Follow the accounting for disclosures requirement. The HITECH Act of 2009 amended HIPAA to require providers to account for disclosures for treatment, payment or operations made in the past three years at a patient's request if the disclosure was through an electronic health record. Previously providers did not have to account for disclosures for treatment, payment or operations.
OCR had published a proposed rule in 2011 to implement this new requirement; after incurring considerable backlash the agency shelved it and has yet to issue a new one. However, despite the lack of specific guidance regarding how to comply with this obligation, it has been effective law since 2010, so providers need a mechanism to track these electronic disclosures to other providers and deliver them when a patient requests the information.