Which of the following is required to be included in an accounting of disclosures?

The HIPAA Privacy Rule requires Covered Entities to account for all disclosures of Protected Health Information (PHI) that were made for purposes other than treatment, payment, or healthcare operations. HIPAA Disclosure Accounting is the “accounting” (the action or process of keeping records) of these disclosures. This is sometimes referred to as “Accounting of Disclosures” or AOD.

HIPAA Disclosure Accounting and TPO

Within the context of disclosure accounting, disclosure is defined as the access to, delivery of, or transmission to, parties that do not have authorization (outside of TPO or an established Business Associate Agreement (BAA) which falls under healthcare operations).

TPO stands for Treatment, Payment, and Operations.

TPO describes the circumstances in which covered entities are allowed by law to disclose patient information without the need to obtain authorization from patients. (Check out our article on whether or not patient authorization is required here!)

From the HHS’s Guidance on the TPO disclosures:

• “Treatment” generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
• “Payment” encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.
• “Health Care Operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.

When is an Accounting of Disclosures Form Necessary?

An accounting of disclosures form may be necessary if you disclose patient records for the purposes of selling them, for scientific research if the data has not been de-identified, if they consented to having their info included in a client marketing story, or if their information has been disclosed for other marketing purposes.

Other instances necessitating Accounting of Disclosures (AOD) include:

• Those Required by Law (Court Orders, subpoenas, state reporting, emergencies)
• Public Health Activities (Prevention of disease, public health investigations)
• Victims of abuse, neglect, or domestic violence
• Health Oversight Activities (HHS investigations, FDA, Medicaid fraud units)
• Decedents (Coroners, funeral directors)
• Cadaveric, tissue, or eye donation (organ procurement organizations)
• Research purpose (IRB or Privacy boards, dependent on scope of study)
• To avert a serious health or safety threat (FDA inquiry, terrorist threat, communicable disease organizations)
• Specialized government functions (Military, veteran, and Presidential activities)
• Worker’s Compensation (Worker’s compensation disclosures necessary to comply with the law, not payment related disclosures)
• Inappropriate or Mistake Disclosures (PHI mailed or faxed to incorrect party)

HIPAA Disclosure Accounting May Not be a Regular Part of Your Business

Ideally, you won’t have many disclosures to account for, and that is the point.

If disclosing patient data for research, data sales, or using PHI for marketing purposes is a part of your business operations, it would need to be strategically analyzed and procedurally assessed to ensure compliance with HIPAA laws.

Takeaways

• HIPAA Disclosure Accounting or Accounting of Disclosures (AOD) is the action or process of keeping records of disclosures of PHI for purposes other than Treatment, Payment, or Healthcare Operations.
• You are required by law to provide patients a list of all the disclosures of their PHI that you have made outside of TPO.
• Ideally, you won’t have many non-TPO disclosures to account for, and that is the point.

Still not sure if or when you need to practice disclosure accounting? The compliance consultants here at Gazelle can help!

Give us a call at (503)-389-5666 or send an email to now!

(a) Standard: Right to an accounting of disclosures of protected health information.

(1) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures:

(i) To carry out treatment, payment and health care operations as provided in § 164.506;

(ii) To individuals of protected health information about them as provided in § 164.502;

(iii) Incident to a use or disclosure otherwise permitted or required by this subpart, as provided in § 164.502;

(iv) Pursuant to an authorization as provided in § 164.508;

(v) For the facility's directory or to persons involved in the individual's care or other notification purposes as provided in § 164.510;

(vi) For national security or intelligence purposes as provided in § 164.512(k)(2);

(vii) To correctional institutions or law enforcement officials as provided in § 164.512(k)(5);

(viii) As part of a limited data set in accordance with § 164.514(e); or

(ix) That occurred prior to the compliance date for the covered entity.

(2)

(i) The covered entity must temporarily suspend an individual's right to receive an accounting of disclosures to a health oversight agency or law enforcement official, as provided in § 164.512(d) or (f), respectively, for the time specified by such agency or official, if such agency or official provides the covered entity with a written statement that such an accounting to the individual would be reasonably likely to impede the agency's activities and specifying the time for which such a suspension is required.

(ii) If the agency or official statement in paragraph (a)(2)(i) of this section is made orally, the covered entity must:

(A) Document the statement, including the identity of the agency or official making the statement;

(B) Temporarily suspend the individual's right to an accounting of disclosures subject to the statement; and

(C) Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement pursuant to paragraph (a)(2)(i) of this section is submitted during that time.

(3) An individual may request an accounting of disclosures for a period of time less than six years from the date of the request.

(b) Implementation specifications: Content of the accounting. The covered entity must provide the individual with a written accounting that meets the following requirements.

(1) Except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity.

(2) Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure:

(i) The date of the disclosure;

(ii) The name of the entity or person who received the protected health information and, if known, the address of such entity or person;

(iii) A brief description of the protected health information disclosed; and

(iv) A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure under § 164.502(a)(2)(ii) or § 164.512, if any.

(3) If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under § 164.502(a)(2)(ii) or § 164.512, the accounting may, with respect to such multiple disclosures, provide:

(i) The information required by paragraph (b)(2) of this section for the first disclosure during the accounting period;

(ii) The frequency, periodicity, or number of the disclosures made during the accounting period; and

(iii) The date of the last such disclosure during the accounting period.

(4)

(i) If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with § 164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide:

(A) The name of the protocol or other research activity;

(B) A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records;

(C) A brief description of the type of protected health information that was disclosed;

(D) The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period;

(E) The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and

(F) A statement that the protected health information of the individual may or may not have been disclosed for a particular protocol or other research activity.

(ii) If the covered entity provides an accounting for research disclosures, in accordance with paragraph (b)(4) of this section, and if it is reasonably likely that the protected health information of the individual was disclosed for such research protocol or activity, the covered entity shall, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher.

(c) Implementation specifications: Provision of the accounting.

(1) The covered entity must act on the individual's request for an accounting, no later than 60 days after receipt of such a request, as follows.

(i) The covered entity must provide the individual with the accounting requested; or

(ii) If the covered entity is unable to provide the accounting within the time required by paragraph (c)(1) of this section, the covered entity may extend the time to provide the accounting by no more than 30 days, provided that:

(A) The covered entity, within the time limit set by paragraph (c)(1) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting; and

(B) The covered entity may have only one such extension of time for action on a request for an accounting.

(2) The covered entity must provide the first accounting to an individual in any 12 month period without charge. The covered entity may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period, provided that the covered entity informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee.

(d) Implementation specification: Documentation. A covered entity must document the following and retain the documentation as required by § 164.530(j):

(1) The information required to be included in an accounting under paragraph (b) of this section for disclosures of protected health information that are subject to an accounting under paragraph (a) of this section;

(2) The written accounting that is provided to the individual under this section; and

(3) The titles of the persons or offices responsible for receiving and processing requests for an accounting by individuals.

What is the purpose of accounting of disclosures?

Which of the following must be logged in the accounting of disclosures log?

What is an example of accounting of disclosures?

What is a Hipaa disclosure accounting?