OCR Tries Subtraction through Addition
in Accounting of Disclosure Rule
By Kevin Heubusch
THE OFFICE FOR Civil Rights proposed rule on the HITECH modifications to the HIPAA accounting of disclosure provision contains an interesting attempt to balance the mandates of the statute with the realities of today’s accountings. OCR was faced with the difficult task of expanding account- ing of disclosures to include disclosures made for purposes of treatment, payment, and healthcare operations (TPO). The ad- ministrative burden of tracking disclosures in the current envi- ronment is high, and the interest from individuals in receiving accountings has been low. OCR proposes a new “access report” that would be easier for covered entities to maintain and more likely to provide individuals with the information they want. The report would not distinguish between use and disclosure—something few if any current IT systems can do. Instead, it would identify anyone inside
or outside the facility who accessed an individual’s information.
The report would be restricted to protected health information contained within the individual’s designated record set and
existing in electronic format. The designated record set and access tracking—features of HIPAA—should be well-established
within covered entities, OCR reasons.
Under the proposal, the modification regarding TPO would
not apply to accountings of disclosure. It would apply only to
the access report, which would serve to meet the HITECH requirement.
Take, for example, a staff member who logs into a claims
system and discloses information to a payer. An access report
would detail the name, date, and system accessed, but it would
not be required to report the disclosure. The same event would
not appear in an accounting of disclosure, because the disclosure was for purposes of payment.
The Access Report
The access report, in effect, answers the simple question “who?”
It would show that John Smith accessed the individual’s record,
but it would not indicate that Smith is a clinical researcher, for
example. It would not be required to indicate the purpose of
Smith’s access or any action that he took.
As proposed, the access report would include:
x Date and time of access
x Name of person accessing the record
The proposed rule is very clear that the report provide actual
names. Although some organizations have expressed concern
for the privacy and safety of their employees, OCR believes the
value of the access report is in the individual’s ability to know
who has seen his or her protected information.