The Department of Health & Human Services (HHS) Friday, May 27, published a HITECH-required proposed rule on accounting of disclosures of EHRs.
The rule will ultimately lay the foundation for what healthcare providers will be accountable for when patients request disclosures on their electronic medical records. HITECH expands an individual’s right to request accounts on disclosures of his/her health record.
It also includes a new right for patients to request an “access report,” which will tell patients who exactly accessed and viewed their PHI. This right was not included in HITECH.
“We believe that these changes to the accounting requirements will provide information of value to individuals while placing a reasonable burden on covered entities and business associates,” according to HHS in the proposed rule. “The process of creating a full accounting of disclosures is generally a manual, expensive, and time consuming process for covered entities and business associates.”
The Office for Civil Rights (OCR), the enforcer of the HIPAA privacy and security rules, in May 2010 published a notice  in the Federal Register asking for help crafting this proposed rule on accounting of disclosures on EHRs.
OCR wrote that it wanted to “better understand the interests of individuals with respect to learning of such disclosures, the administrative burden on covered entities and business associates of accounting for such disclosures, and other information that may inform [our] rulemaking in this area.”
Current law exempts disclosures to carry out treatment, payment and healthcare operations. But HITECH changed that, allowing patients to request these types of disclosures through an EHR.