HCA

DEPARTMENT: Information Protection and Security
POLICY DESCRIPTION: Accounting of Disclosures

PAGE: 1 of 5

REPLACES POLICY DATED: 4/14/03, 3/1/08, 9/23/13

EFFECTIVE DATE: February 1, 2019 REFERENCE NUMBER: IP.PRI.009 (formerly HIM.PRI.009)

APPROVED BY: Ethics and Compliance Policy Committee

SCOPE: All Company-affiliated facilities including, but not limited to, hospitals, ambulatory surgery centers, imaging and oncology centers, physician practices, shared services centers, and each entities' respective departments.

PURPOSE: To ensure that each Company-affiliated facility, and their respective departments, understands the requirement to populate and provide an Accounting of Disclosures of Protected Health Information to all patients as required by the Health Insurance Portability and Accountability Act (HIPAA), Standards for Privacy of Individually Identifiable Health Information (Privacy Standards), 45 CFR Parts 160 and 164, the Health Information Technology for Economic and Clinical Health Act (HITECH) component of the American Recovery and Reinvestment Act of 2009 (ARRA), and any and all other Federal regulations and interpretive guidelines promulgated thereunder.

POLICY: Each Company-affiliated facility must provide a written accounting of disclosures (AOD) of protected health information (PHI) to individuals that a facility has made during the six years prior to the date on which the accounting is requested. AODs do not need to be provided for any disclosures on or prior to April 13, 2003. Requests for an AOD must be made in writing or the verbal request must be documented.

A system must be in place for all departments (including but not limited to: Radiology, Quality, Emergency Room, and Health Information Management) within the facility to accurately and completely track all disclosures and have such information available for a minimum of six (6) years as required by the HIPAA Privacy Standards and this policy.

The right to request an AOD and the process for making a request must be outlined in the Notice of Privacy Practices.

PROCEDURE: An individual has a right to receive an accounting of disclosures of PHI made by a facility in the six (6) years prior to the date on which the accounting is requested, except for the following disclosures (the HIPAA Privacy Standards Section is included after each exception):

  1. To carry out treatment, payment and health care operations (§164.506);
  2. To individuals of PHI about them (§164.502);
  3. Pursuant to an authorization (§164.508);
  4. For the facility's directory or to persons involved in the individual's care or other notification purposes (§164.510);
  5. For national security or intelligence purposes (§164.512(K)(2));
  6. To correctional institutions or law enforcement agencies that have lawful custody of an inmate (§164.512(K)(2));
  7. As part of a limited data set (§164.514(e));
  8. That occurred prior to the compliance date for the covered entity; or
  9. Incident to a use or disclosure otherwise permitted or required (§164.502).

The accounting must include the following for each disclosure:

  1. The date of the disclosure;
  2. The name of the entity or person who received the PHI and, if known, the address of such entity or person;
  3. A brief description of the PHI disclosed; and
  4. A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure; or, in lieu of such statement, a copy of a written request for a disclosure.

Research

If the covered entity has made disclosures of PHI for a particular research purpose in accordance with the HIPAA Privacy Standards §164.512(i) (specifically under the provisions for Waiver of Authorization by an Institutional Review Board or Privacy Board, Reviews Preparatory To Research or Research on Decedent's Information) for 50 or more individuals, the accounting may provide:

  1. The name of the protocol or other research activity;
  2. A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records;
  3. A brief description of the type of PHI that was disclosed;
  4. The date or period of time during which such disclosure occurred, or may have occurred, including the date of the last such disclosure during the accounting period;
  5. The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and
  6. A statement that the PHI of the individual may or may not have been disclosed for a particular research protocol or other research activity.

If the covered entity provides an accounting for research disclosures in accordance with the Research section noted above and at the request of the individual, the covered entity may assist in contacting the entity that sponsored the research and the researcher if it is reasonably likely that the PHI of the individual was disclosed for research protocol or activity.

If the covered entity has made disclosures of PHI for a particular research purpose in accordance with the HIPAA Privacy Standards §164.512(i) for less than 50 individuals, an AOD is required for each patient that includes the date of the disclosure; the name of the entity or person who received the PHI and, if known, the address of such entity or person; a brief description of the PHI disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure; or, in lieu of such statement, a copy of a written request for a disclosure.

Provision of the accounting

  1. The facility must act on the individual's request for an accounting, no later than 60 days after receipt of such a request, as follows:
    1. The facility must provide the individual with the accounting requested; or
    2. If the facility is unable to provide the accounting within the time required then the facility may extend the time to provide the accounting by no more than 30 days, provided that:
      1. The facility, within the time limit set provides the individual with a written statement of the reasons for the delay and the date by which the facility will provide the accounting; and
      2. The facility may have only one such extension of time for action on a request for an accounting.
  2. The facility must provide the first accounting in any 12 month period to an individual free of charge. The facility may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period, provided that the facility informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee.

Documentation

A facility must document the following and retain the documentation for six years:

  1. The information required to be included in an accounting;
  2. The written accounting that is provided to the individual which should be stored with the designated record set; and
  3. The titles of the persons or offices responsible for receiving and processing requests for an accounting by individuals.

Suspend right of accounting to health oversight or law enforcement

The facility must temporarily suspend an individual's right to receive an accounting of disclosures to a health oversight agency or law enforcement for the time specified by such agency or official, if such agency or official provides the facility with a written statement that such an accounting to the individual would be reasonably likely to impede the agency's activities and specifying the time for which such a suspension is required.

If the agency or official statement is made orally, the facility must:

  1. Document the statement, including the identity of the agency or official making the statement;
  2. Temporarily suspend the individual's right to an accounting of disclosures subject to the statement; and
  3. Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement pursuant to above paragraph is submitted during that time.

List of Types of Disclosures that must be tracked for the purposes of accounting

  1. Required by law
  2. Public health activities
  3. Victims of abuse, neglect, or domestic violence unless the Covered Entity (CE), in exercising professional judgment, believes informing the individual may cause serious harm or if the CE believes the individual is responsible for the abuse, neglect, or injury.
  4. Health oversight activities
  5. Judicial and administrative proceedings
  6. Law enforcement purposes
  7. Decedents:
    • Coroners and medical examiners
    • Funeral directors
  8. Cadaveric organ, eye, or tissue donation purposes
  9. Research purposes where a waiver of authorization was provided by the Institutional Review Board or Privacy Board, preparatory reviews for research purposes and/or research on decedent's information
  10. In order to avert a serious threat to health or safety
  11. Specialized government functions:
    • Military and veterans activities
    • Protective services for the President and others
  12. Worker's compensation disclosures necessary to comply with laws relating to worker's compensation programs (not including disclosures related to payment).
  13. Inappropriate disclosures (e.g., the incorrect PHI being provided to the wrong patient, the incorrect PHI being provided to an attorney)

Attachments

  • Attachment A is a list of examples of the type of disclosures that must be tracked in the Accounting of Disclosures.
  • Attachment B is a list of examples of the type of disclosures that do NOT need to be tracked in the Accounting of Disclosures.
  • Attachment C is a sample Patient Request for Accounting form.
  • Attachment D is a sample cover letter to include when providing the patient with the Accounting of Disclosures.

REFERENCES:

  1. Patient Privacy Program Requirements Policy, IP.PRI.001
  2. Privacy Official Policy, IP.PRI.002
  3. Records Management Policy, EC.014
  4. Health Insurance Portability and Accountability Act (HIPAA), Standards for Privacy of Individually Identifiable Health Information (45 CFR Parts 160 and 164)
  5. American Recovery and Reinvestment Act of 2009, Title XIII, Subtitles A&D