HIPAA (Health Insurance Portability & Accountability Act) keeps a check on all medical practices and insurance providers, working in favor of the consumer when and where necessary. The idea is to present the patient with a clear picture of how, when and where their money and Protected Health Information (PHI) is used. In turn, it serves to help you, a covered entity, mitigate damages as much as possible.
The HIPAA accounting disclosure requirement provision dictates that you must keep an account of when and where PHI was disclosed. However, this doesn’t mean that every PHI disclosure must go through the patient – but only as a subset of Release of Information (ROI) requests.
An ROI request is a patient or their attorney’s tool to review how their PHI was used over the years. They will need to fill a form and submit it to you – the covered entity. The request comprises a form and a letter attached with it that includes the sender’s name, address, zip code, subject, and most importantly, why they need said information.
Here, we’ll discuss what you as a covered entity need to be mindful of if a patient requests an accounting of PHI disclosures.
So, let’s dive in!
Records That Should Be Maintained According to HIPAA Accounting Disclosures Provisions
As a HIPAA covered medical practice, your disclosure account should include the following information:
- Any disclosure of PHI you made in the last 6 years (from the date an ROI was submitted)
- Date of disclosure
- Name of entity who received the PHI from you and the address of such entity
- Description of the PHI disclosed, and
- A statement of purpose about why you disclosed said information
- If you made multiple disclosures over the last 6 years, your accounting of disclosures will also include:
- The information you disclosed the first time
- The number of disclosures made (or frequency)
- Date of last disclosure
- If you disclosed PHI for research purposes, your account will include the name of the research activity, facility (address and contact information), date(s), duration and a brief description(s) of type of information disclosed.
If the information disclosed was for research, as the medical practitioner that disclosed said information, you will assist the individual (upon request) in contacting the researcher and its sponsor.
Automatic Accounting of Disclosure
While the basic HIPAA accounting disclosure requirements have you compile an accounting of disclosures list when a patient requests for it, your medical practice may also have to compile it if you disclose PHI without informing a patient or aren’t authorized to do so.
These situations can include, but aren’t limited to:
- Unauthorized disclosures to researchers, outside staff or any other third party,
- Breaches or information security lapses,
- Subpoenas,
- Requests for Workers Compensation cases, and more..
The core concept to grasp here is that you must immediately create an accounting of disclosure if a patient’s PHI was disclosed without their consent. As the log maintains a comprehensive list of all disclosures at the same time, you are fulfilling the patient’s Accounting of Disclosures right and therefore reducing or even mitigating the risk of liability, should things take a wrong turn.
When a Patient Asks for This Information, How Soon Should It Be Provided?
Apart from the what, HIPAA accounting of disclosure requirements also suggests a timeline of how soon you need to provide access to individuals. The provision you get as a medical practitioner is 30 calendar days. Not working days.
However, remember that the 30-day limit is an outer limit. We urge you to respond as soon as possible.
Usually, larger medical practices have the capacity to give their patients instantaneous electronic access to PHI or an accounting of disclosure via their internal EHR system. Small medical practices might not have such a luxury. We recommend that you implement such a functionality if you can, to make things easier.
The process is simple and requires an electronic compilation of personal health records and a list of who you do business with.
Failing to Provide Accounting of Disclosure Within 30 Days
If you’re manually compiling data, the 30-day limit might not be sufficient for you – especially for patients who’ve been with you for quite a while. If you’re facing such an issue, as a HIPAA-covered entity, you may buy some time.
Once the initial 30 days are nearing completion, you can inform your patient in writing of the delay and a detailed account of why the delay took place. Your letter should also include the time you need and the expected date by which you’ll be able to provide them with the account.
You can get an extension of only 30 days. Keep in mind, though, that you can request an extension only once.
Form & Format of Accounting of Disclosure
The main provision about the form and format as per HIPAA accounting of disclosure requirements is that it should be readable. There is a recommendation that you should provide access to the patient about their information in the form and format they requested it in, if producible.
If you are unable to produce the accounting in said format, a readable hard copy will work too. Other forms, such as electronic access, are also acceptable, provided that you and the person making the request can agree to it.
Requests for Electronic Copies
As a small medical practice, chances are that you might be relying on paper to manage information about your clients – files with their PHI, history, and more. If a patient requests that you send them an electronic copy of the accounting of disclosures, you won’t have said copy readily available.
If you can produce it, well and good. If not, a readable alternative electronic format or even a hard copy will also be acceptable, provided you both can agree upon it. This means that you aren’t required to purchase new software/equipment to fulfill their request.
The problem only begins if the patient declines any other format than the requested electronic copy. In case they agree to accept any other format, it’s up to you to make sure the delivery is seamless and on their terms.
HIPAA accounting of disclosure requirements may seem to be rather harsh at times if you have a medical practice, but it is important to understand that at the end of the day, the goal of these requirements is to give patients full control over their health information, and also to minimize liability.
It is every patient’s right to know how their PHI is being disclosed and it is your duty to ensure that it’s being kept safe.