Home Health & Hospice Week

Your HIPAA headaches will multiply under a new proposed rule on PHI access.

A new Department of Health and Human Services proposed rule, published in the May 31 Federal Register, would require you to offer patients a way to combat the growing concern of medical records privacy, by issuing them an "access report." The report would list the specific people who electronically viewed their protected health information (PHI).

The HIPAA Security Rule already requires covered entities to track access to patients' electronic PHI, but does not currently require them to share that information with the patients. Now the proposal suggests offering the patients an annual listing of the records. It would include every instance of access to the patient's PHI -- including legitimate reviews for reasons of treatment and payment -- as well as other instances. It won't, however, provide information about why the person accessed the records.

"This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information," says HHS Office for Civil Rights Director Georgina Verdugo in a statement. "We need to protect peoples' rights so that they know how their health information has been used or disclosed."

HHS proposes instituting the right to access reports beginning on Jan. 1, 2013 for electronic designated record set systems acquired after Jan. 1, 2009, and beginning the following year for record set systems acquired as of Jan. 1, 2009.