Understanding the Meaning of Accounting of Disclosures in HIPAA

The accounting of disclosures is an important aspect of the Health Insurance Portability and Accountability Act (HIPAA) that ensures the privacy and security of protected health information (PHI). It allows individuals to have access to information about who has accessed their PHI and for what purpose.

The Right to an Accounting of Disclosures

Under HIPAA, individuals have the right to request an accounting of disclosures of their PHI. This means that covered entities, such as healthcare providers and health plans, must keep track of and provide information about certain disclosures of PHI.

The purpose of the accounting of disclosures is to provide transparency and accountability regarding the use and disclosure of individuals' PHI. It allows individuals to know who has accessed their information and for what purposes, which can help them identify any unauthorized or inappropriate disclosures.

What Must Be Documented in an Accounting of Disclosures?

Covered entities are required to document certain types of disclosures in an accounting of disclosures. These include:

• Incidental disclosures: Covered entities must document incidental disclosures, which are unintentional disclosures that occur as a byproduct of a permissible use or disclosure of PHI.
• Access to information by business associates: Covered entities must document instances where business associates access individuals' PHI.
• Oral communications: The HIPAA Privacy Rule requires covered entities to document all oral communications that involve the disclosure of PHI.
• Access by public health authorities: Covered entities must document each medical record that may be accessed by a public health authority.
• Date of access: If the date of access is not known for certain, covered entities must account for the date to the best of their knowledge.
• Limited data set disclosures: Covered entities must provide an accounting for disclosures even if the only information disclosed is a limited data set.
• Hiring business associates to create a limited data set: Covered entities may hire a business associate to create a limited data set, but they must still account for disclosures involving that data set.
• Disclosures made during the course of litigation: Covered entities must account for disclosures of PHI made during the course of litigation.

The Proposed Modifications to the HIPAA Privacy Rule

The Department of Health and Human Services (HHS) has proposed modifications to the HIPAA Privacy Rule's standard for accounting of disclosures of protected health information. These modifications aim to enhance individuals' rights to access and control their PHI.

The proposed modifications include:

• Accounting of Disclosures of Protected Health Information: Section 164.528(a) of the HIPAA Privacy Rule would be modified to provide individuals with a right to an accounting of disclosures of their PHI.
• Right to an Access Report: Section 164.528(b) would be added to give individuals the right to obtain an access report that provides information about who has accessed their PHI.
• Confidentiality of Patient Safety Work Product: The proposed rule also addresses the confidentiality of patient safety work product and its relationship to the accounting of disclosures.
• Notice of Privacy Practices: Section 164.520 would be modified to require covered entities to include information about the right to an accounting of disclosures in their notice of privacy practices.

Importance of the Accounting of Disclosures

The accounting of disclosures plays a crucial role in protecting individuals' privacy and ensuring the security of their PHI. It allows individuals to have control over their health information by knowing who has accessed it and for what purposes.

By requiring covered entities to document and provide an accounting of disclosures, HIPAA promotes transparency and accountability in the healthcare industry. It helps prevent unauthorized access to PHI and enables individuals to take action if they suspect any privacy breaches.

Compliance with the Accounting of Disclosures

Covered entities must ensure compliance with the accounting of disclosures requirements under HIPAA. This includes properly documenting all relevant disclosures and providing individuals with access to their accounting of disclosures upon request.

Failure to comply with the accounting of disclosures requirements can result in penalties and legal consequences. Covered entities should have proper systems and procedures in place to accurately track and document disclosures of PHI.

Conclusion

The accounting of disclosures is a critical aspect of HIPAA that gives individuals the right to know who has accessed their PHI and for what purposes. It promotes transparency, accountability, and privacy in the healthcare industry.

The proposed modifications to the HIPAA Privacy Rule aim to enhance individuals' rights and improve the accounting of disclosures process. Covered entities must ensure compliance with the requirements and take appropriate measures to protect individuals' privacy and security of their PHI.