In this rule, we propose that individuals have a right to receive an accounting of all instances where protected health information about them is disclosed by a covered entity for purposes other than treatment, payment, and health care operations, subject to certain time-limited exceptions for disclosures to law enforcement and oversight agencies as discussed below. Providing such an accounting would allow individuals to understand how their health information is shared beyond the basic purposes of treatment, payment and health care operations.
We considered whether to require covered entities to account for all disclosures, including those for treatment, payment and health care operations. We rejected this approach because it would be burdensome and because it would not focus on the disclosures of most interest to individuals. Upon entering the health care system, individuals are generally aware that their information will be used and shared for the purpose of treatment, payment and health care operations. They have the greatest interest in an accounting of circumstances where the information was disclosed for other purposes that are less easy to anticipate. For example, an individual might not anticipate that his or her information would be shared with a university for a research project, or would be requested by a law enforcement agency.
We are not proposing that covered entities include uses and disclosures for treatment, payment and health care operations in the accounting. We believe that it is appropriate for covered entities to monitor all uses and disclosures for treatment, payment and health care operations, and they would be required to do so for electronically maintained information by the Security Standard. However, we do not believe that covered entities should be required to provide an accounting of the uses and disclosures for treatment, payment and health care operations.
The proposed Security Standard would require that “[e]ach organization … put in place audit control mechanisms to record and examine system activity. They would be important so that the organization can identify suspect data access activities, assess its security program, and respond to potential weaknesses.” The purpose of the audit control mechanism, or audit trail, in the Security Standard would be to provide a means for the covered entity to police access to the protected health information maintained in its systems. By contrast, the purpose of the accounting would be to provide a means for individuals to know how the covered entity is disclosing protected health information about them. An audit trail is critical to maintaining security within the entity, and it could be constructed in such a way as to enable the covered plan or provider to satisfy the requirements of both regulations. For example, every time protected health information was used or disclosed, the audit mechanism could prompt the user for a “purpose.” If the disclosure was for a purpose other than treatment, payment or health care operations, then the information could be flagged or copied into a separate database. This would allow the entity to both monitor security and have the ability to provide an accurate accounting upon request.
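The following is an added illustration, not part of the proposed rule, of the dual-purpose audit design sketched above: every use or disclosure is written to the full audit trail with a mandatory purpose, and any entry whose purpose falls outside treatment, payment and health care operations is also copied into a separate store from which an individual's accounting can be produced. All patient identifiers, recipients and dates are constructed sample values; the class and function names are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Purposes the proposed rule treats as routine: disclosures for these are
# still audited (the Security Standard requires it) but are not included
# in the accounting provided to the individual.
ROUTINE_PURPOSES = frozenset({"treatment", "payment", "health care operations"})


def is_routine(purpose: str) -> bool:
    """True if the purpose is treatment, payment or health care operations."""
    return purpose.strip().lower() in ROUTINE_PURPOSES


@dataclass(frozen=True)
class AuditEntry:
    """One recorded use or disclosure of protected health information."""
    timestamp: datetime
    patient_id: str
    recipient: str      # who received the information
    purpose: str        # the "purpose" the audit mechanism prompted for
    description: str    # what was disclosed


class DisclosureAudit:
    """Audit trail that also feeds a separate store of accountable disclosures."""

    def __init__(self) -> None:
        self._trail: List[AuditEntry] = []        # every use or disclosure (security review)
        self._accountable: List[AuditEntry] = []  # non-routine disclosures (individual's accounting)

    def record(self, entry: AuditEntry) -> None:
        """Log an entry; the purpose is mandatory so nothing escapes classification."""
        if not entry.purpose.strip():
            raise ValueError("a purpose must be recorded for every use or disclosure")
        self._trail.append(entry)
        # Flag anything outside treatment/payment/operations for the accounting.
        if not is_routine(entry.purpose):
            self._accountable.append(entry)

    def full_audit_trail(self, patient_id: Optional[str] = None) -> List[AuditEntry]:
        """Complete trail, for the entity's own security monitoring."""
        entries = self._trail if patient_id is None else [
            e for e in self._trail if e.patient_id == patient_id
        ]
        return sorted(entries, key=lambda e: e.timestamp)

    def accounting_of_disclosures(self, patient_id: str) -> List[AuditEntry]:
        """What the individual may request: non-routine disclosures about them."""
        return sorted(
            (e for e in self._accountable if e.patient_id == patient_id),
            key=lambda e: e.timestamp,
        )


def build_sample_audit() -> DisclosureAudit:
    """Constructed sample data (hypothetical patients, recipients and dates)."""
    audit = DisclosureAudit()
    sample = [
        AuditEntry(datetime(2024, 3, 1, 9, 0), "P-001", "Dr. Example (cardiology)", "treatment", "referral summary"),
        AuditEntry(datetime(2024, 3, 2, 10, 30), "P-001", "Example Health Plan", "payment", "claim with diagnosis codes"),
        AuditEntry(datetime(2024, 3, 5, 14, 15), "P-001", "Example University", "research", "record extract for approved study"),
        AuditEntry(datetime(2024, 3, 9, 16, 45), "P-001", "County Sheriff's Office", "law enforcement", "response to written request"),
        AuditEntry(datetime(2024, 3, 9, 17, 0), "P-002", "Example University", "research", "record extract for approved study"),
        AuditEntry(datetime(2024, 3, 10, 8, 0), "P-001", "Internal quality committee", "Health Care Operations", "chart review"),
    ]
    for entry in sample:
        audit.record(entry)
    return audit


if __name__ == "__main__":
    audit = build_sample_audit()
    print("Full trail for P-001:", len(audit.full_audit_trail("P-001")), "entries")
    for e in audit.accounting_of_disclosures("P-001"):
        print(f"{e.timestamp:%Y-%m-%d}  {e.recipient:<28} {e.purpose:<16} {e.description}")
```

The purpose is captured at the moment of disclosure rather than reconstructed later, so the separate store stays accurate without re-reading the full trail, and the routine-purpose check is case-insensitive so that free-text entries such as "Health Care Operations" are classified correctly.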
Covered entities should know how all protected health information is used and disclosed, but should not be required to provide an exhaustive accounting of all uses and disclosures to individuals upon request. Such an accounting could be extremely long and detailed. It would place a tremendous burden on the covered entities and it could be far too detailed to adequately inform the individual. We determined that when individuals seek health care, they understand that information about them will be used and disclosed in order to provide treatment or obtain payment and therefore, they would have the most significant interest in knowing how protected health information was used and disclosed beyond the expected realm of treatment, payment and health care operations. We are soliciting comment on whether the scope of accounting strikes an appropriate balance between providing information to the individual and imposing requirements on covered entities.
We are proposing that covered entities be required to provide an accounting of disclosures for as long as the entity maintains the protected health information. We considered only requiring the accounting for a specified period of time, but concluded that individuals should be permitted to learn how their information was disclosed for as long as the information is maintained by the covered plan or provider. We are soliciting comments on whether we should include a specific time period in this proposed rule.