.'' Regarding the recipient 
of the disclosure, approximately 60% of the comments, representing 
covered entities and industry, indicated that recipient information 
should not be included in an accounting of disclosures. In a few cases, 
concerns about employee privacy, security, and safety were cited as a 
reason not to include recipient information. On the other hand, almost 
40% of commenters, representing consumers, covered entities and 
industry, felt that information about the recipient would be vital in 
addressing individuals' concerns regarding inappropriate receipt of 
their health information.
    Over 60% of the commenters, representing covered entities and 
industry, indicated that the purpose of the disclosure should not be 
included due to the minimal benefit this information would provide to 
individuals and the significant difficulty in capturing this 
information. Since most current systems do not automatically capture 
the purpose of a disclosure, new actions would be required, resulting 
in a disruption of provider workflow. In contrast, almost 20% of 
commenters, representing consumers and covered entities, indicated that 
an accounting of disclosures would be useless to individuals without a 
description of the purpose of each disclosure. Almost one third of 
comments on this issue supported the use of general categories if a 
description of the purpose of a disclosure is required. Most 
respondents felt that individuals do not have a good understanding of 
what may constitute ``health care operations.''
    Question six of the RFI asked about the capabilities of current EHR 
systems. Almost all comments received on this topic indicated that 
current EHR systems are unable to distinguish between a ``use'' and a 
``disclosure,'' are decentralized, and cannot generate accountings of 
disclosures reports automatically, requiring manual entry to assemble a 
report for each requested accounting. The comments reflected a variety 
of audit log experiences, representative of the wide range of systems 
used for various functions in the health care system. According to the 
comments, most current audit logs retain at least the name or other 
identification of the individual who accessed the record, the name or 
other identification of the record that was accessed, the date, the 
time, and the area, module, or screen of the EHR that was accessed. 
Comments generally indicated that maintaining current audit logs for 
three years would incur minimal additional burden; however, increasing 
the information retained to include additional information about 
treatment, payment, and health care operations disclosures would create 
additional storage space burden.
    The seventh RFI question asked about the feasibility of the HITECH 
Act compliance timelines for the new accounting requirements. The 
HITECH Act provides that a covered entity that has acquired an EHR 
after January 1, 2009, must comply with the new accounting requirement 
by January 1, 2011, unless the Department extends this compliance 
deadline to no later than 2013. Almost all comments received on this 
topic indicated that the January 1, 2011, deadline would be impossible 
to meet. Estimates of the time needed to develop and implement the new 
accounting feature and subsequently install updated systems varied, 
however many comments indicated needing at least two years past the 
2011 date for compliance. Fewer than 10 early adopters of EHRs 
(acquired before January 1, 2009) responded, generally indicating that 
they would also need longer than the 2014 date for compliance, and that 
the timing would be dependent on vendors developing appropriate 
systems.
    Question eight requested input on the feasibility of an EHR module 
that is exclusively dedicated to accounting for disclosures. Almost 90% 
of the comments received on this topic indicated that a separate module 
to produce accounting of disclosures reports would not be an ideal 
solution due to the significant time and expense needed to develop such 
a module for limited benefit, given the low number of accounting 
requests received to date. Comments also indicated a potential for this 
effort to detract from meaningful use requirements.
    The final question of the RFI requested any other information that 
would be helpful to the Department regarding accounting for disclosures 
through an EHR to carry out treatment, payment, and health care 
operations. A large percentage of the comments expressed concerns with 
the burdens that this new accounting of disclosures requirement would 
create. These comments cited increased health care costs, reduced 
patient care time resulting from disruptions in provider workflow, and 
a potential chilling effect on the adoption of EHR systems, 
particularly for small providers. In addition, we received suggestions 
and requests for clarification on the scope of EHRs, disclosures, and 
disclosures through an EHR.

