[Please label comments about this section with the subject: “Accounting of disclosures”]
In this rule, we propose that individuals have a right to receive an accounting of all instances where protected health information about them is disclosed by a covered entity for purposes other than treatment, payment, and health care operations, subject to certain time-limited exceptions for disclosures to law enforcement and oversight agencies as discussed below. Providing such an accounting would allow individuals to understand how their health information is shared beyond the basic purposes of treatment, payment and health care operations.
We considered whether to require covered entities to account for all disclosures, including those for treatment, payment and health care operations. We rejected this approach because it would be burdensome and because it would not focus on the disclosures of most interest to individuals. Upon entering the health care system, individuals are generally aware that their information will be used and shared for the purpose of treatment, payment and health care operations. They have the greatest interest in an accounting of circumstances where the information was disclosed for other purposes that are less easy to anticipate. For example, an individual might not anticipate that his or her information would be shared with a university for a research project, or would be requested by a law enforcement agency.
We are not proposing that covered entities include uses and disclosures for treatment, payment and health care operations in the accounting. We believe that it is appropriate for covered entities to monitor all uses and disclosures for treatment, payment and health care operations, and they would be required to do so for electronically maintained information by the Security Standard. However, we do not believe that covered entities should be required to provide an accounting of the uses and disclosures for treatment payment and health care operations.
The proposed Security Standard would require that “[e]ach organization … put in place audit control mechanisms to record and examine system activity. They would be important so that the organization can identify suspect data access activities, assess its security program, and respond to potential weaknesses.” The purpose of the audit control mechanism, or audit trail, in the Security Standard would be to provide a means for the covered entity to police access to the protected health information maintained in its systems. By contrast, the purpose of the accounting would be to provide a means for individuals to know how the covered entity is disclosing protected health information about them. An audit trail is critical to maintaining security within the entity and it could be constructed in such a way to enable the covered plan or provider to satisfy the requirements of both regulations. For example, every time protected health information was used or disclosed, the audit mechanism could prompt the user for a “purpose.” If the disclosure was for a purpose other than treatment, payment or health care operations, then the information could be flagged or copied into a separate database. This would allow the entity to both monitor security and have the ability to provide an accurate accounting upon request.
Covered entities should know how all protected health information is used and disclosed, but should not be required to provide an exhaustive accounting of all uses and disclosures to individuals upon request. Such an accounting could be extremely long and detailed. It would place a tremendous burden on the covered entities and it could be far too detailed to adequately inform the individual. We determined that when individuals seek health care, they understand that information about them will be used and disclosed in order to provide treatment or obtain payment and therefore, they would have the most significant interest in knowing how protected health information was used and disclosed beyond the expected realm of treatment, payment and health care operations. We are soliciting comment on whether the scope of accounting strikes an appropriate balance between providing information to the individual and imposing requirements on covered entities.
We are proposing that covered entities be required to provide an accounting of disclosures for as long as the entity maintains the protected health information. We considered only requiring the accounting for a specified period of time, but concluded that individuals should be permitted to learn how their information was disclosed for as long as the information is maintained by the covered plan or provider. We are soliciting comments on whether we should include a specific time period in this proposed rule.
This proposed rule does not specify a particular form or format for the accounting. In order to satisfy the accounting requirement, a covered entity could elect to maintain a systematic log of disclosures or it could elect to rely upon detailed record keeping that would permit the entity to readily reconstruct the history when it receives a request from an individual. We would require that covered entities be able to respond to a request for accounting within a reasonable time period. In developing the form or format of the accounting, covered entities should adopt policies and procedures that will permit them to respond to requests within the 30-day time period in this proposed rule.
We are proposing that the accounting include all disclosures for purposes other than treatment, payment, and health care operations, subject to certain exceptions for disclosures to law enforcement and oversight agencies, discussed below. This would also include disclosures that are authorized by the individual. The accounting would include the date of each disclosure; the name and address of the organization or person who received the protected health information; and a brief description of the information disclosed. For all disclosures that are authorized by the individual, we are proposing that the covered entity maintain a copy of the authorization form and make it available to the individual with the accounting.
We considered whether the accounting of disclosures should include the name of the person who authorized the disclosure of information. The proposed Security Standard would require covered entities to have an audit mechanism in place to monitor access by employees. We concluded that it was unnecessary and inappropriate to require the covered entity to include this additional information in the accounting. If the individual identifies an improper disclosure by an entity, he or she should hold the entity – not the employee of the entity – accountable. It is the responsibility of the entity to train its workforce about its policies and procedures for the disclosure of protected health information and to impose sanctions if such policies and procedures are violated.
We are proposing that protected health information that is disclosed to a health oversight or law enforcement agency would be excluded from the accounting if the oversight or law enforcement agency provides a written request stating that the exclusion is necessary for a specified time period because access by the individual during that time period would be reasonably likely to impede the agency’s activities. The written request must specifically state how long the information should be excluded. At the expiration of that period, the covered entity would be required to include the information in an accounting for the individual.
We are proposing this time-limited exclusion for law enforcement and oversight activities because we do not intend to unreasonably interfere with investigations and other activities that are in the public interest. The Recommendations simply provide that disclosures to law enforcement and oversight agencies should be excluded from the accounting where access by the individual could be reasonably likely to impede the agency’s activities. We were concerned that it would be difficult for covered entities to determine whether access by the individual was "reasonably likely to impede the agency’s activities." In order to address this concern, we considered excluding all disclosures to law enforcement and oversight from the accounting, but concluded that such an exclusion would be overly broad. As a means of creating a clearly defined rule for the covered entity to follow, we are proposing that covered entities require a time-limited, written statement from the oversight or law enforcement agency. We are soliciting comment on whether this time-limited exclusion strikes the appropriate balance between ensuring individual access to an accounting of disclosures and preserving the integrity of law enforcement and oversight investigations.
We are proposing that the accounting of disclosures, including copies of signed authorization forms, be made available to the individual as quickly as the circumstances require, but not later than 30 days following receipt of the request.