[Federal Register Volume 75, Number 84 (Monday, May 3, 2010)]
[Proposed Rules]
[Pages 23214-23216]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-10054]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0991-AB62


HIPAA Privacy Rule Accounting of Disclosures Under the Health 
Information Technology for Economic and Clinical Health Act; Request 
for Information

AGENCY: Office for Civil Rights, Department of Health and Human 
Services.

ACTION: Request for information.

-----------------------------------------------------------------------

SUMMARY: Section 13405(c) of the Health Information Technology for 
Economic and Clinical Health (HITECH) Act expands an individual's right 
under the Health Insurance Portability and Accountability Act of 1996 
(HIPAA) Privacy Rule to receive an accounting of disclosures of 
protected health information made by HIPAA covered entities and their 
business associates. In particular, section 13405(c) of the HITECH Act 
requires the Department of Health and Human Services (``Department'' or 
``HHS'') to revise the HIPAA Privacy Rule to require covered entities 
to account for disclosures of protected health information to carry out 
treatment, payment, and health care operations if such disclosures are 
through an electronic health record. This document is a request for 
information (RFI) to help us better understand the interests of 
individuals with respect to learning of such disclosures, the 
administrative burden on covered entities and business associates of 
accounting for such disclosures, and other information that may inform 
the Department's rulemaking in this area.

DATES: Submit comments on or before May 18, 2010.

ADDRESSES: Written comments may be submitted through any of the methods 
specified below. Please do not submit duplicate comments.
     Federal eRulemaking Portal: You may submit electronic 
comments at http://www.regulations.gov. Follow the instructions for 
submitting electronic comments. Attachments should be in Microsoft 
Word, WordPerfect, or Excel; however, we prefer Microsoft Word.
     Regular, Express, or Overnight Mail: You may mail written 
comments (one original and two copies) to the following address only: 
U.S. Department of Health and Human Services, Office for Civil Rights, 
Attention: HITECH Accounting of Disclosures, Hubert H. Humphrey 
Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 
20201.
     Hand Delivery or Courier: If you prefer, you may deliver 
(by hand or courier) your written comments (one original and two 
copies) to the following address only: Office for Civil Rights, 
Attention: HITECH Accounting of Disclosures, Hubert H. Humphrey 
Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 
20201. (Because access to the interior of the Hubert H. Humphrey 
Building is not readily available to persons without Federal government 
identification, commenters are encouraged to leave their comments

[[Page 23215]]

in the mail drop slots located in the main lobby of the building.)
    Inspection of Public Comments: All comments received before the 
close of the comment period will be available for public inspection, 
including any personally identifiable or confidential business 
information that is included in a comment. We will post all comments 
received before the close of the comment period at http://www.regulations.gov. Because comments will be made public, they should 
not include any sensitive personal information, such as a person's 
social security number; date of birth; driver's license number, state 
identification number or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. Comments also 
should not include any sensitive health information, such as medical 
records or other individually identifiable health information, or any 
non-public corporate or trade association information, such as trade 
secrets or other proprietary information.

FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202-205-2292.

SUPPLEMENTARY INFORMATION:

I. Background

    Covered entities under the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA), Title II, Subtitle F--
Administrative Simplification, Public Law 104-191, 110 Stat. 2021, are 
currently required by the HIPAA Privacy Rule at 45 CFR 164.528 to make 
available to an individual upon request an accounting of certain 
disclosures of the individual's protected health information over the 
past six years. For each disclosure, the accounting must include: (1) 
The date of the disclosure; (2) the name (and address, if known) of the 
entity or person who received the protected health information; (3) a 
brief description of the information disclosed; and (4) a brief 
statement of the purpose of the disclosure (or a copy of the written 
request for the disclosure). For multiple disclosures to the same 
person for the same purpose, the accounting is only required to 
include: (1) For the first disclosure, a full accounting, with the 
elements described above; (2) the frequency, periodicity, or number of 
disclosures made during the accounting period; and (3) the date of the 
last such disclosure made during the accounting period. Section 
164.528(a)(1)(i) of the Privacy Rule currently exempts disclosures to 
carry out treatment, payment, and health care operations from these 
accounting requirements.\1\
---------------------------------------------------------------------------

    \1\ The core health care activities of ``Treatment,'' 
``Payment,'' and ``Health Care Operations'' are defined in the 
Privacy Rule at 45 CFR 164.501.
---------------------------------------------------------------------------

    Section 13405(c) of the Health Information Technology for Economic 
and Clinical Health (HITECH) Act, Public Law 111-5, 123 Stat. 265-66, 
provides that the exemption at Sec.  164.528(a)(1)(i) of the Privacy 
Rule for disclosures to carry out treatment, payment, and health care 
operations no longer applies to disclosures ``through an electronic 
health record.'' Under section 13405(c), an individual has a right to 
receive an accounting of such disclosures that covers disclosures made 
during the three years prior to the request. Section 13400 of the 
statute defines ``electronic health record'' as ``an electronic record 
of health-related information on an individual that is created, 
gathered, managed, and consulted by authorized health care clinicians 
and staff.'' We take the opportunity in this RFI to request public 
comment to inform our regulations under the HITECH Act, which requires 
that we take into account both the interests of individuals in learning 
the circumstances under which their protected health information is 
being disclosed and the administrative burden of accounting for 
disclosures for treatment, payment, and health care operations through 
an electronic health record.
    We request comments specifically on the questions below. The 
Department welcomes comments from all stakeholders on these issues, but 
in addition to hearing from covered entities, is particularly 
interested in hearing from individuals, consumer advocates and groups, 
and, regarding technical capabilities, from vendors of electronic 
health record systems.

