Q&A: Accounting of disclosures
Q. Is it necessary to log an accounting of disclosures for state-related mandatory reporting? Should it be logged for billing purposes?
A. It is not necessary to log disclosures made for billing purposes at this time. The following circumstances don’t need to be included in an individual’s accounting of disclosures:
- Disclosures for treatment, payment, and healthcare operations (TPO)
- Providing a copy of a designated record set (DRS) to the individual or to a third party at the request of an individual
- Responses to an individual’s authorization
- Disclosures for the facility's directory or to persons involved in the individual's care
- Disclosures for national security or intelligence purposes
- Disclosures to correctional institutions or law enforcement officials
- Disclosures that are part of a limited data set
The HITECH Act included provisions that mandate the accounting of all disclosures of PHI made by CEs that maintain an EHR or those made by a business associate (BA) that maintains an EHR on behalf of a CE, including accounting for disclosures made for TPO. The rule that would mandate the change in what needs to be accounted for has not been finalized, and HHS previously noted that it will not enforce provisions of law until a rule has been finalized. Therefore, at this time, the HITECH Act language is not being enforced. CEs should save disclosure records from EHRs, usually audit logs, for a minimum of three years because of the HITECH Act requirements. That doesn’t mean that CEs need to formally include these disclosures in an individual’s disclosure accounting at this time.
Editor's note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Editor Nicole Votta at firstname.lastname@example.org.