Healthcare Information Security

Cybersecurity News

Tiger Team reviews accounting of patient data disclosures

By Patrick Ouellette

- Yesterday’s HIT Policy Committee Privacy & Security Tiger Team meeting discussed the background of accounting of disclosures for patient data and brought forward prevalent topics for its Sept. 6 virtual hearing.

The Office of Civil Rights (OCR) had been investigating the accounting of disclosures issue and requested that the Tiger Team hold a hearing on the matter while getting feedback from various stakeholders. The Tiger team maintained that among its goals was to “explore realistic ways to provide patients with greater transparency about the uses and disclosures of their digital, identifiable health information.  Such exploration should also help facilitate implementation of the HITECH requirement that a patient’s right under the HIPAA Privacy Rule to an “accounting” of disclosures include disclosures for “treatment, payment and operations” when such disclosures are made through an EHR.”

The Tiger Team also rehashed the regulatory background of how the HITECH Act brought changes to accounting of disclosures provisions. The HIPAA Privacy Rule had previously required covered entities to make available, upon request, an accounting of certain disclosures of an individual’s PHI made during the six years prior to the request, but that number is now three years.

After receiving the feedback from a 2010 RFI (Nine questions were asked requesting information on potential benefits, burdens, awareness of rights, uses, information in the disclosures, technological capabilities and timing), the OCR released an NPRM to change the Privacy Rule’s Accounting of Disclosures requirement.  Patients would now have an accounting of disclosures and an “access report”, which must contain the following:

- Date and time of access

- Name of person or entity accessing PHI

- Description of information and user action (creation, modification, deletion).

Since OCR did not address accounting of disclosures in the final HIPAA Omnibus Rule and ONC counted them as optional certification criteria for EHRs in its 2014 edition, the Tiger Team is in the process of learning:

1. What patients would like to know about uses and disclosures of their electronic protected health information (PHI).

2. The capabilities of currently available, affordable technology that could be leveraged to provide patients with greater transparency re: access/disclosure of PHI.

3. How record access transparency technologies are currently being deployed by health care providers, health plans, and their business associates (for example, HIEs).

4. Other issues raised as part of the initial proposed rule to implement HITECH changes.

5. The difficulty in making the distinction between “uses” and “disclosures”.

The Sept. 6 meeting, scheduled for 11:30am to 5:30pm EST will ask panelists to testify based on questions they will receive ahead of time and invited the HITSC Privacy and Security Workgroup to take part in the Q&A. Possible testifiers include:

Providers such as Johns Hopkins Health System, John Muir Health, Henry Ford Health System, Health Partners, Kaiser Permanente (can also provide a payer’s perspective), Health Information Exchanges (HIEs) and AHIMA (representing health information professionals in provider organizations). The Tiger Team also mentioned potential vendors such as FairWarning, Meditech, Athena Health, Siemens, WEDI and the Health IT Now Coalition.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks

Continue to site...