III. Overview of Proposed Rule

    We are proposing to revise Sec.  164.528 of the Privacy Rule by 
dividing it into two separate rights for individuals:

[[Page 31429]]

paragraph (a) would set forth an individual's right to an accounting of 
disclosures and paragraph (b) would set forth an individual's right to 
an access report (which would include electronic access by both 
workforce members and persons outside the covered entity). Our 
revisions to the right to an accounting of disclosures are based on our 
general authority under HIPAA and are intended to improve the 
workability and effectiveness of the provision. The right to an access 
report is based in part on the requirement of section 13405(c) of the 
HITECH Act to provide individuals with information about disclosures 
through an EHR for treatment, payment, and health care operations. This 
right to an access report is also based in part on our general 
authority under HIPAA, in order to ensure that individuals are 
receiving the information that is of most interest.
    These two rights, to an accounting of disclosures and to an access 
report, would be distinct but complementary. The right to an access 
report would provide information on who has accessed electronic 
protected health information in a designated record set (including 
access for purposes of treatment, payment, and health care operations), 
while the right to an accounting would provide additional information 
about the disclosure of designated record set information (whether 
hard-copy or electronic) to persons outside the covered entity and its 
business associates for certain purposes (e.g., law enforcement, 
judicial hearings, public health investigations). The intent of the 
access report is to allow individuals to learn if specific persons have 
accessed their electronic designated record set information (it will 
not provide information about the purposes of the person's access). In 
contrast, the intent of the accounting of disclosures is to provide 
more detailed information (a ``full accounting'') for certain 
disclosures that are most likely to impact the individual.
    We believe that these changes to the accounting requirements will 
provide information of value to individuals while placing a reasonable 
burden on covered entities and business associates. The process of 
creating a full accounting of disclosures is generally a manual, 
expensive, and time consuming process for covered entities and business 
associates. In contrast, we believe that the process of creating an 
access report will be a more automated process that provides valuable 
information to individuals with less burden to covered entities and 
business associates. By limiting the access report to electronic 
access, the report will include information that a covered entity is 
already required to collect under the Security Rule. Under Sec. Sec.  
164.308(a)(1)(ii)(D) and 164.312(b) of the HIPAA Security Rule, a 
covered entity is required to record and examine activity in 
information systems and to regularly review records of such activity. 
Accordingly, our proposal attempts to shift the accounting provision 
from a manual process that generates limited information to a more 
automated process that produces more comprehensive information (since 
it includes all access to electronic designated record set information, 
whether such access qualifies as a use or disclosure). We believe that 
these two rights, in conjunction, would provide individuals with 
greater transparency regarding the use and disclosure of their 
information than under the current rule.
    The right to an accounting of disclosures would encompass 
disclosures of both hard copy and electronic protected health 
information that is maintained in a designated record set. It would 
cover a three-year period, and would require a covered entity and its 
business associates to account for the disclosures of protected health 
information that we believe are of most interest to individuals. The 
right to an access report would only apply to protected health 
information about an individual that is maintained in an electronic 
designated record set. Our proposed rule would provide an individual 
with a right to obtain a copy of this information in the form of an 
``access report.'' It would cover a three-year period, and would 
provide the individual with information about who has accessed the 
individual's electronic protected health information held by a covered 
entity or business associate. It would not distinguish between ``uses'' 
and ``disclosures,'' and thus, would apply when any person accesses an 
electronic designated record set, whether that person is a member of 
the workforce or a person outside the covered entity. We propose to 
require that the access report identify the date, time, and name of the 
person (or name of the entity if the person's name is unavailable) who 
accessed the information (we also propose to require the inclusion of a 
description of the protected health information that was accessed and 
the user's action, but only to the extent that such information is 
available).
    With respect to the right to an accounting of disclosures and the 
right to an access report, covered entities would be required to 
include the applicable uses and disclosures of their business 
associates. Because these rights are limited to protected health 
information maintained in a designated record set, we believe that some 
business associates will not be affected by these requirements because 
they do not have designated record set information.
    We are proposing a revision to the requirements for notices of 
privacy practices at Sec.  164.520 in order to inform individuals of 
their right to receive an access report, in addition to an accounting 
of certain disclosures.
    We are proposing that covered entities (including small health 
plans) and business associates comply with the modifications to the 
accounting of disclosures requirement beginning 180 days after the 
effective date of the final regulation (240 days after publication). We 
are proposing that covered entities and business associates provide 
individuals with a right to an access report beginning January 1, 2013, 
for electronic designated record set systems acquired after January 1, 
2009, and beginning January 1, 2014, for electronic designated record 
set systems acquired as of January 1, 2009.

IV. Section-by-Section Description of Proposed Rule

    The following describes the provisions of the proposed rule section 
by section. Those interested in commenting on the proposed rule can 
assist the Department by preceding discussion of any particular 
provision or topic with a citation to the section of the proposed rule 
being discussed. While we request comment on several specific 
questions, we welcome comments on any aspects of the proposed rule.

