Preliminary Thoughts about the HIPAA Accounting of Disclosures NPRM
Logging access to ePHI has been around since the Security Rule went into effect. So, even though the original accounting of disclosures requirements did not include activities for TPO, CEs should theoretically already have the access/disclosure logging activities implemented, as should BAs after the HITECH rule went into effect. However, realistically, I doubt if more than 40% (and this is my own spit-wad estimation, which is likely on the high side) actually have such logging in place. The Accounting of Disclosures NPRM is a wake-up call for CEs and BAs alike to get this portion of the Security Rule implemented. Once it is implemented, creating easy-to-understand reports to show these accesses will be a matter of updating existing applications that access ePHI or creating new ones. This could take some time to plan for and implement if starting from scratch.
Read Rebecca’s full commentary on Privacy Guidance.