This article discusses a HITECH Act compliance ticking time bomb known as "Accounting of Disclosures" of PHI and that we prefer to call "Accounting for Disclosures" of PHI or "A4D" for short. Specifically, this article focuses on the "As Is" state of A4D as embodied in Privacy Rule section 164.528 and the implications of HITECH Act section 13405(c) on HHS' proposed A4D rule. HHS' proposed rule has been hotly debated and is long past due in its final form.
The "As Is" Rule?
The current rule reads in part as follows:
Accounting of disclosures of PHI.
(a) Standard: Right to an accounting of disclosures of protected health information
(1) An individual has a right to receive an accounting of disclosures of PHI made by a CE in the six years prior to the date on which the accounting is requested, except for disclosures (paraphrasing): for TPO; regarding PHI about the individual; incident to; etc.
In short, the current rule provides a right to an accounting except for a long list of exceptions. But what exactly is an accounting? Well as the word "accounting" suggests it means providing the patient information about all instances where his/her PHI has been disclosed to third party regardless of what information system's audit log contains it. Moreover, the accounting requires that certain specific information regarding the disclosure be provided for each separate instance. The definition of "disclosure" is as follows:
Disclosure: "means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information."
Notice that the definition itself does not address the issue of what entities outside the organization are included or excluded in the A4D. That is addressed in 164.528(a)(1) as discussed above.
HITECH ACT 13405(c)?
HITECH Act section 13405(c) changed 164.528(a)(1) in some important ways. This section states in relevant part as follows:
(c) Accounting of Certain Protected Health Information Disclosures Required if Covered Entity Uses Electronic Health Record.-
''(1) In General.-In applying section 164.528 of title 45, Code of Federal Regulations, in the case that a covered entity uses or maintains an electronic health record with respect to protected health information-
''(A) the exception under paragraph (a)(1)(i) of such section shall not apply to disclosures through an electronic health record made by such entity of such information; and
''(B) an individual shall have a right to receive an accounting of disclosures described in such paragraph of such information made by such covered entity during only the three years prior to the date on which the accounting is requested.
In essence what the HITECH Act does is remove the TPO (i.e. treatment, payment, and operations) exception from the A4D and reduces the time frame of disclosures available from six years down to three, but only where the CE is using an EHR.
Because TPO disclosures make up the lion's share of disclosures, this change dramatically increases the potential number of disclosures to be accounted for, together with the corresponding administrative burden.