What is Accounting of Disclosures and Why Does It Matter for HIPAA Compliance?

If you are a healthcare provider, a business associate, or a patient, you may have heard of the term "accounting of disclosures" in relation to HIPAA. But what does it mean, and why is it important for HIPAA compliance? In this article, we will explain what accounting of disclosures is, what are the requirements and exceptions under HIPAA, and how it can help you protect your privacy and security.

What is Accounting of Disclosures?

Accounting of disclosures is the process of keeping track of and reporting certain disclosures of protected health information (PHI) made by a covered entity or a business associate. PHI is any information that relates to the past, present, or future health or condition of an individual, and that can be used to identify the individual. Examples of PHI include medical records, billing information, lab results, and prescriptions.

Under the HIPAA Privacy Rule, individuals have the right to request and receive an accounting of disclosures of their PHI made by a covered entity or a business associate in the past six years. The accounting of disclosures must include the following information:

  • The date of the disclosure.
  • The name and address of the person or entity who received the PHI.
  • A brief description of the PHI disclosed.
  • The purpose of the disclosure.

The accounting of disclosures must be provided to the individual within 60 days of the request, and the covered entity or business associate may charge a reasonable fee for the service.

What are the Requirements and Exceptions under HIPAA?

The HIPAA Privacy Rule requires covered entities and business associates to account for disclosures of PHI for purposes other than treatment, payment, or health care operations (TPO). TPO are the core functions of health care providers and business associates, and they do not require the individual's authorization or consent. Examples of TPO include:

  1. Providing, coordinating, or managing health care and related services.
  2. Billing, claims management, collection, or reimbursement.
  3. Conducting quality assessment, improvement, or evaluation activities.
  4. Reviewing the competence or qualifications of health care professionals.
  5. Training or educating health care students or staff.
  6. Developing clinical guidelines or protocols.
  7. Conducting accreditation, certification, licensing, or credentialing activities.
  8. Performing business planning, development, or management.

However, there are some exceptions to the accounting of disclosures requirement, even for disclosures that are not for TPO. These include:

  1. Disclosures to or authorized by the individual.
  2. Disclosures for facility directories or notification purposes.
  3. Disclosures for national security or intelligence purposes.
  4. Disclosures to law enforcement or correctional institution officials.
  5. Disclosures of PHI in a limited data set.
  6. Disclosures that are incidental to a permitted or required use or disclosure.

These exceptions are based on the assumption that the individual is either aware of or has a low expectation of privacy for these types of disclosures, and that accounting for them would be impractical or burdensome for the covered entity or business associate.

How Can Accounting of Disclosures Help You Protect Your Privacy and Security?

Accounting of disclosures is an important tool for individuals to exercise their rights and monitor their PHI. By requesting and reviewing an accounting of disclosures, individuals can:

  • Verify that their PHI has been disclosed only for legitimate purposes and to authorized recipients.
  • Identify and report any unauthorized or suspicious disclosures of their PHI.
  • Request corrections or amendments to their PHI if they find any errors or inaccuracies.
  • File complaints or lawsuits against the covered entity or business associate if they believe their privacy or security rights have been violated.

Accounting of disclosures is also an important tool for covered entities and business associates to demonstrate their compliance and accountability. By maintaining and providing an accounting of disclosures, covered entities and business associates can:

  • Document and justify their disclosures of PHI for purposes other than TPO.
  • Respond to individuals' requests and inquiries about their PHI.
  • Cooperate with investigations or audits by the Office for Civil Rights (OCR) or other authorities.
  • Prevent or mitigate potential breaches or violations of PHI.
  • Enhance their reputation and trustworthiness among their patients, clients, and partners.

How Can EPICompliance Help You with Accounting of Disclosures?

If you are a covered entity or a business associate, you may find it challenging to keep track of and report all the disclosures of PHI that you make, especially if you have multiple systems, locations, or vendors involved. That's why you need EPICompliance, the best solution for accounting of disclosures and HIPAA compliance.

EPICompliance is an online platform that makes HIPAA compliance easy and convenient. With EPICompliance, you can:

  • Access all the necessary compliance tools in one place.
  • Cover all the aspects of HIPAA Privacy, Security, ACA/OIG-Medicare, and OSHA for Healthcare.
  • Enroll in online training courses and certification for HIPAA Privacy, Security, ACA/OIG-Medicare (Waste, Fraud, and Abuse Laws), and OSHA for Healthcare with Bloodborne Pathogens Training.
  • Receive monthly HIPAA security reminders and compliance tasks.
  • Use mandated policies and procedures, template forms, and business associate agreements.
  • And much more!

Don't let accounting of disclosures or HIPAA compliance overwhelm you. Contact EPICompliance today for a free consultation and demo of our platform. Let us help you protect your privacy and security and achieve your compliance goals.

#EPICompliance #AccountingofDisclosures #HIPAACompliance

In conclusion, accounting of disclosures is an essential component of HIPAA compliance for both individuals and covered entities/business associates. It empowers individuals to exercise control over their PHI and ensures that their sensitive health information is handled responsibly. For covered entities and business associates, accounting of disclosures serves as a valuable tool for demonstrating compliance, preventing unauthorized disclosures, and safeguarding the confidentiality and integrity of individuals' health data.

References:

  1. Right to an Accounting of Disclosures | HHS.gov https://www.hhs.gov/hipaa/for-professionals/faq/right-to-an-accounting-of-disclosures/index.html
  2. Tracking and Accounting for Research Disclosures of PHI https://www.hopkinsmedicine.org/institutional-review-board/hipaa-research/tracking
  3. U.S. Department of Health & Human Services - Office for Civil Rights https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
  4. Breach Reporting | HHS.gov https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html
  5. File a Breach: General Tab - HHS.gov https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true
  6. Four HIPAA Enforcement Actions Hold Healthcare Providers Accountable ... https://www.hhs.gov/about/news/2022/03/28/four-hipaa-enforcement-actions-hold-healthcare-providers-accountable-with-compliance.html