HIPAA FAQ – Right to an Accounting of Disclosures
Accounting for disclosures requires an individual to be informed of the date the disclosure was made (45 CFR 164.528(b)(2)). If access to a universe of records was provided for a discrete period of time, Office for Civil Rights (OCR) interprets this provision to permit the accounting to include the range of dates (e.g., access was provided from August 1 to August 3, 2003; or during the week of August 10, 2003). If the disclosure is routinely made within a set period from an event, OCR, likewise, interprets this provision to permit the accounting to provide the date of the event and the normal interval (e.g., gun shot wound reported within 48 hours of treatment and provide date of treatment; hospital discharges reported on 15th of the following month and provide date of discharge; or access provided to public health authorities within 30 days of treatment in emergency department and provide the date of treatment).
The Privacy Rule does not require a notation in each medical record that has been accessed by public health authorities, as long as the information required under the Privacy Rule is included in the accounting for disclosures. Where, as with many public health disclosures, access to an entire universe of records is involved, tracking disclosures can be accomplished without the need for documentation in each record. This flexibility in the manner of documentation facilitates complying with the accounting requirement.
By way of background, a covered entity may disclose protected health information (PHI) without the patient’s authorization to a public health authority that is legally permitted to collect or receive such information for public health surveillance or related activities (45 CFR 164.512(b)(1)). A covered entity is also required by the Privacy Rule to account to the patient for such disclosures of PHI, if the patient asks (45 CFR 164.528). Further, under the Privacy Rule, making a set of records available for review by a third party constitutes a “disclosure” of the PHI in the entire set of records, regardless of whether the third party actually reviews any particular record. See 45 CFR 164.501, for the definition of disclosure. Thus, mere access by a third party, such as a public health authority, to PHI is a disclosure and subject to an accounting for disclosures.
Public health surveillance activities often involve a retrospective review by a public health authority of a universe of patient records to identify reportable events. When a reportable case is identified, the specific data items pertinent to the public health surveillance activity are extracted and reported to the public health authority.
For example, retrospective review of the medical charts for all patients treated by a health care provider or all charts of patients treated in the entity’s emergency department may be required to identify cases of new or previously unknown infectious agents, clinical conditions associated with the use or abuse of illicit or prescription drugs, or adverse events or reactions associated with pharmaceuticals or medical devices. In these cases, as noted above, all records to which access was provided to the public health authority are deemed to have been disclosed under the Privacy Rule. Because of the universal nature of the access provided, the documentation required for the disclosure can be easily maintained. The covered entity need only document the identity (and address if known) of the public health authority to which access was provided, a description of the records and PHI subject to access, the purpose for the disclosure, and when access was provided. This documentation need not be noted in each record. It would be sufficient, for instance, for the covered entity to maintain a separate notation of such disclosures, applicable to all records so accessed. Then, if an individual requests an accounting, the covered entity need only determine whether the individual’s records were among the universe of records to which the public health authority was granted access. All individuals whose records were accessed in this fashion would receive the same accounting for the disclosure.
For example, if on August 1, 2003, a hospital began providing a public health authority ongoing access to the medical charts of all patients treated in its emergency department to identify reportable cases and extract relevant information required for a particular surveillance activity, it would be sufficient, under §164.528(b)(2), for the accounting to include the following:
- the identity, and address, if known, of the public health authority;
- a statement that the public health authority had access to medical charts for patients treated in the emergency department
- the date (or approximate range of dates) when the individual’s record was subject to access (e.g., access provided within a week of treatment in ER on [fill in date of individual visit]); and
- a statement of the purpose of the access (e.g., identify the particular public health surveillance activity).
The same basic statement could then be provided in response to a request for an accounting by any individual who was seen in the emergency department of the hospital on or after August 1, 2003.
No. The Privacy Rule does not require covered entities to document any information, including oral information, that is used or disclosed for treatment, payment or health care operations.
The Rule includes, however, documentation requirements for some information disclosures for other purposes. For example, some disclosures must be documented in order to meet the standard for providing a disclosure history to an individual upon request. Where a documentation requirement exists in the Rule, it applies to all relevant communications, whether in oral or some other form. For example, if a covered physician discloses information about a case of tuberculosis to a public health authority as permitted by the Rule at 45 CFR 164.512, then he or she must maintain a record of that disclosure regardless of whether the disclosure was made orally, by phone, or in writing.
No, a covered entity is not required to provide an accounting for a disclosure where the only information disclosed is in the form of a limited data set, and the covered entity has a data use agreement with the public health authority receiving the information. (See 45 CFR 164.514(e) for limited data set and data use agreement requirements.)
Moreover, a covered entity is not required to provide an accounting when it uses protected health information to create a limited data set. For example, when a covered entity’s workforce member – whether a paid employee or volunteer – reviews medical records to identify reportable cases and extracts facially unidentifiable information to be reported as part of a limited data set to the public health authority, the covered entity is using, rather than disclosing, protected health information. In that case, the covered entity does not have to provide an accounting for its uses of protected health information. Further, even though a disclosure occurs when the limited data set is received by the public health authority for its own public health purposes, the covered entity is not required to account for this disclosure. Limited data sets are excepted from the accounting requirement at 45 CFR 164.528(a)(1)(viii).
