The proposed rule would explicitly list disclosures that are subject to accounting requirements. It differs from the previous approach, which listed disclosures that are not subject to accounting but that should still be recorded. In addition to this, the rule would also require companies to keep records of the financial information they disclose to the public. Listed disclosures are the type of information that investors and regulators typically want to know about. The accounting requirement for these disclosures would only apply to companies that provide financial information to the public.
The HITECH Act included the right to receive a full accounting for any disclosures made to or received through an electronic health information exchange. The accounting requirement would also include a description of the purpose for making the disclosure. It would also require companies to report to HHS if they had used an EHR or another electronic system to make the disclosure. As such, the new accounting requirement would apply to business associates, covered entities, and other HHS-required entities.
A few commenters felt that the inclusion of the purpose of the disclosure was necessary to make the accounting meaningful. In fact, the RFI specifically asked for an explanation of why the agency made a disclosure, but anecdotal reports suggest that the purpose of the disclosure is less relevant in many cases. Nonetheless, individuals generally want to know who accessed the information they provided. Therefore, the RFI was a welcome step in the right direction.
In response to the proposed rule, some commenters suggested that disclosures made without a signed authorization should not be subject to accounting. Others argued that this right does not extend to other types of disclosures, such as research or registries. However, the proposed rule should specify whether or not the disclosures are intended to result in the physical release of a patient’s medical records. This requirement will help consumers determine whether or not the disclosures are meaningful to them.
The covered entity must provide an individual with a copy of the written request that made the disclosure. This copy is important for the individual to have a better understanding of the circumstances surrounding a disclosure. Further, the disclosure of information related to communicable diseases is a legitimate way to protect patient confidentiality. The Department of Health and Human Services should carefully balance the oversight function with the burden placed on the entity. By including authorized disclosures in the accounting, covered entities will still be able to monitor compliance with the disclosure requirements.
The proposed rule would also change the reporting period. Currently, covered entities must account for disclosures within three years. This period would be reduced from six to three years. In addition, this new accounting provision will be applicable to electronic protected health information as well as designated record sets. It also changes the types of disclosures that are subject to accounting. By clarifying the accounting requirements, the new regulations would simplify the entire process. The proposed rule would be the first major change that would improve the privacy of health information.