Proposed HIPAA Reporting Requirement May Lead to Increased Compliance Costs and Enforcement Action


Recently posted in the National Law Review: an article by Nancy C. Brower and Elizabeth H. Johnson of Poyner Spruill LLP about HHS’ notice of proposed rulemaking (NPRM) that would allow individuals to obtain an “access report” from HIPAA covered entities.

On May 31, 2011, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) that would allow individuals to obtain an “access report” from HIPAA covered entities reporting virtually every instance of access to their electronic protected health information (ePHI), including all access by individual employees. The proposed access report must reflect the full name of every person or entity that accessed an individual’s ePHI (if maintained in a designated record set) in the prior three years.


An express purpose of this proposal is to allow individuals to identify situations in which a member of a covered entity’s workforce inappropriately accessed their ePHI. Individuals can then file a complaint with the OCR claiming improper employee access to ePHI.

In a recent case, the OCR entered into a $865,000 settlement with the University of California at Los Angeles Health Systems (UCLAHS) after investigating celebrity complaints of potential inappropriate ePHI access by UCLAHS employees. The investigation led to OCR allegations that UCLAHS employees repeatedly accessed ePHI of many patients, including several celebrity patients, when they did not have any job-related need to access the data, and that UCLAHS failed to implement security controls to reduce the risk of impermissible access, failed to provide Security Rule training, and failed to apply appropriate sanctions against workforce members who violated UCLAHS policies and procedures.


In the NPRM, OCR stated that it believes the degree of access logging required for the new access report is already being captured and stored by covered entities’ electronic information systems, because OCR interprets HIPAA’s audit controls standard (45 C.F.R. § 164.312(b)) and the information system activity review implementation specification (45 C.F.R. § 164.308(a)(1)(ii)(D)) to require that all such access be logged, including “view” or “read only” access. However, this interpretation of the Security Rule is much broader than many had believed, and the NPRM has already drawn criticism as a result. If the new rule is implemented as proposed, many covered entities will incur significant unexpected costs related to systems modifications, data storage (access logs must be retained for three years), training, privacy notice revision and redistribution, and response to individual requests.


Business associates will have to undertake a similar degree of implementation to provide covered entities with the access logs relevant to the access report, and covered entities will need to consider updating their business associate agreements to reflect this requirement. Individual privacy complaints filed with covered entities and OCR may well increase if this new rule is adopted, either because covered entities will fail to provide the access report completely or on time, or because individuals reviewing their access report will find real or (more likely) perceived cases of inappropriate access to their records.

© 2011 Poyner Spruill LLP. All rights reserved.

Published by

National Law Forum