HIPAA Accounting for Disclosures of Protected Health Information

Version 1 (Current Version)
All Versions:
  • Version 1
PolicyREG12.60.18
TitleHIPAA Accounting for Disclosures of Protected Health Information
CategoryHealth Affairs
Sub-categoryHealth Affairs Matters - General
AuthorityChancellor
History

Effective:September 19, 2013

Revised:January 8, 2004; October 12, 2010; September 18, 2013

Transitioned from Interim to Permanent: July 17, 2014.

Related Policies
Additional References

45 CFR 164 Subpart E: Privacy of Individually Identifiable Health Information
"Modification to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule," 78 Federal Register 17 (25 January 2013), pp. 5566-5702
University & Medical Center Institutional Review Board (UMCIRB)
ECU Healthcare Components
ECU HIPAA Privacy Forms


1. Purpose

1.1. East Carolina University's Health Care Components ("ECU Health Care Components") have a legal duty to provide an individual with a written accounting of disclosures of that individual's protected health information ("PHI"). The purpose of this regulation is to provide guidance on how to process individual requests for an accounting of disclosures of PHI.

2. Regulation

2.1. Right to an Accounting of Disclosures of PHI. ECU Health Care Components must, upon request of the individual, provide an accounting of disclosures of his or her PHI made by an ECU Health Care Component in the six years prior to the date on which the accounting is requested.

2.1.1. Exceptions to the Right to an Accounting. The following items are exceptions to the accounting of disclosures requirement:

2.1.1.1. To carry out treatment, payment and health care operations;

2.1.1.2. To individuals of PHI about them;

2.1.1.3. Incident to a use or disclosure otherwise permitted or required by HIPAA;

2.1.1.4. Pursuant to an authorization;

2.1.1.5. To persons involved in the individual's care or other notification purposes;

2.1.1.6. For national security or intelligence purposes;

2.1.1.7. To correctional institutions or law enforcement officials;

2.1.1.8. As part of a limited data set; or

2.1.1.9. That occurred prior to April 14, 2003.

2.1.2. Suspension of Accounting Rights.

ECU Health Care Components must temporarily suspend an individual's right to receive an accounting of disclosures to a health oversight agency or law enforcement official for the time specified by such agency or official, if such agency or official provides the Component with a written statement that such an accounting to the individual would be reasonably likely to impede the agency's activities and specifying the time for which such a suspension is required.

2.1.2.1. If the agency or official statement in paragraph 2.1.2 is made orally, the Component must:

2.1.2.1.1. Document the statement, including the identity of the agency or official making the statement;

2.1.2.1.2. Temporarily suspend the individual's right to an accounting of disclosures subject to the statement; and

2.1.2.1.3. Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement pursuant to paragraph 2.1.1 is submitted during that time.

2.1.2.2. All requests for suspension of accounting of disclosures should be referred to the ECU HIPAA Privacy Officer for further actions.

2.1.3. Time Period for an Accounting.

An individual may request an accounting of disclosures for a period of time less than six years from the date of the request.

2.2. Content of the Accounting.

ECU Health Care Components must provide the individual with a written accounting that meets the following requirements:

2.2.1. Except as otherwise provided in paragraph 2.1.1, the accounting must include disclosures of PHI that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph 2.1.3) prior to the date of the request for an accounting, including disclosures to or by business associates of an ECU Health Care Component.

2.2.2. Except as otherwise provided by paragraphs 2.3 and 2.4, the accounting must include:

2.2.2.1. The date of the disclosure;

2.2.2.2. The name of the entity or person who received the PHI, and, if known, the address of such entity or person;

2.2.2.3. A brief description of the PHI disclosed (e.g., August 3, 2003 lung x-ray); and

2.2.2.4. A brief statement of the purpose of the disclosure that would reasonably inform a reader of the basis for the disclosure.

2.3. Multiple Disclosures.

If, during the period covered by the accounting, an ECU Health Care Component has made multiple disclosures of PHI to the same person or entity for a single purpose, the accounting may, with respect to such multiple disclosures, provide:

2.3.1. The information required by paragraph 2.2.2 for the first disclosure during the accounting period;

2.3.2. The frequency, periodicity, or number of the disclosures made during the accounting period; and

2.3.3. The date of the last such disclosure during the accounting period.

2.4. Research Disclosures.

2.4.1. If, during the period covered by the accounting, an ECU Health Care Component has made disclosures of PHI for a particular research purpose for 50 or more individuals, the accounting may, with respect to such disclosures for which the PHI about the individual may have been included, provide:

2.4.1.1. The name of the protocol or other research activity;

2.4.1.2. A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records;

2.4.1.3. A brief description of the type of PHI that was disclosed;

2.4.1.4. The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period;

2.4.1.5. The name, address, and telephone number of the entity that sponsored the research and of the research to whom the information was disclosed; and

2.4.1.6. A statement that the PHI of the individual may or may not have been disclosed for a particular protocol or other research activity.

