[ Wednesday, June 01, 2011 ]
The Accounting Rule: As you can tell from the posts yesterday, I've been busy and am trying to clear up the backlog. As I noted Friday
, HHS has released a revised rule relating to how covered entities (and business associates) must account for disclosures of PHI. I was busy over the weekend graduating my eldest daughter from high school, so with ceremonies and parties and out of town guests, I didn't have a chance to read the rule, but I started in on it yesterday. I have read most of the commentary to the rule and will have a more in-depth analysis later. But it is a pretty dramatic change. There's press on it here
There are two components now, an accounting of disclosures and an access report. The accounting involves cataloguing (i) a set group of disclosures (ii) of all PHI (electronic or paper) that (iii) is maintained in a designated record set (iv) over the preceding 3 years. The access report involves cataloguing (i) any access to ePHI (not including paper PHI, but including ePHI in an EHR or in any other system or condition), (ii) regardless of whether the access is for a use or a disclosure, (iii) out of a designated record set (iv) for any purpose (v) over the preceding 3 years.
This really has a similar feel to the way the original Privacy Rule dealt with "health plans" as if they are separate legal entities (when most are not): it's as if HHS doesn't really know how hospitals and medical practices use and store ePHI.
More to come, I promise.
Jeff [10:27 AM]
Blogger: HIPAA Blog - Edit your Template