Upon request, patients would get a chance to see a detailed report of who has accessed and viewed their electronic health records (EHRs) under a proposed privacy rule released by the Department of Health and Human Services on May 31.
Under current Health Insurance Portability and Accountability Act (HIPAA) rules, physicians, hospitals, health plans, and other healthcare organizations are required to track access to electronically protected health information. However, they currently are not required to share this information with patients.
If the proposed rule is approved, providers will be required to inform patients that they can request the detailed privacy report beginning Jan. 1, 2013, assuming the rule takes effect. The rule comes two weeks after audit reports by HHS's Office of the Inspector General criticized current federal efforts to enforce HIPAA security provisions.
The proposed privacy rule is divided into two separate rights for patients: The right to an access report includes information on who has accessed the electronic protected health information and for what purpose (such as treatment, payment, and healthcare operations). The right to an "accounting of disclosures" would provide additional information about whether the data was obtained through hard copy or electronically, and whether it was used for purposes, such as law enforcement, judicial proceedings and public health investigations.
"This proposed rule represents an important step in our continued efforts to promote accountability across the healthcare system, ensuring that providers properly safeguard private health information," HHS Office of Civil Rights Director Georgina Verdugo said in a statement. "We need to protect peoples' rights so that they know how their health information has been used or disclosed."
The proposed changes are in response to the HITECH Act, which called for a more complete accounting of disclosures of protected healthcare data than currently provided by HIPAA as providers and hospitals work to digitize health records and exchange patient data. HHS will take comments on the proposed rule until Aug 1.
HHS raises maximum HIPAA privacy fines to $1.5 million
Related Articles:OCR stepping up HIPAA privacy, security enforcement