Proposed Regulations on HIPAA Accounting of Disclosures

New Rules and Regulations for Covered Healthcare Entities

Proposed regulations regarding HIPAA accounting of disclosures have been recently published and are open for public comments.  If enacted in their current form, the new regulations will require Covered Entities to make significant revisions to their current HIPAA procedures and may require modifications to current computer systems.  


Under the HITECH Act, regulations must be enacted that allow individuals to receive a much expanded accounting of disclosures of electronic health information, including disclosures made for treatment, payment and health care operations. 

In order to accomplish this, the proposed regulations differentiate between “accountings of disclosures” and “access reports.”  Accountings will continue to be a list of certain limited types of disclosures.  Access reports will be similar to “audit trails” and must include information regarding each access to an individual’s electronic health information.  Covered Entities must be able to provide, upon request, both accountings and access reports.

Covered Entities

The proposed regulations also include specific requirements, including the following:

  • Accountings and access reports must be available in regard to disclosures or access, as applicable, for 3 years and must be provided within 30 days of the request. 
  • Accountings and access reports will be required only for health information maintained in designated record sets (e.g., medical records, billing records).
  • Accountings and access reports must include information about disclosures of, and access to, information maintained by business associates.
  • There are additional exceptions to the types of disclosures that must be included on an accounting (e.g., exceptions will include disclosures about abuse and to medical examiners).


9 Responses

  1. To really prove to an auditor from KPMG that your HIPAA sanctions are in place, someone has to take a hit for the team.

    Yesterday, posted “U.S. Department Of Health And Human Services Audits Set To Begin Soon” (no byline).

    Attorney Adam H. Greene, who formerly worked at HHS’ Office for Civil Rights and now focuses his practice on HIPAA compliance, suggested that “entities that have never imposed an internal HIPAA-related sanction may have a problem.” He adds that not having issued a sanction “doesn’t mean you have never had a HIPAA violation.”

    So, Doc, got an employee in mind?

    D. Kellus Pruitt DDS


  2. We’ve been had

    New HIPAA rules won’t enhance privacy, but they will burden physicians



  3. HIPAA in the “Real” World

    The things I hate about HIPAA are its inconsistencies, and its overall effect.

    For instance, there are many restrictions on sending even the simplest of emails without major encryption, but nothing about faxes at all.

    In fact, the law’s severe penalties created panic-like behavior in my office, where we worried about how a patient wandering into a back room might glance at a chart and see another patient’s name. OR, how we even blanked out names on X-ray films!

    Dr. David Edward Marcinko MBA


  4. You’ve got that right – Dr. Marcinko!

    A couple of years ago, a serious discussion on a HIPAA listserv revolved around replacing written allergy warnings on the outside of patients’ charts with color coded labels to prevent passers-by from accidentally catching a glance at protected health information.

    D. Kellus Pruitt DDS


  5. Sanctioned an employee yet?

    If you are considering ignoring the reporting deadline simply because your practice hasn’t experienced any breaches of patients’ identities in 2011, let me first of all tell you congratulations on your spotless privacy record. Though that’s certainly an admirable accomplishment all dentists should strive for, this is not the time or the environment to take a bow. Like dental school, this is a time to blend in.

    Even the most secure practices should be aware that since the frequency of data breaches from healthcare organizations has reached epidemic proportions, ambitious KPMG auditors working on commission for OCR are well aware that virtually all dentists with electronic records have suffered reportable data breaches in 2011. You can imagine the amount of unwanted special attention a HIPAA success story in dentistry could attract these days.

    If you haven’t listed any breaches of 500 or fewer of your patients’ identities yet, between now and Wednesday, you might want to help a formerly careless employee or two recall how you sanctioned them for something like allowing a UPS delivery person to accidentally glance at a patient’s digital medical history. Or, maybe for leaving an unattended computer within reach of a patient (I think HIPAA actually protects a dentist from having to reveal the patient’s name). Anything would be preferable to a blank page under your NPI number, and it helps if you get your stories straight with staff members who learned a darn good lesson from the experience.

    You’ll certainly be unpopular around the office for a while, but according to attorney and former OCR official Adam Greene, “… entities that have never imposed an internal HIPAA-related sanction may have a problem.” He added that not having issued a sanction “doesn’t mean you have never had a HIPAA violation.”

    Regardless of what triggers a HIPAA audit, suppose a humorless KPMG employee with bad breath just happens to be having a really bad day, and predictably doesn’t like dentists much at all. Dentists should do everything possible to avoid the risk of obscene fines for willful neglect which easily can bring an end to an honest dental practice. If you are a HIPAA covered entity, take the former OCR official’s advice and sanction someone if you haven’t already done so, and do it before Wednesday.

    I ask you. If I wasn’t here to warn of these liabilities, who would? The ADA? … You mean the same professional organization which joined with discount dentistry brokers like Delta Dental and BCBSTX to persuade uninformed dentists to volunteer for NPI numbers?

    Who’s your daddy?

    D. Kellus Pruitt DDS


  6. Blue Cross and Blue Shield of TN to Pay $1.5 Million in HIPAA Settlement

    In the first enforcement action stemming from the HITECH Act breach notification rule, Blue Cross and Blue Shield of Tennessee has agreed to pay federal regulators $1.5 million and enter into a corrective action plan after 57 hard drives were stolen from the insurer.

    Blue Cross told government authorities that the computer drives contained unencrypted private health information for more than one million people, including names, Social Security numbers, dates of birth, diagnosis codes, and health plan ID numbers, according to an announcement by HHS’ Office for Civil Rights.

    Source: Joe Carlson, Modern Healthcare [3/13/12]


  7. Of Email Compliance

    Is sending “secure” email to patients who use Gmail – or other providers – HIPAA compliant?



  8. It’s very risky for a physician to simply email health-related issues with their patients for several justified security reasons.

    However, an ad for RPost just appeared that you might be interested in reading: “Physician Groups Turn to RPost for HIPAA Compliance, Electronic Signatures, and Registered Email Legal Delivery Proof.”

    “RPost has set the standard for legal electronic messaging and document services with its patented Registered Email® services for delivery proof, compliant message encryption and legal electronic signatures.”

    Hope this helps.

    Darrell DK


  9. Can you trust your practice to your Business Associates’ hiring habits?

    “32,000 patient records exposed on contractor’s unsecured website – Cogent dealing with second HIPAA breach.” by Susan D. Hall, FierceHealthIT, August 12, 2013.

    An employee of medical transcription contractor Cogent, who left a critical firewall down for 7 weeks between May 5 and June 24, is responsible for permanently damaging thousands (?) of physicians’ practices across the nation by causing a breach of their patients’ Protected Health Information (PHI). According to HIPAA, Cogent is a “Business Associate” of physicians, who are “Covered Entities.” Even though BAs are to blame for 58% of all breaches of patients’ records, far too many of the 32,000 notified patients across 48 states won’t understand the difference. According to the Ponemon Institute at least 20% will immediately leave the practice – giving their hapless doctors no chance to explain. Is that fair?

    A Cogent employee simply goofed. A human error. Yet not even the very best cyber-insurance policy can repair the doctors’ reputations in their communities for even one breach. Note that this is Cogent’s second. I wonder how many doctors have had to notify their patients twice. How many will be willing to risk identity theft a third time?

    HIPAA-covered dentists’ practices are at the mercy of their BAs’ hiring practices as well. Doesn’t that make you nervous, Doc?

    De-identify now. If dental patients’ identities are unavailable, they are impossible to steal.

    D. Kellus Pruitt DDS
