The Department of Health and Human Services (HHS) proposes to expand the Health Insurance Portability and Accountability (HIPAA) privacy rule through its new amendment which provides that a patient should be allowed to receive a report on individuals and organizations that have accessed his or her electronic medical records. At present, the healthcare organizations are required by HIPAA to track access to electronic protected health information, but they are not currently required to share this information with patients.
The notice of proposed rulemaking from HHS states that HIPAA accounting provisions should be expanded to provide individuals “with the right to receive an access report indicating who has accessed electronic protected health information”.
The department is making the change to the HIPAA privacy rule to implement the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009.
“This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information. We need to protect peoples’ rights so that they know how their health information has been used or disclosed”, said Georgina Verdugo, director of the HHS Office of Civil Rights.
“The proposed rule requires an accounting of more detailed information for certain disclosures that are most likely to affect a person’s rights or interests. The proposed changes to the accounting requirements provide information of value to individuals while placing a reasonable burden on covered entities and business associates”, the HHS department said.
Comments on the proposed rule are due August 1, 2011.