HITECH Accounting of Disclosures Rule

Jason Luke

The HITECH act Sec 13405(c) establishes a new right for patients to receive an accounting of who accessed their PHI.

HHS released a Notice of Proposed Rulemaking (NPRM) relating to this new right that expands on the text of the law and has significant impact to covered entities and business associates.

The new proposal creates the right for a patient to obtain a report of all uses and disclosures of their PHI. Since the HIPAA Security Rule requires audit logging, there is a presumption that this data is already collected. There is substantial disagreement as to whether the Security Rule actually requires all the logging that would be necessary to meet this new reporting requirement, and it is doubtful that most companies could easily accommodate such a request. Essentially, this rule allows a patient, at any time and for any reason with no limit, to request a list of everyone who has accessed their PHI in every location it is stored. Considering all the applications and databases in a typical hospital along with how many people may need to view that data on a typical patient, this would be a significant report for any company. HHS is accepting comments regarding this NPRM until August 1, 2011.