Here's Robin Raiford's bookmarked version of it.
The purpose of the NPRM is to implement the statutory requirement under HITECH to require covered entities and business associates to account for disclosures of protected health information to carry out treatment, payment, and health care operations if such disclosures are through an electronic health record.
Remember that HIPAA did not require disclosure logging for treatment, payment and operations. This revision does, when such data is disclosed/accessed via an EHR.
In the certification process, demonstrating accounting of disclosures is optional, so it's likely many certified EHRs lack accounting of disclosure functionality.
Wes Rishel wisely warns us that this may be very challenging to implement for hospitals with complex built and bought systems.
Here's Rebecca Herold's blog summarizing the major points of the NPRM.
She also describes the definition of a designated record set.
Under the current provisions of the HIPAA Privacy Rule, covered entities are required to maintain records on disclosures of protected health information for a period of six years, and to furnish an accounting of disclosures to individuals who request them. The HIPAA Privacy Rule included an exemption for disclosures for the purposes of treatment, payment, health care operations, and a variety of other special circumstances, including disclosures to the individual of their own PHI. Collectively, the excepted purposes constituted the vast majority of disclosure. HIPAA also covered all PHI, whether in paper or electronic form. HITECH shortened the accounting period to three years, but removed the exemptions for treatment, payment, and health care operations when the disclosure of information is from an EHR. The NPRM explicitly lists the types of disclosures that are subject to the accounting of disclosure requirement, rather than the prior approach of generally requiring inclusion but enumerating specific exceptions.
The NPRM does exempt disclosures made through a health information exchange, noting that the technology to track such disclosures is still evolving. The authors state
"as electronic health information exchange expands and standards for such exchange are adopted, we intend to work with ONC to assess whether such standards should include information about the purpose of each exchange transaction. Adoption of such standards may significantly reduce the burden on covered entities to account for treatment, payment, and health care operations disclosures through electronic health information exchange. We then intend to revisit this issue and determine whether the accounting requirements should be revised to encompass such disclosures, in light of the interests of individuals and the reduced burden on covered entities."
The burden of implementing this regulation, especially in complex organizations with many departmental systems, could be very high.
I'll watch the comment period very closely.