A. Accounting of Disclosures of Protected Health Information--Section 
164.528(a)

    We are proposing the following modifications to the existing 
accounting of disclosures requirements to improve the workability of 
the requirements and to better focus the requirements on providing the 
individual with information about those disclosures that are most 
likely to impact the individual's legal and personal interests, while 
taking into account the administrative burdens on covered entities and 
business associates.
1. Standard: Right to an Accounting of Disclosures
    Paragraph (a)(1)(i) of the proposed rule would maintain the general 
standard that an individual has a right to receive an accounting of 
disclosures by a covered entity or business associate, but would 
include a number of changes to this right. Specifically, we

[[Page 31430]]

propose to change the scope of information subject to the accounting to 
the information about an individual in a designated record set, to 
explicitly include business associates in the language of the standard, 
to change the accounting period from six years to three years, and to 
list the types of disclosures that are subject to the accounting 
(rather than listing the types of disclosures that are exempt from the 
accounting).
    Currently, an individual has a right under Sec.  164.528 to an 
accounting of certain disclosures of protected health information about 
the individual, regardless of where such information is located. We are 
proposing to limit the accounting provision to protected health 
information about the individual in a designated record set. Designated 
record sets include the medical and health care payment records 
maintained by or for a covered entity, and other records used by or for 
the covered entity to make decisions about individuals. See the 
definition of ``designated record set'' at Sec.  164.501.
    This proposed change would better align the accounting provision at 
Sec.  164.528 with the individual's rights to access and amend 
protected health information at Sec. Sec.  164.524 and 164.526, which 
are both limited to protected health information about an individual in 
a designated record set. We believe that this information, which forms 
the basis for covered entities' health care and payment decisions about 
the individual, generally represents the protected health information 
that is of most interest to the individual.
    Covered entities should already have documentation of which systems 
qualify as designated record sets. Currently, Sec.  164.524(e)(1) 
provides that ``[a] covered entity must document the following and 
retain the documentation as required by Sec.  164.530(j): (1) [t]he 
designated record sets that are subject to access by individuals; * * 
*'' Covered entities and business associates are likely able to track 
those disclosures of protected health information within defined and 
established record sets and systems more easily.
    An example of protected health information that may fall outside 
the designated record set is a hospital's peer review files. If these 
files are only used to improve patient care at the hospital, and not to 
make decisions about individuals, then they are not part of the 
hospital's designated record set. Another example of protected health 
information that is outside the designated record set are transcripts 
of customer calls that are used only for purposes of customer service 
review, rather than to make decisions about the individual.
    Note that protected health information outside the designated 
record set would remain fully protected by the Privacy Rule and, with 
respect to electronic protected health information, the Security Rule. 
Further, the Breach Notification Rule continues to apply to all 
protected health information in any form and regardless of where such 
information exists at a covered entity or business associates. Thus, 
individuals would still be informed of breaches of unsecured protected 
health information even if such information resides outside of a 
designated record set.
    We request comment on our proposal to limit the accounting 
requirement to protected health information in a designated record set 
and whether there are unintended consequences with doing so either in 
terms of workability or the privacy interests of the individual.
    We include a direct reference to business associates in the 
standard to make clear that the covered entity must include accounting 
information for all disclosures by the covered entity's business 
associates that create, receive, maintain, or transmit designated 
record set information. Under the current Privacy Rule, a covered 
entity is required at Sec.  164.504(e)(2)(ii)(G) to include in its 
business associate agreements the requirement that the business 
associate will ``make available the information required to provide an 
accounting of disclosures in accordance with Sec.  164.528.'' Section 
164.528(b)(1) currently provides that the accounting must include 
``disclosures to or by business associates of the covered entity'' 
without regard to whether such information is maintained within a 
designated record set. To align with our proposal to apply the 
accounting requirements only to information within a designated record 
set, we in turn limit the information held by business associates that 
is subject to the accounting to information within a designated record 
set. For example, if a business associate is a third party 
administrator and maintains a copy of an individual's billing 
information, the covered entity must coordinate with the business 
associate to provide an accounting of the disclosures of this 
information. Similarly, we propose that if a business associate 
maintains a copy of an individual's medical record, then the covered 
entity would be required to account for the business associate's 
disclosure of this information. In contrast, a covered entity would not 
be required to account for a business associate's disclosure of 
information outside of a designated record set. As stated above, we 
believe that this represents the information that is of most interest 
to individuals, since it is the information that covered entities use 
to make health care and payment decisions about the individual.
    We propose that covered entities and business associates must 
generally account for disclosures over a three-year period. The current 
accounting provision requires covered entities and business associates 
to account for disclosures for the six-year period prior to the 
request. Section 13405(c)(1)(B) of the HITECH Act, however, states that 
an individual has a right to receive an accounting of treatment, 
payment, and health care operations disclosures through an EHR for the 
three-year period prior to the request. We believe that it is 
appropriate to maintain a consistent accounting time period for all 
types of disclosures. Accordingly, our proposal aligns the accounting 
period for all types of disclosures with the three-year period set 
forth in section 13405(c)(1)(B) of the HITECH Act. Additionally, based 
on our experience to date, we believe that individuals who request an 
accounting of disclosures are generally interested in learning of more 
recent disclosures (e.g., an individual is seeking information on why 
she has recently begun to receive information related to her health 
condition from a third party). Therefore, we do not believe that it 
will be a significant detriment to individuals to reduce the accounting 
period from six years to three years. In contrast, we believe it is a 
significant burden on covered entities and business associates to 
maintain information on six years of disclosures, rather than three 
years. We request comment on this issue and if there are specific 
concerns regarding the need for accounting of disclosures beyond three 
years.
    Paragraph (a)(1)(i) also would address which disclosures are 
subject to the accounting requirement. We propose to explicitly list 
the types of disclosures that are subject to the accounting 
requirement. In contrast, under the current Privacy Rule, Sec.  164.528 
provides that disclosures are generally subject to the accounting 
requirement, but then lists a series of exceptions. We believe that by 
explicitly listing the exceptions, but not the types of disclosures 
that are subject to the accounting requirement, the current regulatory 
language may make it difficult to easily and readily understand the 
types of disclosures that are subject to the accounting requirement. 
Thus, our proposed rule takes the opposite approach and explicitly 
lists the types of disclosures

