Comments of the Privacy Rights Clearinghouse
Department of Health and Human Services
HIPAA Privacy Rule Accounting of Disclosures Under the
HITECH Act
Notice of Proposed Rulemaking
RIN: 0991-AB62
Submitted August 1, 2011
I. Background
II. General Statements
III. Responses to Requests for Comment
IV. Conclusion
The Privacy Rights Clearinghouse (PRC) respectfully submits the following comments to the Department of Health and Human Services Office for Civil Rights (OCR) in response to its call for public comment in its Notice of Proposed Rulemaking (NPRM): Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).[1]
I. Background
The PRC is a nonprofit organization, established in 1992 and located in San Diego, California.[2] Our mission is two-part: consumer education and consumer advocacy. We advise consumers on a variety of informational privacy issues, including medical privacy, and have published more than 50 Fact Sheets providing practical information consumers may employ to safeguard their personal information. We invite individuals to contact the organization with their privacy-related questions, concerns and complaints. Our advocacy efforts are in large part shaped by these interactions.
II. General Statements
The NPRM proposes revising existing section 164.528(a) of the HIPAA Privacy Rule concerning an individual’s right to an accounting of disclosures. It also proposes adding 164.528(b) to provide individuals with the right to an access report detailing the date, time and name of anyone within a covered entity or business associate accessing electronic protected health information in a designated record set. One purpose of the proposed revisions is to implement section 13405(c) of the HITECH Act which requires covered entities to account for disclosures of protected health information through an electronic health record (EHR)[3] for treatment, payment and health care operations.[4] OCR further proposes to give individuals the right to obtain an access report so that they are able to receive a more complete accounting of internal uses of their protected health information.[5] The PRC regularly receives HIPAA-related inquiries from individual consumers. Therefore, our comments below focus primarily on the proposed rule’s impact on consumer privacy.
III. Responses to Requests for Comment
A. Accounting of Disclosures of Protected Health Information—Section 164.528(a)
1. Right to an Accounting of Disclosures
Proposal to limit the accounting requirement to protected health information in a designated record set and potential consequences on the privacy interests of the individual.[6]
Under the current regulations, individuals are able to receive an accounting of applicable disclosures regardless of where the information is located. OCR proposes to limit the accounting to information located in a designated record set.[7] In the NPRM, OCR consistently states that the requirements regarding accountings of disclosures should focus on providing information that is likely to impact an individual’s personal and legal interests while taking the administrative burden on covered entities into account.[8]
The NPRM states that protected health information outside the designated record set would remain fully protected by the Privacy Rule, and that electronic protected health information would remain protected by the Security Rule. It further notes that the Breach Notification Rule continues to apply to all protected health information in any form wherever it exists.[9] While the information may technically continue to be protected under other provisions, the PRC believes that the right to a more comprehensive accounting of disclosures instills a level of accountability and trust that diminishes as the amount of relevant information available to individuals in an accounting is reduced.
OCR requests comment on the issue of whether there is a need for accounting of disclosures beyond three years.[10]
Under the current HIPAA Privacy Rule, an individual has a right to receive an accounting of the disclosures of protected health information made during the six-year period prior to the individual’s request.[11] OCR proposes reducing this to three years and cites as its reason an interest in maintaining consistency with section 13405(c)(1)(B) of the HITECH Act. Section 13405(c)(1)(B) specifies that an individual may receive a three-year accounting of disclosures through an EHR of personal health information for treatment, payment, and health care operations.[12] We are aware that there may be administrative burdens associated with section 13405(c)(1)(B)’s three-year requirement as opposed to the HIPAA Privacy Rule’s six-year requirement. However, we believe that the legal and personal interests of individuals are significantly hampered by the proposed three year reduction in the accounting period for disclosures that do not fall under HITECH section 13405(c)(1)(B).
One concern we have with the three-year accounting period reduction regards the current six-year statute of limitations for civil penalties imposed by the Secretary.[13] De-harmonizing the accounting period and the statute of limitation for imposing civil penalties could adversely affect HHS’ enforcement capabilities and effectiveness. Consumer complaints to HHS provide a source of information that can play a role in opening an investigation or bringing an action against a covered entity. Limiting the accounting to three years from the date of request may mean that an individual is not able to discover an abuse that could still be subject to enforcement by civil penalty by HHS.
