An accounting of disclosures is a helpful tool for patients trying to understand when and where providers have shared their protected health information (PHI). How thorough does this need to be, though?
HIPAA protects patient privacy, enhances security, and provides rights that help patients understand and control their PHI use and disclosure. Signed patient authorization forms are required for most disclosures, but there are exceptions.
To ensure compliance, it’s important to log these exceptions in an accounting of disclosures form, but not all exceptions are applicable. In this article, we’ll discuss what an accounting of disclosures is, explain when it’s necessary, and more.
As you read on, please remember that you should always document every disclosure, whether it’s necessary for an accounting of disclosures or not.
What Constitutes Disclosure?
HHS defines disclosure as the “release, transfer, provisions of, access to, or divulgence in any manner of information outside the entity holding the information.”
This broad HIPAA definition is pretty simple; if your healthcare organization releases records, it’s disclosure. This definition also applies to breaches or unintentional disclosures.
When dealing with disclosure accounting, however, the definition of disclosure is slightly more specific.
In this context, disclosures are the access to, delivery of, or transmission of PHI to parties without patient-signed authorization forms. This excludes TPO (treatment, payment, and operations) and healthcare operations business associates with an established BAA.
So while the broad HIPAA definition of disclosure accounts for all movement of protected health information, disclosures in the context of accounting are limited to specific instances. There is a reason for this divide.
An accounting of disclosures is a report for patients designed to fill gaps in their knowledge of their PHI disclosures. The most significant example of this split is in the context of PHI requests made with signed patient authorization forms.
When a patient signs a form to authorize disclosure to themselves, another provider, or a third-party professional, they’re already aware of the disclosure. While this counts as a disclosure under the broad definition, it’s unnecessary to include it in an accounting of disclosures.
What Are the Accounting of Disclosures Exceptions?
To help you understand what you must add to an accounting of disclosures, let’s discuss the exceptions. If you’re a covered entity, it’s important to note that you must include disclosures to or by your business associates.
Patients have the right to request HIPAA accounting, excluding disclosures made for the following purposes:
Treatment, Payment, and Healthcare Operations
HHS identifies TPO, or treatment, payment, and healthcare operations, as nonessential to report in an accounting of disclosures. These are key functions of medical, billing, and imaging records, and patients should assume covered entities use them as such.
Treatment refers to “the provision, coordination, or management of healthcare and related services.” This includes consultations and patient referrals with other providers and essential functions with third parties (business associates and other covered entities).
Payment refers to the actions healthcare providers take to seek payment or reimbursement for services rendered. It also covers health plans’ activities to obtain premium payments, provide coverage benefits, and provide or collect reimbursement for services.
Healthcare Operations are certain administrative, financial, legal, and quality improvement activities essential for covered entities’ business operations and core functions.
Informing Individuals Directly Involved in Patient Care
There’s a short list of individuals to whom healthcare providers may disclose PHI without reporting in an accounting of disclosures.
- The patient receiving treatment can discuss their PHI with their healthcare provider per their doctor-patient relationship without formal accounting.
- Incidental disclosure is a “secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule.” A common example of an incidental disclosure is another patient overhearing part of a confidential doctor-patient conversation.
- Signed authorizations for disclosure imply that the patient is aware of and consents to the disclosure of PHI to the recipient.
- Patient directories can receive patient data for internal use without accounting.
- Individuals responsible for the patient’s care may receive certain updates about the patient’s care, payment, and notifications related to their location, condition, or passing.
Legal Use and Limited Data Sets
- Issues of national security or intelligence don’t require disclosure accounting.
- Correctional institutions and law enforcement officials don’t require disclosure accounting.
- Limited data sets are sets of individually identifiable health information that covered entities may share with certain entities for research, public health, and healthcare operations without patient authorization. Because these records must be stripped of identifiable data including name, address, contact details, etc., they don’t require disclosure accounting.
When Must Organizations Provide Accounting of Disclosures?
With such a long list of disclosures that don’t require inclusion in an accounting of disclosures, it may be hard to visualize when inclusion is necessary. There are plenty of situations where disclosure would necessitate accounting, including the following:
Research Purposes
Data used for research purposes that has not been de-identified must be included in an accounting of disclosures. Depending on the scope of the study, this may also apply to Institutional Review Boards and Privacy Boards.
Marketing and Sales Purposes
PHI used for marketing and sales purposes is also necessary to include in your accounting. This may also apply to situations in which a patient has provided consent, such as client marketing stories.
Legal Use
In certain situations, the release of information is legally required, and you must include these in your accounting. Examples of mandatory disclosures include subpoenas, court orders, emergencies, and state reporting.
This also includes disclosures made for:
- Government functions like military and veteran activities,
- Worker’s Compensation disclosures necessary for legal compliance,
- Mandatory disclosure for patients who have faced abuse, neglect, and/or domestic violence.
Public Health
The release of PHI may be necessary to avoid threats to public well-being, and these must also be included in the accounting. HHS, FDA, and other such organizations may require disclosures to prevent disease, perform investigations, and protect from terroristic threats.
End of Life
When a patient reaches the end of their life, certain health information may be disclosed to protect the health of coroners, funeral directors, and those involved in organ donation.
Incorrect Recipient
In addition to fulfilling Breach Notification Rule requirements, PHI disclosed unintentionally or to the incorrect party requires accounting.
What Does an Accounting of Disclosures Look Like?
When patients request an accounting of disclosures, your report must include disclosures made in the 6 years prior to the request date. Requestors can provide a date range for this request, but it may not extend beyond this 6-year period.
When an accounting of disclosures request reaches an organization, that organization has 60 days to fulfill the request. With a detailed, written statement that includes the reason for delay and expected date of fulfillment, covered entities may extend this deadline an extra 30 days.
Once you’ve determined which disclosures require inclusion in an accounting of disclosures, it’s important to include all necessary information. This information includes:
- Disclosure details, including the date of the disclosure and the name and address of the entity that received the PHI.
- A brief description of the PHI disclosed. This should include a brief statement of the reason for the disclosure.
- If a disclosure request was submitted by the Secretary of HHS to investigate the covered entity’s compliance or under circumstances that would not necessitate written authorization, a copy of the written disclosure request is acceptable.
Can a Covered Entity Charge For an Accounting of Disclosures?
In most cases, covered entities may not charge for releasing a requested accounting of disclosures. The HIPAA Privacy Rule requires covered entities to release the first accounting in any given 12-month period for no charge.
In situations where an individual requests their accounting of disclosures more than once in 12 months, covered entities may charge. This charge must be a reasonable, cost-based fee, and it may only be required if the covered entity informs the individual of the fee in advance. They must also offer the requestor an opportunity to change or rescind their request.
How Can ChartRequest Simplify Accounting of Disclosure?
Manually logging every disclosure of protected health information can be a major challenge for healthcare workers.
Traditional release of information methods can devour your team’s time between:
- Ensuring compliance throughout the entire process,
- Answering calls and emails regarding request status,
- Hunting down incoming and verifying outgoing faxes,
- and much more.
We understand people don’t enter healthcare for the paperwork. That’s why we automate the accounting of disclosures with a comprehensive audit log. By reducing the burdens of compliant record release, we help our healthcare partners spend more time doing what matters most – helping patients.