[[Page 31431]]

that are subject to the accounting requirement.
    We propose that covered entities will continue to be required to 
account for disclosures that are impermissible under the Privacy Rule. 
While individuals will learn of most impermissible disclosures through 
the Breach Notification Rule at Sec.  164.404, we expect that some 
individuals will be interested in learning of impermissible disclosures 
that did not rise to the level of a breach (e.g., because the 
disclosure did not compromise the security or privacy of the protected 
health information). This ensures that covered entities and business 
associates maintain full transparency with respect to any impermissible 
disclosures by allowing a means (either through receipt of a breach 
notice or by requesting an accounting) for individuals to learn of all 
ways in which their designated record set information has been 
disclosed in a manner not permitted by the Privacy Rule.
    We propose to exempt from the accounting requirement impermissible 
disclosures in which the covered entity (directly or through a business 
associate) has provided breach notice. We do not believe it is 
necessary to require the covered entity or its business associates to 
account for such disclosures since the covered entity has already made 
the individual aware of the impermissible disclosure through the 
notification letter required by the Breach Notification Rule. The 
breach notification requirement serves the same purpose as the 
accounting requirement, but it is much more rigorous in that it is an 
affirmative duty on the covered entity to notify the individual of an 
impermissible disclosure in a more timely and detailed manner than the 
accounting for disclosures. Nonetheless, covered entities are free to 
also include in the accounting disclosures for which breach 
notification has already been provided to the individual if they choose 
to do so. We request comment on the burdens on covered entities and 
benefits to individuals associated with also receiving an accounting of 
disclosures that includes information provided in accordance with the 
breach notification requirement.
    We also propose to continue to include in the accounting 
requirement disclosures for public health activities (except those 
involving reports of child abuse or neglect), for judicial and 
administrative proceedings, for law enforcement activities, to avert a 
serious threat to health or safety, for military and veterans 
activities, for the Department of State's medical suitability 
determinations, to government programs providing public benefits, and 
for workers' compensation. We believe that these are the types of 
disclosures for which individuals are more likely to have a significant 
legal or personal interest.
    We have proposed to continue to include disclosures for public 
health purposes because, although some public health disclosures are 
population-based and may have limited impact on individuals, other 
public health disclosures, such as those related to targeted public 
health investigations, may be very specific to an individual and could 
have significant consequences to the individual. As discussed below, if 
a public health disclosure is also required by law, it would not be 
subject to the proposed accounting requirement. For example, if a 
disclosure to a public health authority regarding a communicable 
disease is required by law, the covered entity would not need to 
account for the disclosure. In contrast, if a disclosure regarding an 
individual's communicable disease is authorized, but not required, by 
law (meaning that it is at the discretion of the covered entity), then 
the covered entity would be required to account for the disclosure.
    Within public health disclosures, however, we are proposing to 
exempt from the accounting reports of child abuse or neglect to a 
public health authority or other appropriate government authority 
authorized by law to receive such reports, as permitted under Sec.  
164.512(b)(1)(ii). Since the initial compliance date of the Privacy 
Rule, a number of entities have raised concerns about the potential 
harm a covered entity or the members of its workforce may suffer as a 
result of having to account to a parent or guardian for its reporting 
to authorities of suspected child abuse or neglect. While the current 
Privacy Rule at Sec.  164.502(g)(5)(i)(B) provides that a covered 
entity may elect not to treat a person as an individual's personal 
representative when the covered entity reasonably believes that doing 
so could endanger the individual, a covered entity does not have the 
same discretion when it believes its actions could instead endanger the 
reporter. Thus, we believe it prudent to exempt such disclosures from 
the accounting requirement. Further, it is our understanding that the 
reporting of suspected child abuse or neglect is generally mandated by 
law and thus, would nonetheless be exempt from the accounting under our 
proposal (described below) to exempt from the accounting most 
disclosures that are required by law.
