als have the right to limit their requests by date, time period, or
person. OCR notes that it is to no one’s advantage to collect and
report three years of access data if the individual is only interested in access that occurred within a 30-day period.
The access reports must be made available in an electronic
format such as a PDF. However, if possible, reports should be
in a machine-readable format, such as a word-processing or
spreadsheet file, which will aid the individual in searching the
contents for specific names or dates.
Accounting of Disclosures
With a belief that the access report will provide much of the information that individuals are seeking, OCR makes relatively
few changes to the accounting of disclosure provisions. However, some are significant.
Most notably, the rule would limit accountings to disclosures
of protected health information contained in the designated record set. Accountings would continue to be made on information in both paper and electronic format.
The rule attempts to eliminate earlier confusion by specifying
the disclosure types that must be reported, and it expands the
list of those that are exempt. The rule details these changes.
The Coming Year
OCR will accept comment on the proposed rule until August 1,
so the first step for covered entities is to review the rule, consider
its impact, and comment.
Covered entities that purchased systems after January 1, 2009,
would have until January 1, 2013, to comply with the final rule.
Those that purchased systems before 2009 would have until
January 1, 2014.
Preparing for the rule will require that covered entities identify
all systems that contribute to their designated record sets. That
inventory must include the date on which each system was purchased, since this determines when systems must be included
in the report. In future years, any new systems will have to be
evaluated for inclusion in reporting.
Organizations whose ancillary systems feed into the EHR or a
hub will have an easier time generating a report, because they
can report access through a single point. In more decentralized
arrangements, where individuals can query individual systems,
the report must track access to each system. Further, each of
these systems must have the ability to record the name, date,
and time of each individual who logs on.
Covered entities will require good lines of communication
with their system vendors to determine how and when updates
will be available. In some instances they may find that their current systems possess functionality to address new requirements
that has not been implemented.
Comparing Access and Accounting
The proposed access report and the full accounting of
disclosure would show two views of the same event. Or, as
in the second scenario below, they may not overlap at all.
Example 1. A nurse accesses the EHR system, prints a
record, and faxes it to a law enforcement agency.
- The access report would indicate the nurse accessed the EHR system. It would not indicate why she was in the system; however, depending on the system capabilities, the report may show that she printed the information.
- The accounting of disclosure would include the disclosure to law enforcement. It would not detail the nurse’s access, which involved internal use.
Example 2. A physician with staff privileges accesses the
hospital EHR system and sends a record to a specialist for
the purpose of treatment.
- The access report would show the physician’s access to the EHR system. It would not indicate her purpose. However, depending on the capability of the system, the report may show that the physician sent the information to a third party, and it may even identify the recipient.
- The accounting of disclosures would not include this event, because the disclosure is for purposes of treatment.
The following table summarizes the main differences.

INFORMATION                           ACCESS REPORT   FULL ACCOUNTING
Name of recipient                     Yes             Yes
Paper disclosures                     No              Yes
Exact dates                           Yes             No
Purpose                               No              Yes
Treatment, payment, and operations    Yes             No
Disclosures outside the DRS system    No              Yes
Machine-readable format               Yes             Optional

Source: Greene, Adam, and Dan Rode. “Proposed Regulations for
Accounting of Disclosures Audio Seminar/Webinar.” AHIMA. June 7,
2011. www.ahimastore.org.
References
Department of Health and Human Services. “HIPAA Privacy
Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act.”
Federal Register 76, no. 104 (May 31, 2011): 31426–49.
Greene, Adam, and Dan Rode. “Proposed Regulations for Accounting of Disclosures Audio Seminar/Webinar.” AHIMA.
June 7, 2011. www.ahimastore.org.
Kevin Heubusch (kevin.heubusch@ahima.org) is editor-in-chief of the
Journal of AHIMA.