On May 31, the U.S. Department of Health & Human Services released a proposed change to the HIPAA Privacy Rule. The proposed rule would give people the right to get a report on who has electronically accessed their protected health information (PHI).
HHS’ Office of Civil Rights (OCR) proposed the change.
HIPAA covered entities are currently required by the Security Rule to track access to electronic PHI, but they are not required to share that information with people. Under the changed Privacy Rule, people could request an access report, which would document in detail who electronically accessed and viewed their PHI.
According to HHS, the accounting requirement pertains to disclosures that are most likely to affect a person’s rights or interests.
“This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information,” said OCR Director Georgina Verdugo. “We need to protect peoples’ rights so that they know how their health information has been used or disclosed.”
According to the website of Information Law Group, the proposed regulations would require covered entities to generate, upon request, an access report from access log data, which is collected by electronic record systems each time a user accesses PHI. Access reports would detail the access by covered entities as well as business associates. The group added that the proposed rule requires covered entities and business associates to retain access logs for no less than three years so that access reports can document access to an individual’s health information for the three years prior to the individual’s request for the report.
Interested parties can submit comments on the proposed rule through Aug. 1.



