HHS is proposing to expand the HIPAA accounting provisions to provide individuals “with the right to receive an access report indicating who has accessed electronic protected health information”, the notice of proposed rulemaking said.
The department is making the change to the HIPAA privacy rule to implement the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009.
“This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information. We need to protect peoples’ rights so that they know how their health information has been used or disclosed”, said Georgina Verdugo, director of the HHS Office of Civil Rights.
Although healthcare organizations are required by HIPAA to track access to electronic protected health information, they are not currently required to share this information with patients, HHS explained.
“The proposed rule requires an accounting of more detailed information for certain disclosures that are most likely to affect a person’s rights or interests. The proposed changes to the accounting requirements provide information of value to individuals while placing a reasonable burden on covered entities and business associates”, the department said.
Comments on the proposed rule are due August 1, 2011.