    With respect to the remainder of public health disclosures (i.e., 
public health disclosures other than those related to reports of child 
abuse or neglect), we request comment on whether there are other 
categories of public health disclosures that warrant an exception 
because such disclosures may be of limited interest to individuals and/
or because accounting for such disclosures may adversely affect certain 
population-based public health activities, such as active surveillance 
programs. We also request comment on whether the complexity of carving 
out such public health disclosures would lead to too much confusion 
among individuals and covered entities.
    We expect that individuals may have a significant interest in 
learning of disclosures for judicial and administrative proceedings, 
law enforcement, and to avert a serious threat to health or safety 
because such disclosures may significantly impact individuals' legal 
interests. We thus propose to continue to require that covered entities 
account for such disclosures.
    We propose to continue to require covered entities and business 
associates to account for disclosures for military and veterans 
activities under Sec.  164.512(k)(1) and for purposes of the Department 
of State's medical suitability determinations under Sec.  164.512(k)(4) 
because such disclosures may have significant employment and benefits 
consequences to the individual, such as a determination that an 
individual is not medically able to perform an assignment or mission or 
not eligible for certain veteran's benefits. In addition, we propose to 
continue to apply the accounting requirements to disclosures to 
government programs providing public benefits under Sec.  164.512(k)(6) 
and for workers' compensation purposes under Sec.  164.512(l) because 
such disclosures may adversely affect an individual's claim or 
benefits.
    As previously stated, the proposed rule explicitly lists the types 
of disclosures that are subject to the accounting requirement, rather 
than the previous approach of listing the types of disclosures for 
which an accounting was not required. Despite this change in regulatory 
approach, the following disclosures continue to be excluded from the 
accounting requirement: (i) To individuals of protected health 
information about them as provided in Sec.  164.502; (ii) incident to a 
use or disclosure otherwise permitted or required by the Privacy Rule, 
as provided in Sec.  164.502; (iii) pursuant to an authorization as 
provided in

[[Page 31432]]

Sec.  164.508; (iv) for the facility's directory or to persons involved 
in the individual's care or other notification purposes as provided in 
Sec.  164.510; (v) for national security or intelligence purposes as 
provided in Sec.  164.512(k)(2); (vi) to correctional institutions or 
law enforcement officials as provided in Sec.  164.512(k)(5); (vii) as 
part of a limited data set in accordance with Sec.  164.514(e); or 
(viii) that occurred prior to the compliance date for the covered 
entity. How these exceptions are treated for purposes of the access 
report is discussed below. Disclosures to carry out treatment, payment 
and health care operations as provided in Sec.  164.506 would continue 
to be exempt for paper records. However, in accordance with section 
13405(c) of the HITECH Act, an individual would be able to obtain 
information (such as the name of the person accessing the information) 
for all access to electronic protected health information stored in a 
designated record set for purposes of treatment, payment and health 
care operations.
    We also request comment on whether the Department should exempt 
from the accounting requirements certain categories of disclosures that 
are currently subject to the accounting. In particular, for the reasons 
discussed below, we are proposing to exclude disclosures about victims 
of abuse, neglect, or domestic violence under Sec.  164.512(c); 
disclosures for health oversight activities under Sec.  164.512(d); 
disclosures for research purposes under Sec.  164.512(i); \1\ 
disclosures about decedents to coroners and medical examiners, funeral 
directors, and for cadaveric organ, eye, or tissue donation purposes 
under Sec.  164.512(g) and (h); disclosures for protective services for 
the President and others under Sec.  164.512(k)(3); and most 
disclosures that are required by law (including disclosures to the 
Secretary to enforce the HIPAA Administrative Simplification Rules). 
Note, however, to the extent such disclosures are made through direct 
access to electronic designated record set information, such 
disclosures will be recorded and available to the individual in an 
access report under proposed Sec.  164.528(b). We request comment on 
our proposal to exclude these categories from the accounting of 
disclosures requirements, including comment on the rationales expressed 
below, and will revisit these exclusions in drafting the final rule 
based on the public comment we receive.
---------------------------------------------------------------------------