II. Questions

    1. What are the benefits to the individual of an accounting of 
disclosures, particularly of disclosures made for treatment, payment, 
and health care operations purposes?
    2. Are individuals aware of their current right to receive an 
accounting of disclosures? On what do you base this assessment?
    3. If you are a covered entity, how do you make clear to 
individuals their right to receive an accounting of disclosures? How 
many requests for an accounting have you received from individuals?
    4. For individuals that have received an accounting of disclosures, 
did the accounting provide the individual with the information he or 
she was seeking? Are you aware of how individuals use this information 
once obtained?
    5. With respect to treatment, payment, and health care operations 
disclosures, 45 CFR 170.210(e) currently provides the standard that an 
electronic health record system record the date, time, patient 
identification, user identification, and a description of the 
disclosure. In response to its interim final rule, the Office of the 
National Coordinator for Health Information Technology received 
comments on this standard and the corresponding certification criterion 
suggesting that the standard also include to whom a disclosure was made 
(i.e., recipient) and the reason or purpose for the disclosure. Should 
an accounting for treatment, payment, and health care operations 
disclosures include these or other elements and, if so, why? How 
important is it to individuals to know the specific purpose of a 
disclosure--i.e., would it be sufficient to describe the purpose 
generally (e.g., for ``for treatment,'' ``for payment,'' or ``for 
health care operations purposes''), or is more detail necessary for the 
accounting to be of value? To what extent are individuals familiar with 
the different activities that may constitute ``health care 
operations?'' On what do you base this assessment?
    6. For existing electronic health record systems:
    (a) Is the system able to distinguish between ``uses'' and 
``disclosures'' as those terms are defined under the HIPAA Privacy 
Rule? Note that the term ``disclosure'' includes the sharing of 
information between a hospital and physicians who are on the hospital's 
medical staff but who are not members of its workforce.
    (b) If the system is limited to only recording access to 
information without regard to whether it is a use or disclosure, such 
as certain audit logs, what information is recorded? How long is such 
information retained? What would be the burden to retain the 
information for three years?
    (c) If the system is able to distinguish between uses and 
disclosures of information, what data elements are automatically 
collected by the system for disclosures (i.e., collected without 
requiring any additional manual input by the person making the 
disclosure)? What information, if any, is manually entered by the 
person making the disclosure?
    (d) If the system is able to distinguish between uses and 
disclosures of information, does it record a description of disclosures 
in a standardized manner (for example, does the system offer or require 
a user to select from a limited list of types of disclosures)? If yes, 
is

[[Page 23216]]

such a feature being utilized and what are its benefits and drawbacks?
    (e) Is there a single, centralized electronic health record system? 
Or is it a decentralized system (e.g., different departments maintain 
different electronic health record systems and an accounting of 
disclosures for treatment, payment, and health care operations would 
need to be tracked for each system)?
    (f) Does the system automatically generate an accounting for 
disclosures under the current HIPAA Privacy Rule (i.e., does the system 
account for disclosures other than to carry out treatment, payment, and 
health care operations)?
    i. If yes, what would be the additional burden to also account for 
disclosures to carry out treatment, payment, and health care 
operations? Would there be additional hardware requirements (e.g., to 
store such accounting information)? Would such an accounting feature 
impact system performance?
    ii. If not, is there a different automated system for accounting 
for disclosures, and does it interface with the electronic health 
record system?
    7. The HITECH Act provides that a covered entity that has acquired 
an electronic health record after January 1, 2009 must comply with the 
new accounting requirement beginning January 1, 2011 (or anytime after 
that date when it acquires an electronic health record), unless we 
extend this compliance deadline to no later than 2013. Will covered 
entities be able to begin accounting for disclosures through an 
electronic health record to carry out treatment, payment, and health 
care operations by January 1, 2011? If not, how much time would it take 
vendors of electronic health record systems to design and implement 
such a feature? Once such a feature is available, how much time would 
it take for a covered entity to install an updated electronic health 
record system with this feature?
    8. What is the feasibility of an electronic health record module 
that is exclusively dedicated to accounting for disclosures (both 
disclosures that must be tracked for the purpose of accounting under 
the current HIPAA Privacy Rule and disclosures to carry out treatment, 
payment, and health care operations)? Would such a module work with 
covered entities that maintain decentralized electronic health record 
systems?
    9. Is there any other information that would be helpful to the 
Department regarding accounting for disclosures through an electronic 
health record to carry out treatment, payment, and health care 
operations?

    Dated: April 26, 2010.
Georgina Verdugo,
Director, Office for Civil Rights.
[FR Doc. 2010-10054 Filed 4-30-10; 8:45 am]
BILLING CODE 4153-01-P