Under HIPAA, Is Disclosure Accounting Required?
The HIPAA Privacy Rule applies to any health plan, health care clearinghouse, or health care provider who electronically transmits protected health information in connection with standard transactions.
The HIPAA Privacy Rule requires covered entities to account for disclosures of PHI for purposes other than treatment, payment, or healthcare operations (TPO). This is called Disclosure Accounting.
How To Do Disclosure Accounting?
Under HIPAA, disclosure accounting is the action or process of keeping records of disclosures made of PHI for purposes other than Treatment, Payment, and Healthcare Operations (TPO). This is sometimes called “Accounting of Disclosures” or “AOD.”
A disclosure accounting is a report that complies with the requirements of the HIPAA Privacy Rule. It must be provided to the individual who has received a disclosure of PHI or their legally authorized representative no later than 60 days after the individual requested the accounting.
This is a requirement of the HIPAA Privacy Rule, ensuring that patients have accurate information about what has been disclosed to them and their legal representatives. A disclosure accounting must also contain all relevant details about the disclosure.
The first step in disclosure accounting is to identify the events that have occurred and the type of PHI involved. This will help you determine which disclosures need to be accounted for and which do not.
Some of the most common disclosures that require disclosure accounting include disclosures to third parties for research, data sales, marketing purposes, and patient consent. If these disclosures are part of your business, they may need to be strategically analyzed and procedurally assessed to ensure compliance with HIPAA.
Other important disclosures that need to be accounted for include disclosures to law enforcement and other public authorities, such as health oversight agencies, whistleblowers, and criminal justice personnel. These disclosures can be very large and often involve sensitive information.
It is also important to note that some disclosures are exempt from the accounting requirements of the HIPAA Privacy Rule. These include certain reports of child abuse if the reporting party is a law enforcement agency.
It is a good idea to record all these disclosures so patients can make informed decisions about their healthcare. Many EHR systems offer an Accounting of Disclosures log, allowing you to record all these disclosures in one place.
What To Include In The Accounting?
Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), disclosure accounting is required when a covered entity or business associate discloses protected health information for purposes other than treatment, payment, or healthcare operations. Disclosure accounting documents these disclosures and responds to individuals’ requests for them.
The Accounting of Disclosures (AOD) provision requires covered entities and business associates to provide an individual with a disclosure accounting within 60 days of receiving the request. However, if accounting is provided as soon as possible and no later than 30 days after receiving the request, an individual may obtain an additional 30-day extension based on good cause.
In addition to providing an accounting, a covered entity must establish an Accounting of Disclosures log. This log is designed to record all disclosures of protected health information for which an individual is given the right to receive an accounting.
A covered entity must also include in its Accounting of Disclosures log the name and identification number of the patient whose PHI was disclosed, a brief statement of purpose that reasonably informs the individual of the purposes for which protected health information is being disclosed, and the date and time the disclosure was made. The AOD may also contain other information, including the reason for the disclosure and any other relevant information. However, such information must be limited to the above elements.
Some commenters also wanted to exclude disclosures to public health agencies and law enforcement officials from the accounting. They believed including such disclosures in accounting could impede an agency or official’s activities or interfere with law enforcement investigations or responses. In some cases, a covered entity may not be able to exclude such disclosures because of the confidentiality of the information.
Others argued that requiring the recording of all disclosures would encourage consistent documentation of all disclosures and help prevent fraudulent authorizations. However, they also feared that some people who might have been exposed to certain risks might be more likely to use their rights to request an accounting of disclosures if they had a way to track such activities.
What To Exclude From The Accounting?
In general, the accounting must include
- a statement of the date of each disclosure,
- the name and address of the person or entity receiving protected health information,
- the purpose of each disclosure, and
- a brief description of the information disclosed.
However, for multiple disclosures to the same person for the same purpose, the accounting must only include the first disclosure with the elements listed above.
During the rulemaking process, we received comments and questions that raised concerns about the accounting requirement. For example, several commenters believed that accounting for all disclosures would be burdensome and disproportionate to the need to monitor individual privacy rights. Others believe that it is unnecessary to provide individuals with an accounting for disclosures of their health information by other entities unless they request it or the covered entity can demonstrate that it has a reasonable basis to believe that the individual needs to know about the disclosures.