    \1\ Disclosures of limited data sets for research purposes under 
Sec.  164.514(e) and disclosures for research purposes pursuant to 
an individual's authorization under Sec.  164.508 are currently 
exempt from the accounting requirements and would not be impacted by 
this proposal.
---------------------------------------------------------------------------

    First, we are proposing to exclude from the accounting requirement 
disclosures related to reports of adult abuse, neglect, or domestic 
violence under Sec.  164.512(c). As with the proposal to exclude 
disclosures for child abuse reporting, we have concerns that accounting 
for such disclosures could endanger the reporter of the abuse. Further, 
the Privacy Rule at Sec.  164.512(c)(2) requires the covered entity to 
promptly inform the individual that an abuse or domestic violence 
report has been or will be made to the proper authorities unless doing 
so may endanger the individual. Thus, in most cases, the individual 
will be affirmatively notified of such disclosures by the covered 
entity, which obviates the need for the disclosures to be included in 
an accounting.
    In this proposed rule, we are also considering removing from the 
accounting requirement disclosures for research under Sec.  164.512(i), 
which includes research where an Institutional Review Board (IRB) or 
Privacy Board has waived the requirement for individual authorization 
because, among other reasons, it determined that the study poses no 
more than a minimal risk to the privacy of individuals and the waiver 
is needed to conduct the research.\2\ Because such research may involve 
thousands of medical records and the burden to account for each 
disclosure may have a chilling effect on important areas of study, the 
current Privacy Rule includes a simplified accounting requirement for 
larger studies. In particular, the Privacy Rule allows a covered entity 
to provide individuals with a protocol listing describing the research 
protocols for which the individual's protected health information may 
have been disclosed, rather than an individualized accounting of each 
actual disclosure, for studies involving 50 or more individuals. The 
protocol listing must include the name of the protocol or other 
research activity; a plain language description of the research; a 
brief description of the types of protected health information that 
were disclosed; the date or period of time during which such 
disclosures occurred or may have occurred; contact information for the 
researcher and research sponsor; and a statement that the protected 
health information of the individual may or may not have been disclosed 
for a particular protocol or research activity. If it is reasonably 
likely that the protected health information of the individual was 
disclosed for a particular research protocol or activity, the Privacy 
Rule requires that the covered entity assist in contacting the 
researcher and research sponsor, if requested by the individual. See 
Sec.  164.528(b)(4)(ii).
---------------------------------------------------------------------------

    \2\ Section 164.512(i) also permits uses and disclosures for 
research without an individual's authorization where access to 
protected health information is sought solely to review the 
information as necessary to prepare a research protocol or for 
similar purposes and no protected health information is to be 
removed from the covered entity by the researcher in the course of 
the review or where access is being sought solely for research on 
the protected health information of decedents.
---------------------------------------------------------------------------

    Therefore, under the current rule, an individual that requests an 
accounting of disclosures will receive a specific accounting of certain 
disclosures (for example, disclosures for research studies involving 
less than 50 individuals) and a potentially large protocol listing of 
studies that may or may not include the individual's protected health 
information. The individual would not be notified of certain 
disclosures of protected health information for research (such as 
research in which the individual specifically authorized release of 
protected health information). In this proposed rule, we are 
considering whether to exempt covered entities from having to provide 
an accounting of disclosures for research, including through a protocol 
listing. Rather, the individual would continue to receive notice 
through the notice of privacy practices that protected health 
information may be used or disclosed for research, and the covered 
entity would only be able to disclose the individual's protected health 
information for research under limited circumstances (such as based on 
the individual's authorization or an IRB/Privacy Board finding that the 
research poses no more than a minimal risk to the individual's 
privacy).
    The Department is considering excluding research disclosures from 
the accounting requirements because, even though the Privacy Rule 
includes this simplified accounting option for research disclosures to 
large studies, the Department continues to hear concerns from the 
research community regarding the administrative burden of the 
accounting requirements and the potentially resulting chilling effect 
the requirements have on human subjects research. For example, the 
Secretary's Advisory Committee for Human Research Protections (SACHRP) 
in its September 2004 letter to the Secretary recommended that the 
Department exempt research disclosures from the accounting requirements 
altogether. SACHRP indicated that a research protocol listing may be 
very extensive at