Individuals have a right to receive, upon request, an accounting of disclosures of protected health information made by a covered entity (or its business associate), with certain exceptions. These exceptions, or instances where a covered entity is not required to account for disclosures, include disclosures for treatment, payment, or health care operations and disclosures authorized by the individual. See 45 CFR 164.528 (GPO). Disclosures that are subject to the accounting for disclosures requirement include disclosures made by a covered entity that is not a party to the litigation or proceeding and that are made:
- as required by law (under §§ 164.512(a) and (e)(1)(i));
- for a proceeding before a health oversight agency (under § 164.512(d)); or
- in response to a subpoena, discovery request, or other lawful process (under § 164.512(e)).
Conversely, covered entities need not account for disclosures of protected health information for litigation that are made with the individual’s authorization or, in cases where the covered entity is a party to the litigation, when such disclosures are part of the covered entity’s health care operations.
In many cases, covered entities share protected health information for litigation purposes with a lawyer who is a business associate of the covered entity. These disclosures by a covered entity to its lawyer-business associate are not themselves subject to the accounting. However, if (as described above) the lawyer makes disclosures that are subject to the accounting requirement, the business associate agreement required by the Privacy Rule must provide that the lawyer-business associate must make information about these disclosures available to the covered entity, so that the covered entity can fulfill its obligation to provide an accounting to the individual. Alternatively, the covered entity and the lawyer can agree through the business associate contract that the lawyer will provide the accounting to individuals who request one.
No. The Privacy Rule includes a specific exception from the accounting standard for incidental disclosures permitted by the Rule. See 45 CFR 164.528(a)(1).
A covered entity may enter into a business associate agreement with the public health authority for the sole purpose of creating a limited data set, even if the same public health authority is also the intended recipient of the information (45 CFR 164.514(e)(3)(ii)). For example, the covered entity may contract with the public health authority as a business associate for the exclusive purpose of reviewing medical charts and extracting the facially unidentifiable information needed for the particular public health surveillance activity. In these cases, the public health authority, as the covered entity’s business associate for purposes of creating a limited data set, must agree to return, destroy or not remove from the covered entity’s premises the protected health information that includes the direct identifiers, once the public health authority has completed the conversion of the information into a limited data set for its own public health use. Because the public health authority is not only the covered entity’s business associate for creating the limited data set, but also the intended recipient of the limited data set, the public health authority must enter into both a data use agreement and a business associate agreement. The data use agreement can be combined with the business associate agreement into a single agreement so long as the agreement meets the requirements of both provisions. See 45 CFR 164.504(e)(2) and 164.514(e)(4).
While there are two disclosures in this case – the disclosure to the public health authority in its role as the covered entity’s business associate in creating the limited data set, and the disclosure to the public health authority as the recipient of the limited data set – neither disclosure requires an accounting. A disclosure to a business associate for the purpose of creating a limited data set is a health care operation, as defined by the Rule at 45 CFR 164.501. Disclosures for health care operations and disclosures made as a limited data set are both excepted from the accounting requirement at 45 CFR 164.528(a)(1)(i) and (viii), respectively.
The Privacy Rule regulates covered entities, not business associates. The Rule requires covered entities to include specific provisions in agreements with business associates to safeguard protected health information, and addresses how covered entities may share this information with business associates. Covered entities are responsible for fulfilling Privacy Rule requirements with respect to individual rights, including the rights of access, amendment, and accounting, as provided for by 45 CFR 164.524, 164.526, and 164.528. With limited exceptions, a covered entity is required to provide an individual access to his or her protected health information in a designated record set. This includes information in a designated record set of a business associate, unless the information held by the business associate merely duplicates the information maintained by the covered entity. Therefore, the Rule requires covered entities to specify in the business associate contract that the business associate must make such protected health information available if and when needed by the covered entity to provide an individual with access to the information. However, the Privacy Rule does not prevent the parties from agreeing through the business associate contract that the business associate will provide access to individuals, as may be appropriate where the business associate is the only holder of the designated record set, or part thereof.
Under 45 CFR 164.526, a covered entity must amend protected health information about an individual in a designated record set, including any designated record sets (or copies thereof) held by a business associate. Therefore, the Rule requires covered entities to specify in the business associate contract that the business associate must amend protected health information in such records (or copies) when requested by the covered entity. The covered entity itself is responsible for addressing requests from individuals for amendment and coordinating such requests with its business associate. However, the Privacy Rule also does not prevent the parties from agreeing through the contract that the business associate will receive and address requests for amendment on behalf of the covered entity.
Under 45 CFR 164.528, the Privacy Rule requires a covered entity to provide an accounting of certain disclosures, including certain disclosures by its business associate, to the individual upon request. The business associate contract must provide that the business associate will make such information available to the covered entity in order for the covered entity to fulfill its obligation to the individual. As with access and amendment, the parties can agree through the business associate contract that the business associate will provide the accounting to individuals, as may be appropriate given the protected health information held by, and the functions of, the business associate.