Some commenters thought the accounting should be streamlined to reduce the cost and burden on the covered entity. For example, they questioned whether accountings should be required for research and surveillance systems and databases that only release small portions of protected health information. They also expressed concern that the accounting could detract from meaningful use requirements.
Other commenters, including mental health professionals, expressed a strong desire to continue the requirement for an accounting of authorized disclosures. They argued that psychotherapy notes should be subject to the same accountability as other protected health information and that patients should have the right to request an accounting of authorized disclosures by their healthcare providers.
Response: The Department believes that individuals have a right to be informed about their protected health information disclosures. However, balancing the individual’s rights with the Department’s oversight function is necessary. For this reason, we exempted routine disclosures primarily for treatment, payment, health care operations, and certain security purposes. These disclosures are not likely to be made by parties who have unauthorized access to protected health information. They are also not likely to be committed by the individual, their caregiver, or their spouse. They, therefore, are unlikely to affect the integrity of law enforcement or other investigative processes.
How To Prepare For Accounting?
Disclosure accounting is a requisite for any HIPAA-covered entity. However, determining where to start and when to stop is the most interesting part. This is where a robust risk analysis and assessment plan comes into play. It’s about a holistic, standardized approach to managing and mitigating risks. The HIPAA identifier suite will help you do just that. The most revealing is the Healthcare Risk Assessment, which will give you a tamer and clearer picture of your patient’s health data.
Under HIPAA, Is Disclosure Accounting Required? Guide To Know
Under HIPAA, disclosure accounting records all disclosures of protected health information (PHI) made by a covered entity or business associate. A covered entity can be a healthcare provider, a health plan, or a clearinghouse. A business associate is any entity that performs a function on behalf of a covered entity involving PHI use or disclosure.
The disclosure accounting includes
- the date of disclosure,
- the name and address of the entity or person receiving the information,
- a brief description of the information disclosed, and
- the reason for the disclosure.
It is important to note that disclosure accounting does not apply to all disclosures of PHI. In addition, certain disclosures are excluded from the accounting requirement.
The purpose of disclosure accounting is to give individuals greater control over their PHI and increase transparency regarding who has accessed it. An individual has the right to request a disclosure accounting from a covered entity, which must provide the accounting within 60 days of the request.
There are some exceptions to the disclosure accounting requirement. One exception is for disclosures made for treatment, payment, or healthcare operations purposes. This means that a covered entity does not have to provide an accounting for disclosures made for these purposes. Another exception is for disclosures made under an individual’s authorization. For example, if an individual has authorized the disclosure of their PHI, a covered entity must not include that disclosure in the accounting.
It is important to note that the disclosure accounting requirement applies to disclosures made on or after April 14, 2003. Disclosures made before this date are not subject to the requirement. Additionally, the requirement only applies to disclosures for purposes other than treatment, payment, and healthcare operations.
In summary, disclosure accounting is a record of all disclosures of PHI made by a covered entity or business associate, excluding certain disclosures. Disclosure accounting aims to give individuals greater control over their PHI and increase transparency regarding who has accessed it.
FAQs
What is an accounting of disclosure?
Accounting for Disclosures – Information that lists the PHI that has been disclosed by a covered entity for purposes other than treatment, payment, and health care operations, with authorization, and in certain other limited circumstances.
When is the information provided to the subject in a HIPAA disclosure accounting required?
Where necessary, for disclosures involving fewer than 50 subject records, the details supplied to the data subject in a HIPAA disclosure accounting… must be more thorough. At least for the initial interaction, can be considered a “preparatory to research” activity, although data shouldn’t leave the protected entity.
What is the minimum necessary rule in HIPAA?
In order to reduce unauthorised or improper access to and disclosure of protected health information, covered entities are required under the minimum necessary level to review their procedures and strengthen security measures as necessary.
What is included in the authorization for disclosure of PHI?
A number of components must be specified in an authorization, such as the protected health information to be used and released, who is permitted to use or disclose it, who the covered entity may disclose it to, and when it will expire.
Which of the following disclosures do not require accounting?
There is no need for an accounting for disclosures that are incidental to another legal use or disclosure or that are only a portion of a small group of data.
Is accounting a disclosure policy?
Any adjustment to an accounting policy that has a significant impact needs to be disclosed. To the extent that it is possible to determine it, the amount by which each item in the financial statements is impacted by the change should also be communicated. Where such amount is not ascertainable, wholly or in part, the fact should be indicated.