HIPAA Update: New Proposed HIPAA Accounting Rules and KPMG Audit Protocol Contract
2011 has brought renewed focus on HIPAA compliance and enforcement. In February, the Department of Health and Human Service’s Office for Civil Rights (OCR) announced significant HIPAA penalties and monetary settlements of alleged HIPAA violations. On May 31, 2011, OCR issued proposed rules implementing portions of the Health Information Technology for Economic and Clinical Health Act (the HITECH Act). On June 10, 2011, the Department of Health and Human Services (HHS) awarded a contract to KPMG relating to HIPAA.
Proposed Rules
On or before August 1, 2011, members of the public are invited to submit comments regarding the OCR’s proposed rules issued on May 31, 2011. The proposal surprised many in the health industry. The HITECH Act, among other things, included a requirement that covered entities provide patients with an accounting of most disclosures from an electronic health record when patients make such a request. Prior to the HITECH Act, these accounting disclosures did not need to include disclosures for treatment, payment, or healthcare operations purposes. The HITECH Act requires that, after certain compliance dates, those disclosures be included in the accounting.
Some covered entities, such as health plans, may not have been concerned about the expanded accounting requirement if they took the position that the records they maintained were not “electronic health records.” The HITECH Act defines an electronic health record as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.” The proposed rules make the definition of an electronic health record less relevant for accounting purposes, however, because the rules go beyond the HITECH Act’s mandate to add a new requirement. Under the rules, if promulgated in their proposed form, individuals will have a new right to receive a “written access report.” This report will let individuals know who has accessed their protected health information held in an “electronic designated record set.” Under the proposal, covered entities and business associates would have to maintain, for at least three years, a record of the date and time information was accessed, as well as the name of the natural person or entity accessing the electronic designated record set.
Designated Record Set
The expanded requirements under the proposed rules hinge largely on the definition of a “designated record set.” Information in a designated record set will have to be stored in a way that allows a covered entity or business associate to identify who has accessed a particular patient’s information and when that person viewed the record. The current HIPAA rules define a designated record set as “a group of records maintained by or for a covered entity that is (i) [t]he medical records and billing records about individuals maintained by or for a covered health care provider; (ii) [t]he enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) [u]sed, in whole or in part, by or for the covered entity to make decisions about individuals.” A “record” is “any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.”
The existing HIPAA rules require covered entities to document the designated record sets. This documentation requirement, and careful consideration of what records are and are not included in a designated record set, will become critical if the rules are finalized as proposed. Covered entities will need to have a reliable method to capture and store the very detailed data that will have to be included in the accounting.
OCR notes, in the preamble to the proposed rules, that some covered entities report receiving very few or no accounting requests. OCR seems to attribute that to the fact that the information included in an accounting may not be of interest to patients, hence the need for the broader access report.
KPMG to Conduct Audits
KPMG will be conducting HIPAA compliance audits on behalf of the federal government. A synopsis of the KPMG contract, posted on www.fbo.gov, indicates that the “protocol and audit program performance requested under this contract shall assist OCR in operating an audit program that effectively implements the statutory requirement to audit covered entity and business associate compliance with the HIPAA privacy and security standards as amended by ARRA.” The contractor will be required to develop an audit protocol and then conduct site visits with entities. These site visits will “include interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director).” They will also include “examination of physical features and operations; consistency of process to policy; observation of compliance with regulatory requirements.” The contractor must also submit an audit report noting best practices and including specific recommendations for actions the audited entity can take to address identified compliance problems. According to the contract synopsis, “[t]he government anticipates completing 150 audits of entities varying in size and scope.”
Next Steps
In light of these new HIPAA-related developments, now is an excellent time for covered entities and their business associates to review and update their HIPAA compliance efforts. Business associates should ensure that they have policies and procedures in place that enable full compliance with business associate agreements and HITECH Act provisions. Covered entities should review their existing compliance programs to determine whether revisions, additional training, or other actions are needed to bring the organization into compliance.