Also, while the NPRM states that individuals who request an accounting of disclosures are generally interested in learning of more recent disclosures,[14] we believe a better characterization is that individuals generally seek an accounting when the need arises. Some individuals require a more historic picture of disclosures. For instance, the PRC has received inquiries from individuals seeking information about disclosures regarding divorce, custody, criminal and other legal actions and proceedings. Three years is a relatively short period of time when it comes to judicial processes, law enforcement, and administrative proceedings. OCR clearly recognizes an individual’s legal and personal interest in receiving these disclosures,[15] and therefore should recognize the benefit of a six-year accounting period over the proposed three year period.
OCR requests comment on the benefits to individuals associated with also receiving an accounting of disclosures that includes information provided in accordance with the breach notification requirement.[16]
Depending on a security breach’s specific characteristics, an individual may receive notification from a covered entity via mail, e-mail, or various forms of substitute notice.[17] The NPRM proposes that covered entities not be required to account for security breaches that the covered entity has already been required to provide notice of. We do not agree with this proposal, and believe it is would be both confusing and detrimental to individuals if breaches were removed from an accounting.
The impermissible disclosures with the most serious potential consequences are those subject to the breach notification requirement. It makes no sense to exclude breaches from disclosure accountings under the assumption that breach notification requirements ensure actual notice to each individual. There is no realistic way to ever verify that all individuals actually receive notice of the breach. Therefore, including disclosures that constitute breach in an accounting furthers OCR’s stated intent of providing “full accounting” for the “disclosures that are most likely to impact the individual.”[18]
Exempt reports of child abuse and neglect from accounting requirement for public health disclosures—Proposed 45 CFR 164.528(a)(1)(i)(A)[19]
OCR proposes to except from the accountings disclosures to public health or other government authorities involving reports of child abuse and neglect as permitted under 164.512(b)(1)(ii).[20] The PRC supports the proposed exception for the same reasons set forth in the NPRM, namely that a covered entity or its employees may suffer harms and retribution when having to account to a parent or guardian who may be suspected of abuse or neglect (if the disclosure is not required by law). Covered entities and their employees should not be discouraged from disclosing such information about minors.
OCR requests comment on whether the Department should exempt from the accounting requirements certain categories of disclosures that are currently subject to the accounting.[21]
OCR specifically proposes the possibility of exempting from the accounting requirements the following categories of disclosures that are currently subject to the accounting: accountings related to disclosures of adult abuse, neglect, or domestic violence; disclosures for health oversight activities; certain disclosures regarding decedents; disclosures for protective services for the President and others; certain disclosures for research purposes; and most disclosures required by law. [22]
We oppose any changes to the rules regarding the above disclosures. As additional categories of disclosures are exempted from the accounting requirement, an accounting of disclosures loses its value to individuals. Individuals should be entitled to as comprehensive an accounting of disclosures as possible so that they may have access to an accurate picture of disclosures made over the course of a period of time. Most versions of Fair Information Practices (FIPs) incorporate the principles of openness, transparency, and accountability.[23] These principles are important to ensure that individuals have confidence in the covered entities that handle their sensitive health information, and to maintain a level of transparency as well as accountability for unauthorized disclosures.
The NPRM raises the concerns that accountings may contain an overload of information and place an undue administrative burden on covered entities and business associates. We believe that OCR’s proposal to require covered entities to provide individuals the option of limiting the accounting to a particular time period, type of disclosure, or recipient offers a valid option to reduce each concern.[24] Also, the fact that one accounting per year from a covered entity will be free and subsequent accountings may be subject to cost should deter individuals from requesting them for frivolous purposes.
