Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Privacy Policies & Procedures

Section 12 - Right to an Accounting of Disclosures of Protected Health Information

 

Title: Right to an Accounting of Disclosures of Protected Health Information Policy: PRV-12.01
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.528(a)
Standard: Right to an Accounting of Disclosures of Protected Health Information Responsibility: Health Care Components
Effective Date: 04/14/2003
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

To layout the Patient’s rights regarding an accounting of disclosures of their own PHI.

Policy
  1. An individual has a right to receive an accounting of disclosures of protected health information made OSU in the six years prior to the date on which the accounting is requested, except for disclosures: §164.528(a)(1)
    • To carry out treatment, payment and healthcare operations as provided in §164.506;  §164.528(a)(1)(i)
      • One exception is that any records contained with an Electronic Health Record at OSU, the individual has a right to receive an accounting of disclosures made by OSU during only the three years prior to the date on which the accounting is requested. Sec. 13405(c)
    • To individuals of PHI about them as provided in §164.502;  §164.528(a)(1)(ii)
    • Incident to a use or disclosure otherwise permitted or required by the Privacy Rule, as provided in §164.502;  §164.528(a)(1)(iii)
    • Pursuant to an authorization as provided in §164.508;  §164.528(a)(1)(iv)
    • For OSU facility directory or to persons involved in the individual’s care or other notification purposes as provided in §164.510;  §164.528(a)(1)(v)
    • For national security or intelligence purposes as provided in §164.512(k)(2);  §164.528(a)(1)(vi)
    • To correctional institutions or law enforcement officials as provided in §164.512(k)(5);  §164.528(a)(1)(vii)
    • As part of a limited data set in accordance with §164.514(e); or   §164.528(a)(1)(viii)
    • That occurred prior to the HIPAA compliance date for OSU.  §164.528(a)(1)(ix)
  2. OSU must temporarily suspend an individual's right to receive an accounting of disclosures to a health oversight agency or law enforcement official, as provided in § 164.512(d) or (f), respectively, for the time specified by such agency or official, if such agency or official provides OSU with a written statement that such an accounting to the individual would be reasonably likely to impede the agency's activities and specifying the time for which such a suspension is required.   §164.528(2)(i)
  1. If the agency or official makes such a request orally, OSU must:  §164.528(a)(2)(ii)
    • Document the statement, including the identity of the agency or official making the statement.  §164.528(a)(2)(ii)(A)
    • Temporarily suspend the individual’s right to an accounting of disclosures subject to the statement and;  §164.528(a)(2)(ii)(B)
    • Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement is submitted during that time.  §164.528(a)(2)(ii)(C)
  2. An individual may request an accounting of disclosures for a period of time less than six years from the date of the request.  §164.528(a)(3)
Procedure
  1. An individual requesting an accounting of disclosures shall fill out the required form, found here.
  2. The form must be completed in its entirety and returned to the HIPAA Compliance Office.
  3. If the form is returned to other staff at OSU, they shall forward the request on to the HIPAA Compliance Office without delay.
Reference

45 CFR §164.528(a)
HITECH Sec.13405(c)


top of page top

 

Title: Content of the Accounting Policy: PRV-12.02
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.528(b)
Standard: Right to An Accounting of Disclosure of Protected Health Information  Responsibility: Health Care Components
Effective Date: 04/14/2003
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

To identify the required elements OSU must provide those individuals who request an accounting of disclosure.

Policy

OSU must provide the individual with a written accounting that meets the following requirements:  §164.528(b)

