MIAOULIS NOTE: As I read the rule, if a patient asks "tell me everyone that has looked at my record:, The CE must give them a list of names of who has accessed. We do not have to tell them why.
This makes it essential that view audit trails be turned on and that we maintain Audit trail for 3 years.
I have long advocated the need for strong audit trails as a deterrent to unauthorized access to patient information, this takes the information to the patient and in my opinion will enhance the confidentiality of patient information for everyone.
THE RULE CAN BE FOUND HERE (PDF FORMAT)
AHIMA has a great article which can be found here:
Rights to Reports on Disclosure and Access
In addition, acting on its “general authority under HIPAA,” OCR proposes revising the privacy rule to create two separate rights for individuals: the right to an accounting of disclosures and the right to a report on access.
The access report would not distinguish between “uses” and “disclosures,” thus it would apply when any person accesses a designated record set maintained in an electronic system.
The right to a report on access was not called for specifically under HITECH, but OCR appears to be acknowledging long-standing comments from both providers and consumers that individuals are often more interested in who accessed their information than to whom it was disclosed. The change is intended to “ensure that individuals are receiving the information that is of most interest,” OCR writes.
As proposed, the access report would not indicate the purpose of the access. OCR considers the accounting of disclosure to be the “full accounting” that provides greater detail.