Note also that according to the NPRM, many covered entities state they receive few if any requests for such accountings. In our experience this is not a testament to the value of such accountings, but to the fact that individuals request an accounting when the need arises or when they are suspicious of an unauthorized disclosure.[25] This also speaks to the administrative burden of the current and proposed rules. Because individuals do not typically monitor disclosures of their protected health information the way they do for credit reports, but request them on a rare situation-specific basis, the administrative burden should in theory remain relatively low. Rather than attempting to predetermine which disclosures will be meaningful to individuals, the accountings will hold the most value if they are able to provide individuals with information on a wide range of disclosures.
2. Content and Provision of the Accounting—Proposed §164.528(a)(2)-(3)
OCR proposes changing certain requirements regarding the content of the accounting. The PRC supports the proposal to give individuals the option to limit the accounting to a particular time period, type of disclosure, or recipient. We also support the proposal to shorten the 60-day deadline to provide the accounting to 30 days.
B. Right to an Access Report—Proposed §164.528(b)
OCR proposes to expand the current accounting provisions to provide individuals with a right to receive an access report showing who has accessed their electronic protected health information in a designated record set for up to a three year period prior to the date the report is requested. [26] An access report would indicate who within a covered entity or business associate’s workforce has accessed the electronic protected health information, and would provide individuals a more complete knowledge of the internal uses of their information.[27]
Individuals place significant trust in employees of covered entities who have access to their sensitive medical information. Despite the trust individuals place in the employees of covered entities and their business associates, there have been numerous reports of abuses including, for instance, employees accessing and disclosing celebrity medical information for personal profit.[28] The PRC has also heard from individuals who fear or have encountered similar abuses committed by relatives, ex-relatives, or an intrusive acquaintance with access to health information.
As proposed, this rule could have a significant impact in combating employee abuses involving access to and use of medical information. We therefore believe that the right to an access report will be an important and valuable tool to improve transparency and accountability, and therefore foster patient privacy and trust in covered entities and their business associates.
1. Content of the Access Report—Proposed § 164.528(b)(2)
The NPRM states that an access report would include: date of access; time of access; name of natural person, if available, otherwise the name of the entity; description of what information was accessed, if available; a description of the action by the user (for example, this would consist of create, modify, access, delete).[29] We also believe it would be beneficial to individuals as well as covered entities and their business associates to list the department, if feasible, where the access was made.
OCR is further proposing that the covered entity provide the access report in a format that is understandable to individuals without an external aid. We fully support the concept of providing individuals with a readable format.[30] In the interest of providing a clear and valuable access report, we also fully support OCR’s proposal that the covered entity’s access report include uses and disclosures by business associates of electronic designated record set information maintained by the business associates rather than merely providing a listing of business associates.
Request for comment concerning internal exchanges of information, the importance of information about what protected health information was accessed, and the importance of including a description of the purpose of the access in the access report.[31]
OCR requests comment on the issue of whether individuals have an interest in learning of internal exchanges of information between electronic designated record set systems, and the importance of knowing what information was accessed and for what purpose. For the reasons stated above, namely fostering transparency and accountability, we believe covered entities should offer individuals the option to receive as much information in an access report as is feasible within the particular electronic designated record set systems.
Under the proposed rules, access reports would not contain information on the purpose of the access.[32] Of the three categories OCR requests comment on, we believe that this would be not only of most benefit to individuals interested in knowing why a certain person may have accessed their information, but also most effective from a deterrence standpoint. For example, an unauthorized employee with intent to report the contents of a public figure’s medical record for personal gain might be less inclined to access the record if he or she had to log a purpose for access in the system.
OCR requests comment on the conclusion it makes that the burden of generating access reports will be directly proportionate to the interests of individuals; if few individuals request access reports, then covered entities will rarely need to undertake the burden of generating an access report.[33]
The NPRM suggests that covered entities should be able to generate access reports since, in accordance with the HIPAA Security Rule, all electronic systems with designated record set information should be creating access logs with the requisite information for the proposed access reports.[34] Therefore, we believe it is reasonable for OCR to reach the conclusion that the burden will rest on generating the reports from the logs, and that the number of reports requested will likely be low and in response to a certain situation just like requests for accountings of disclosures. In fact, the existence of the right to an access report may itself prove to prevent some of the situations that would cause individuals to want a report by deterring the action and instilling trust.
