While it is a great time to review existing auditing procedures, remember that this is a proposed rule, subject to change. Privacy and security officers "may want to sit tight and not act prematurely in response to a proposed, rather than final, rule," Greene says.
1. Expansion of the accounting of disclosures details. This will require changes to the corresponding policies and/or procedures that cover accounting for disclosures, in addition to possible changes in the applications being used to log and track these types of disclosures, and the ways in which this accounting is provided to individuals requesting to see it, says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, in Des Moines, IA.
2. The creation of a new DRS (containing ePHI) access report. This data is likely already collected somewhere, but CEs and BAs (who have DRSs) will need to create reports that are readable by all individuals and are not just a listing of raw log data, says Herold.
3. Updates to Notice of Privacy Practices (NPPs). The need to let individuals know their new, expanded rights will result in the need for CEs to update their NPPs and then ensure the updated NPPs are provided to patients according to the new requirements and within the indicated timeframes. They do seem to try to accommodate the CEs according to current requirements for at least annual notices.