  1. Except as otherwise provided in Policy PRV-12.01 Right to Accounting of Disclosures of PHI, the accounting must include disclosures of PHI that occurred during the six years (or such shorter time period at the request of the individual) prior to the date of the request for an accounting, including disclosures to or by business associates of OSU.  §164.528(b)(1)
  1. Except as otherwise noted in this policy, the accounting must include for each disclosure:  §164.528(b)(2)
    • The date of the disclosure  §164.528(b)(2)(i)
    • The name of the entity or person who received the PHI and, if known,  the address of such entity or person;  §164.528(b)(2)(ii)
    • A brief description of the PHI disclosed; and  §164.528(b)(2)(iii)
    • A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure under §§164.502(a)(2)(ii) or 164.512, if any.  §164.528(b)(2)(iv)
  2. If, during the period covered by the accounting, OSU has made multiple disclosures of PHI to the same person or entity for a single purpose, OSU may provide:  §164.528(b)(3)
    • The information required for the first disclosure of the accounting period;  §164.528(b)(3)(i)
    • The frequency, periodicity, or number of disclosures made during the accounting period and;  §164.528(b)(3)(ii)
    • The date of the last such disclosure during the accounting period.  §164.528(b)(3)(iii)
  3. If, during the period covered by the accounting, OSU has made disclosures of PHI for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the PHI about the individual may have been included, provide:  §164.528(b)(4)(i)
    • The name of the protocol or other research activity;  §164.528(b)(4)(i)(A)
    • A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records;  §164.528(b)(4)(i)(B)
    • A brief description of the type of PHI that was disclosed;  §164.528(b)(4)(i)(C)
    • The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period;  §164.528(b)(4)(i)(D)
    • The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and  §164.528(b)(4)(i)(E)
    • A statement that the PHI of the individual may or may not have been disclosed for a particular protocol or other research activity.  §164.528(b)(4)(i)(F)
  4. If OSU provides an accounting for research disclosures, in accordance with the above section, and if it is reasonably likely that the PHI of the individual was disclosed for such research protocol or activity, OSU shall, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher.  §164.528(b)(4)(ii)
Procedure

To comply with this requirement, the inside back page of the paper medical record shall be used for documentation of disclosures that must be accounted for or the Electronic Health Record for the Patient under Disclosures, or PHI Log.  To facilitate this, OSU staff may use preprinted adhesive labels for permanent attachment to the record.  Upon a disclosure for which an accounting is required, the individual making the disclosure must enter the relevant data on the form, including the name of the individual making the disclosure for future identification.

The HIPAA Compliance Office shall create the actual list of disclosures for each request.


top of page top

 

Title: Provision of the Accounting Policy: PRV-12.03
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.528(c)
Standard: Right to an Accounting of Disclosure of Protected Health Information Responsibility: Health Care Components
Effective Date: 04/14/2003
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

To identify how OSU must provide the accounting to the individual.

Policy
  1. OSU must act on the individual’s request for an accounting, no later than 60 days after receipt of such a request, as follows:  §164.528(c)(1)
    • OSU must provide the individual with the accounting requested; or  §164.528(c)(1)(i)
    • If OSU is unable to provide the accounting within the time required as stated above, OSU may extend the time to provide the accounting by no more than 30 days, provided that:  §164.528(c)(1)(ii)
      • OSU, within the time limit provided above, provides the individual with a written statement with the reasons for the delay and the date by which OSU will provide the accounting; and  §164.528(c)(1)(ii)(A)
      • OSU may have only one such extension of time for action on a request for an accounting.  §164.528(c)(1)(ii)(B)
  2. OSU must provide the first accounting to an individual in any 12 month period without charge.  OSU may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period, provided that OSU informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee.  §164.528(c)(2)
Procedure

Upon receipt of the request, the HIPAA Compliance Office shall gather all such known disclosures, if any, and present them to the individual within the time frame listed in this policy.

The HIPAA Compliance Office shall keep record of all requests for an Accounting of Disclosure.


top of page top

 

Title: Documentation Policy: PRV-12.04
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.528(d)
Standard: Right to an Accounting of Disclosure of Protected Health Information Responsibility: Health Care Components
Effective Date: 04/14/2003
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

To identify what OSU must document in regards to a request for an accounting.

Policy

OSU must document and retain the following as required by §164.530(j):  §164.528(d)

  1. The information required to be included in an accounting for disclosure of PHI that are subject to an accounting;  §164.528(d)(1)
  2. The written accounting that is provided to the individual; and  §164.528(d)(2)
  3. The titles of the persons or offices responsible for receiving and processing such requests for an accounting by individuals.  §164.528(d)(3)
Procedure

Copies of accountings will be retained within the medical record and/or Electronic Health Record of the individual.  The OSU HIPAA Compliance Office is responsible for receiving requests for accounting.


top of page top

 

OSU-CHS on Facebook OSU-CHS on Twitter OSU Medicine on You Tube