IV. Conclusion
The PRC appreciates the opportunity to comment, and we direct our conclusions as follows. With respect to an individual’s right to an accounting of disclosures, OCR should consider the adverse impact of reducing the accounting to three years. OCR should also limit exemptions to the accounting rule as much as possible to provide individuals the most complete picture of how their information is disclosed, and consider any consequences that may arise from limiting the accounting to disclosures of information in a designated record set. PRC fully supports the proposal to give individuals the right to an access report and the fact that the report must be readable without external aid, and urges OCR to ensure that the report contains meaningful information.
Respectfully Submitted,
Beth Givens, Director
Meghan Bohn, Staff Attorney
Privacy Rights Clearinghouse
[1] Department of Health and Human Services, Notice of Proposed Rulemaking, 76 Fed Reg. 31426 (May 31, 2011), RIN 0991-AB62 (Docket ID HHS-OCR-2011-0011), available at http://www.regulations.gov/#!documentDetail;D=HHS-OCR-2011-0011-0001 [hereinafter NPRM].
[2] Privacy Rights Clearinghouse, www.privacyrights.org (last visited July 25, 2011).
[3] HITECH Act Section 13400 defines EHR as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.”
[4] HITECH Act § 13405(c) (Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (AARA), Pub. L 111-5).
[5] See NPRM supra note 1, at 31429, 31433.
[6] See id. at 31430.
[7] “Designated Record Set” is a group of records maintained by or for a covered entity that is: medical and billing records; enrollment, payment, claims adjudication and case or medical management record systems; or used by a covered entity to make decisions about individuals. See 45 CFR §164.501.
[8] See NPRM supra note 1, at 31429.
[9] Id. at 31430.
[10] Id.
[11] 45 CFR 164.528 (Privacy Rule). The Standards for Privacy of Individually Identifiable Health Information, 65 FR 82462, as amended at 67 FR 53182.
[12] Id. at 31430.
[13] See 45 CFR 160.414, available at http://edocket.access.gpo.gov/cfr_2007/octqtr/pdf/45cfr160.414.pdf (last visited July 26, 2011).
[14] See NPRM supra note 1, at 31430.
[15] See id. at 31431.
[16] Id.
[17] See Interim final rule, Breach Notification for Unsecured Protected Health Information 45 CFR § 160, 164, available at 74 Fed. Reg. 162, at 42740 et. seq., August 24, 2009, http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf (Implementing Section 13402 of the HITECH Act, part of the American Recovery and Reinvestment Act of 2009, enacted Feb. 17, 2009).
[18] NPRM supra note 1, at 31429.
[19] See NPRM supra note 1, at 31431.
[20] Id.
[21] Id. at 31432.
[22] Id. at 31432-34.
[23] See e.g. DHS FIPs, available at http://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf; Privacy Rights Clearinghouse, Review of the Fair Information Principles, https://www.privacyrights.org/ar/fairinfo.htm (last visited July 26, 2011).
[24] See NPRM supra note 1, at 31434.
[25] See e.g. Privacy Rights Clearinghouse, Disclosure Accounting: Comments Submitted to the U.S. Dept. of Health and Human Services, Office for Civil Rights re: Request for Information: Disclosure Accounting, RIN 0991-AB62 available at https://www.privacyrights.org/disclosure-accounting-comments.
[26] NPRM supra note 1, at 31448 (proposed 45 CFR 164.528(b)(1)).
[27] Id. at 31436.
[28] See e.g. Molly Hennessy-Fiske, UCLA hospitals to pay $865,500 for breaches of celebrities’ privacy, LA Times, July 8, 2011, http://www.latimes.com/news/local/la-me-celebrity-snooping-20110708,0,1018829.story (last visited Aug. 1, 2011).
[29] See NPRM supra note 1, at 31438 (proposed 45 CFR 164.528(b)(2)).
[30] See id. at 31440 (proposed 45 CFR 164.528(b)(2)(iii)).
[31] See NPRM supra note 1, at 31438-39.
[32] Id. at 31429.
[33] Id. at 31439.
[34] See id. at 31437 (citing §164.308 and § 164.312 of the HIPAA Security Rule).