The Department of Health and Human Services (“HHS”) recently issued a proposed rule that would change the current accounting rule under the HIPAA privacy regulations. 76 Fed. Reg. 31426 (May 31, 2011).
The new rule also would require covered entities to keep a log of anyone who accesses electronic protected health information and provide an access report to individuals upon request (this requirement would apply to information held by the plan or any of its business associates). As described in the attached memo, if the proposal is finalized, it would significantly impact health plans and business associates and the systems they use to maintain health information.