Health Information Management

Q&A: Accounting of disclosures

HIM-HIPAA Insider, August 16, 2011


Q: Must a covered entity (CE) provide an accounting of the following disclosures?

  • A CE discloses PHI to a business associate (BA), and it is beyond the scope of the BA agreement (BAA) or more than the minimum necessary for the BA to accomplish the intended purpose. For example, the CE sends a report that includes a patient’s name, date of birth, age, gender, address, service type, and provider name to a BA to aggregate the data for purposes described in the BAA. The BA does not need the patient’s address, gender, or provider name.
  • A CE sends a BA information it should not receive (i.e., intended for a different BA), such as a package of referral letters that includes patient names, medical record numbers, and approved/denied referral services. The package is returned to the CE.

A: The HIPAA Privacy Rule does not require inclusion of disclosures for healthcare operations in an accounting of disclosures, but ARRA does. If disclosures are made from an electronic record system acquired after January 1, 2009, you must account for them by January 1, 2013. If you had an electronic record system in place on or before January 1, 2009, you have until January 1, 2014, to comply.

Are these disclosures considered breaches that must be reported pursuant to ARRA? No. ARRA's definition of a breach does not include any unintentional acquisition, access, or use of PHI by a CE or BA made in good faith within the course and scope of a professional relationship if the information is not further acquired, accessed, used, or disclosed.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of HIM at Scott & White Healthcare in Temple, TX, answered this question in the August issue of Briefings on HIPAA.