[[Page 31433]]

larger institutions and the requirement for a covered entity to assist 
individuals in contacting the researchers and research sponsors places 
an unreasonable burden on covered entities. SACHRP further indicated 
that, since the accounting requirements apply only to research 
``disclosures'' and not ``uses,'' whether access by researchers within 
institutions to protected health information must be accounted for 
depends entirely on whether the researchers are workforce members 
(uses) or physicians with staff privileges (disclosures), which is an 
``artificial'' distinction. See Appendix A to SACHRP's September 27, 
2004 letter to the Secretary, available at https://www.hhs.gov/ohrp/sachrp/appendixa.html.
    Similarly, in a report on ways to enhance privacy and improve 
health through research, the Institute of Medicine (IOM) concluded that 
the Privacy Rule's current accounting provision for research 
disclosures places a heavy administrative burden on health systems and 
health services research but achieves little in terms of protecting 
privacy. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving 
Health through Research, Institute of Medicine of the National 
Academies p. 51 (2009) (available at https://www.iom.edu). The IOM 
report recommended that the Department revise the Privacy Rule to 
exempt disclosures made for research from the Privacy Rule's accounting 
requirement. As an alternative, the IOM suggested that all institutions 
should maintain a list, accessible to the public, of all studies 
approved by an IRB/Privacy Board.
    While acknowledging these concerns, the Department notes that it 
does not have sufficient information regarding the actual burden, as 
well as the utility, of providing the current accounting of research 
disclosures to individuals (i.e., a specific accounting of disclosures 
for research studies where the disclosures involved less than 50 
individuals and a protocol listing of studies where the disclosures 
involved 50 or more individuals). We thus solicit public comment on the 
value of the current accounting for research disclosures to individuals 
who have used or might in the future request such an accounting, 
including comments on what may be the most important/useful elements of 
the current accounting to individuals. We also ask covered entities to 
provide data regarding the number of protocols that would typically be 
included in a protocol listing, the nature and number of smaller 
research studies that involve the disclosure by the covered entity of 
protected health information about less than 50 individuals and for 
which a specific accounting is currently required, and the burdens on 
researchers and covered entities to provide the requested accountings 
of disclosures. Further, we seek public comment on alternative ways 
that we could provide the individual with information about the covered 
entity's research disclosures, such as the IOM's recommendation for a 
list of all IRB/Privacy Board approved studies, or whether other types 
of documentation about the research could be provided to the individual 
in a manner that is potentially less burdensome on covered entities but 
still sufficiently valuable to individuals. We will assess how to best 
provide information regarding research disclosures to individuals based 
on these comments.
    We note that, as mentioned above, under proposed Sec.  164.528(b), 
an individual would still be able to request an access report from the 
covered entity, which would include access for research purposes to 
electronic designated record set information by workforce members and 
others, such as physicians with staff privileges (although such 
electronic access would not be labeled as research).
    We also propose to not include disclosures for health oversight 
activities under Sec.  164.512(d). Such disclosures primarily are 
population-based or event triggered and thus relate to the covered 
entity, rather than the individual (if an investigation is focused on 
the individual rather than the covered entity, then the Privacy Rule at 
Sec.  164.512(d)(2) generally treats the investigation as for law 
enforcement rather than health oversight, which means that the 
disclosure would be subject to the proposed accounting provision). Such 
disclosures are also often routine, to a government agency, and 
required by law. For these reasons, we do not believe the potential 
burden on a covered entity or business associate to account for what 
may be voluminous disclosures of records is balanced by what is likely 
not a strong interest on the part of individuals to learn of such 
disclosures. We request comment on these assumptions.
    In addition, we are proposing to not include disclosures about 
decedents to coroners, medical examiners, and funeral directors under 
Sec.  164.512(g) because we believe that such types of disclosures are 
relatively routine, expected, and do not raise significant privacy 
concerns. Similarly, we propose to exclude disclosures about decedents 
for cadaveric organ, eye, or tissue donation purposes under Sec.  
164.512(h). This limited provision permits a covered entity to disclose 
protected health information about a decedent in cases where there was 
no prior HIPAA authorization to organ procurement organizations or 
other entities engaged in the procurement, banking, or transplantation 
of cadaveric organs, eyes, or tissue for the purpose of facilitating 
organ, eye, or tissue donation and transplantation. The provision is 
intended to avoid putting covered entities in the position of having to 
request consent from grieving families with respect to donation of 
organs of a deceased loved one before a determination has been made 
that donation would be medically suitable. Given the circumstances and 
limited nature of the disclosure, and because we anticipate that 
families will be involved in the decision process with respect to the 
donation, we propose to exclude these disclosures from the accounting. 
We request comment on this proposal.
    We are proposing to exclude most disclosures that are required by 
law because these disclosures are often population based rather than 
related to a specific individual, because they often reflect a 
determination by a state legislature or other government body rather 
than a discretionary decision of a covered entity or business 
associate, and because we believe it is reasonable to assume that 
individuals are aware that their health information will be disclosed 
where mandated by law. Further, individuals are generally informed that 
a covered entity may disclose an individual's protected health 
information when required to do so by other law through a covered 
entity's notice of privacy practices. Based on comments received, we 
have been informed that accounting for these nondiscretionary 
disclosures represents a significant administrative burden on covered 
entities. Thus, we propose that disclosures made under Sec.  
164.512(a)(1) of the Privacy Rule need not be included in an accounting 
in order to lessen this administrative burden.
    In addition, in paragraph (a)(1)(ii), we propose to make clear that 
most disclosures that fall under paragraph (a)(1)(i) (i.e., are for a 
purpose that would otherwise be subject to the accounting) but that are 
also required by law do not require an accounting. For example, if a 
disclosure to a public health authority or for workers' compensation is 
required by law (rather than merely authorized by law), then the 
covered entity or business associate is not required to include such a 
disclosure in a requested accounting. We propose, however, that covered 
entities and business associates account

