Q&A: Accounting of disclosures
Q. It is my understanding that we can make PHI disclosures using our electronic health record (EHR) for payment/treatment/healthcare operations without a consent and that we do not need to track these requests for an accounting of disclosures. Has this changed?
A. There appear to be two different questions here. One is regarding the disclosure of PHI without patient consent and the other is regarding the requirements around a patient-requested accounting of disclosures. In response to the first question, that is correct. If you are disclosing PHI as part of treatment, payment, and healthcare operations (TPO), you do not need to obtain patient consent as long as the disclosure is for TPO. That doesn’t mean you don’t need to track such disclosures—you do need to retain the documentation related to the disclosure. For example, if you receive a fax from a clinic requesting you fax patient information to the clinic, you need to retain the fax that, in essence, authorized the disclosure.
As to the second question, if a patient requests an accounting of disclosures for PHI disclosed for reasons other than TPO, you do need to track the disclosures made and the patient’s request. OCR indicated last month it would be scrapping the accounting of disclosures draft rule it published in 2011 and will “go back to the drawing board” in an effort to comply with the HITECH Act accounting of disclosures requirement. Although today you don’t need to account for disclosures for TPO or when a patient authorizes the disclosure, you may be required to do so in the future.
Editor's note: This question was answer by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a Briefings on HIPAA editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are that of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Editor Nicole Votta at firstname.lastname@example.org.