HHS seeks comments on health data disclosures

The Department of Health and Human Services and the Office of Civil Rights issued a request for information Monday on the HIPAA privacy rule that governs the accounting of disclosures under the American Recovery and Reinvestment Act (ARRA).

ARRA mandates that HHS revise the HIPAA privacy rule to require covered entities to account for disclosures of protected health information for treatment, payment, and healthcare operations "if such disclosures are through an electronic health record."

In the May 3 Federal Register, HHS called for providers to inform the agency on the administrative burdens this would place on them and "other information that may inform the Department's rulemaking in this area."

Comments are due by May 18. HHS officials said they would like to receive comments from all stakeholders, especially from individuals, consumer advocates, groups, and vendors.

The request for information included a list of questions from HHS. Among them are:

  • What are the benefits to the individual of an accounting of disclosures, particularly of disclosures made for treatment, payment, and healthcare operations purposes?
  • Are individuals aware of their current right to receive an accounting of disclosures? On what do you base this assessment?
  • If you are a covered entity, how do you make clear to individuals their right to receive an accounting of disclosures? How many requests for an accounting have you received from individuals?
  • For individuals that have received an accounting of disclosures, did the accounting provide the individual with the information he or she was seeking? Are you aware of how individuals use this information once obtained?
  • Should an accounting for disclosures include who asked for the disclosure and why?
  • How important is it for individuals to know the specific purpose of a disclosure? Would it be sufficient to describe the purpose generally or is more detail necessary for the accounting to be of value?
  • To what extent are individuals familiar with the different activities that may constitute "healthcare operations?" On what do you base this assessment?

The request for information includes more than 10 questions for vendors, including one inquiring whether a vendor's system is able to distinguish between "uses" and "disclosures" as those terms are defined under the HIPAA Privacy Rule.

Is this story relevant to you?