2.4.2. If an ECU Health Care Component provides an accounting for research disclosures, in accordance with paragraph 2.4.1 and it is reasonably likely that the PHI of the individual was disclosed for such research protocol or activity, the Component shall, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher.

3. Procedure

3.1. Written Request.

All patients who inquire about obtaining an accounting of disclosures shall be directed to make this request in writing using the Request for Accounting of Disclosures form or contact the ECU HIPAA Privacy Officer.

3.2. Timeline. ECU Health Care Components must act on the individual's request for an accounting, no later than 60 calendar days after receipt of such a request, as follows:

3.2.1.1. The Component must provide the individual with the accounting requested; or

3.2.1.2. If the Component is unable to provide the accounting within 60 calendar days, the Component may extend the time to provide the accounting by no more than 30 calendar days, provided that:

3.2.1.2.1. The Component, within 60 calendar days provides the individual with a written statement of the reasons for the delay and the date by which the Component will provide the accounting; and

3.2.1.2.2. The Component may have only one such extension of time for action on a request for an accounting.

3.3. Review of Request.

The ECU HIPAA Privacy Officer will coordinate with the specific ECU Health Care Component identified in the individual's written request to fulfill the individual's request.

3.3.1. Components should contact all known business associates who have received the PHI of the individual and request a copy of the business associate's accounting of disclosures log regarding the individual.

3.4. Response to Request.

The ECU HIPAA Privacy Officer, in coordination with the ECU Health Care Component, will respond to the individual's request in writing using the ECU Response to Request for Accounting of Disclosures form.

3.4.1. Acceptance of Request.

An accounting of all disclosures in accordance with paragraph 2.1. will accompany the Response to Request for Accounting of Disclosures form.

3.4.2. Denial of Request.

A request, or portion thereof, for accounting of disclosures may be denied if:

3.4.2.1. The disclosure occurred more than six years prior to the date the request is made; or

3.4.2.2. The request includes disclosures described in paragraph 2.1.1.

3.4.2.3. Indicate the reason for denial using the Response to Request for Accounting of Disclosures form and return to the individual.

3.5. Fee for Providing an Accounting.

3.5.1. ECU Health Care Components must provide the first accounting to an individual in any 12 month period without charge. The Component may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period, provided that the Component informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee.

3.6. Documentation.

ECU Health Care Components must document the following and retain the documentation for six years from the date of its creation or the date when it last was in effect, whichever is later:

3.6.1. The information required to be included in an accounting under paragraph 2.2 for disclosures of PHI that are subject to an accounting under paragraph 2.1.

3.6.2. The written accounting that is provided to the individual under this section; and

3.6.3. The titles of the person or offices responsible for receiving and processing requests for an accounting by individuals.

3.7. Accounting of Disclosures for Research Purposes.

As a general rule, an individual can request an accounting of disclosures that includes those disclosures related to research purposes, unless such disclosures were made pursuant to an authorization or those as part of a limited data set. For more information visit UMCIRB at www.ecu.edu/irb

3.7.1. Principal Investigators (PI) must ensure that adequate records are maintained of all disclosures of PHI when:

3.7.1.1. UMCIRB Waiver for Authorization has been granted

3.7.1.2. Uses or disclosures of PHI are made preparatory to research; and

3.7.1.3. Uses or disclosures of decedent's PHI are made.

3.7.2. PIS who access the designated record set of an ECU Health Care Component must use the appropriate ECU Accounting of Disclosures Log and forward a copy along with the names of individuals when a disclosure has occurred to the ECU Health Care Component that is responsible for maintaining the individual's designated record used for the initial research.

3.7.2.1. Disclosures for 50 or more individuals. PIs should use the ECU Accounting of Disclosures Log for 50 or More Individuals Form.

3.7.2.2. Disclosures for less than 50 individuals. PIs should use the ECU Accounting of Disclosure Log.

3.7.3. The ECU HIPAA Privacy Officer must be contacted if the individual, upon receiving an accounting of disclosures that indicate a simplified accounting for research, requests confirmation if their PHI was disclosed for the specific protocol or research activity. The ECU HIPAA Privacy Officer will assist the individual in contacting the sponsor.