[[Page 31434]]

for disclosures for judicial and administrative proceedings and for law 
enforcement purposes, even when such disclosures are required by law. 
This is consistent with our general treatment of such disclosures under 
Sec.  164.512(a)(2), where we provide that a disclosure that is 
required by law but that also falls within the law enforcement or 
judicial and administrative proceeding provisions at Sec.  164.512(e) 
and (f) must meet the latter's requirements. As indicated above, we 
believe that disclosures for law enforcement purposes and judicial and 
administrative proceedings directly implicate an individual's legal 
and/or personal interests and thus believe the individual should have a 
right to learn of such disclosures.
    If a covered entity has been subject to the Privacy Rule for less 
than three years, then the covered entity only need account for the 
period of time during which the covered entity was subject to the Rule.
2. Implementation Specification: Content of the Accounting
    Currently, the Privacy Rule at Sec.  164.528(b)(2) requires an 
accounting of disclosures to include the date of disclosure, name and 
(if known) address of the recipient, a brief description of the type of 
protected health information disclosed, and a brief statement of the 
purpose of the disclosure. We are proposing to maintain these elements, 
but with some minor modifications.
    We are proposing at paragraph (a)(2)(i)(A) that a covered entity or 
business associate need only provide an approximate date or period of 
time for each disclosure, if the actual date is not known. At a 
minimum, the approximate date must include a month and year or a 
description of when the disclosure occurred from which an individual 
can readily determine the month and year of the disclosure. Thus, the 
accounting may include the specific date of a disclosure (e.g., 
December 1, 2010), a month and year (e.g., December 2010), or an 
approximate time range (e.g., between December 1, 2010 and December 15, 
2010).
    The Privacy Rule currently provides, at Sec.  164.528(b)(3), that 
for multiple disclosures of protected health information to the same 
person or entity for the same purpose, the accounting may provide all 
of the information required by paragraph (b)(2) for the first 
disclosure; the frequency, periodicity, or number of disclosures during 
the accounting period; and the date of the last disclosure. We instead 
propose that, for multiple disclosures to the same person or entity for 
the same purpose, the approximate period of time is sufficient (e.g., 
for numerous disclosures, ``December 2010 through August 2011,'' or 
``monthly between December 2