Author Describes Disclosures Rule

Adam Greene Outlines Proposed Requirements

By , June 1, 2011.
Author Describes Disclosures Rule

Adam Greene, the primary author of the proposed accounting of disclosures rule mandated under the HITECH Act, describes its major provisions and offers advice on how to prepare.The Department of Health and Human Services' Office for Civil Rights, in its proposed rule, takes a two-pronged approach, explains Greene, who recently left the office to join a Washington law firm.

First, the proposed rule spells out revised HIPAA requirements to provide patients with an accounting of disclosures of protected health information to outside parties for certain purposes, such as law enforcement and public health, Greene says.

Second, the proposal requires providing patients, upon request, with "access reports" that summarize who electronically accessed their information, Greene explains. He says the rule attempts to address "What's the best way to get the information that individuals are most interested in, which is, who has seen their records?" He points out that under the proposed rule, a patient could simply ask whether a specific individual has electronically accessed their records, or they could ask for a complete list of everyone who has accessed them.

In an interview, Greene:

  • Describes how both provisions apply to designated record sets as defined by HIPAA. These record sets include medical records, billing records and "other information that may have been used to make decisions about treatment or payment."
  • Contends that if an organization already has system activity logs in place "it won't necessarily be a huge lift to comply with this rule." He acknowledges, however, that if larger organizations have many information systems that contain designated records sets, "There will be some burden on them to go through and create an aggregate report based on access reports from all these different systems."
  • Cautions against "spending huge resources to come into compliance with the content of the proposed rule" now because it could be changed once its finalized. "It's a good time, though, to look at your audit systems and make sure they are turned on," he stresses. And he advises healthcare organizations to document all of the information systems that contain designated record sets.

A veteran health law attorney, Greene until recently was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing HIPAA privacy and security rules as well as the breach notification rule. He was responsible for determining how HIPAA rules apply to new and emerging health information technologies and was instrumental in the development of the current enforcement process. In his new role as partner at Davis Wright Tremaine LLP in Washington, he specializes in HIPAA and HITECH Act issues.

Follow Howard Anderson on Twitter: @HealthInfoSec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Is FDA Medical Device Alert Tip of Iceberg?

A Food and Drug Administration warning regarding security vulnerabilities found in certain infusion...

Latest Tweets and Mentions

ARTICLE Is FDA Medical Device Alert Tip of Iceberg?

A Food and Drug Administration warning regarding security vulnerabilities found in certain infusion...

The ISMG Network