Individuals have a right to receive an accounting of certain disclosures of PHI made by the health care component for a time period of up to 6 years prior to the date on which the accounting is requested.
DISCLOSURES EXCLUDED FROM HIPAA ACCOUNTING
Certain disclosures are excluded from the HIPAA accounting requirement. Individuals do not have a right under HIPAA to obtain an accounting of disclosures made:
- to carry out treatment, payment or health care operations
- to the individual or the individual's personal representative
- pursuant to an authorization
- disclosures incidental to a permitted disclosure
- for a facility directory
- to persons (e.g. family) involved in the individuals care
- for national security or intelligence purposes
- to correctional institutions or law enforcement officials about an inmate or other individual in legal custody
- as part of a limited data set with a data use agreement
- as de-identified information
- prior to April 14, 2003
- more than 6 years prior to the request for accounting
DISCLOSURES INCLUDED IN HIPAA ACCOUNTING
All disclosures that are not specifically excluded from the accounting must be provided in the written accounting. The accounting must be kept for 6 years from the date of the disclosure. If one of the following disclosures is made after April 14, 2003, it must be included in the accounting. These include disclosures:
- required by law (e.g. mandated reporting under state law)
- for public health activities and reporting
- about victims of abuse, neglect or domestic violence
- for health oversight activities (e.g. licensure actions)
- in response to a court order
- in response to a subpoena or discovery request
- for law enforcement purposes
- to a medical examiner, funeral director or for cadaveric organ donation.
- for certain specialized government functions (e.g. regarding armed forces personnel)
- as authorized by and to the extent required to comply with worker's compensation laws.
- to business associates (if not in an excluded category)
- made subsequently by business associates (if not in an excluded category)
- not permitted by HIPAA
- to researchers under the following circumstances (irrespective of whether the researcher obtains the MN compliant authorization)
- based on a waiver or alteration of the individual authorization requirement
- for reviews preparatory for research
- under the procedure for access to decedent records
- to the Secretary of the federal Department of Health and Human services
- any other disclosure of PHI that is not specifically excluded.
ACCOUNTINGS REQUIRED UNDER MINNESOTA LAW
Minnesota law also requires that release of records made without patient consent (including those made prior to April 14, 2003) be documented in the patient's health record. Accountings are required under Minnesota law for all disclosures listed under section B above, disclosures to related health care entities for current treatment of the individual and disclosures under items 7 and 8 of section A above.
ACCOUNTINGS SUSPENDED BY LAW ENFORCEMENT OR HEALTH OVERSIGHT OFFICIALS
Upon request by a health oversight agency or law enforcement official the accounting of the disclosures made to the agency or official will be suspended for the time period specified in the request. The request must state that the accounting would be reasonably likely to impede the agency's activities and must specify the time period of the suspension. Any such request must be documented and the accounting for the disclosures must be renewed at the end of the specified time period. If the initial statement by the agency or official is oral, the temporary suspension may not exceed 30 days, unless a written statement is submitted by the agency or official within 30 days of the oral request.
TIME PERIOD FOR ACTION
Generally, health care components must act on an individual's request for an accounting within 60 days from receipt of the request. The time for action on a request may be extended for an additional 30 days if the health care component is unable to take action within the original time period for action. To extend the time period for action, a written statement of the reasons for the delay must be provided to the individual within the 60 days from receipt of the request. One extension of the time period for action is allowed per request.
The first accounting during any 12-month time period must be provided without charge. A reasonable, cost-based fee may be charged for subsequent requests during any one 12-month time period. In situations where a fee would be imposed, the individual will be informed in advance of the fee and given an opportunity to withdraw or modify the request.
HIPAA ACCOUNTING CONTENT GENERALLY
In response to a request for an accounting of disclosures, the health care component must provide a written report of disclosures requiring accounting that were made in the 6 years prior to the request, or during a shorter time period if requested by the individual.
Standard accountings must include:
- Date of disclosure;
- Name of the recipient, and address if known;
- Brief description of the PHI disclosed;
- Brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for disclosure, or a copy of the request for the disclosure.
If multiple disclosures of PHI are made to the Secretary or to the same person or entity for a single purpose during the accounting period, the following must be provided:
- the standard accounting information for the first disclosure during the accounting period;
- the frequency, periodicity, or number of disclosures; and
- the date of the last disclosure.
HIPAA ACCOUNTING CONTENT FOR DISCLOSURES MADE FOR SPECIFIC RESEARCH PURPOSES:
All disclosures for a particular research purpose made pursuant to a research alteration or waiver must be recorded by the health care component and included in the accounting of disclosures.
Research involving less than 50 subjects
If less than 50 subjects were involved, the accounting must follow the standard requirements for an accounting of disclosures, as described above.
Research involving more than 50 subjects
If 50 or more research subjects were involved, following information must be provided for each protocol or activity for which PHI of the individual may have been released:
- the name of the protocol or other research activity;
- a plain language description of the protocol or other research activity, including the research purpose and the criteria for selecting the records;
- brief description of the type of PHI disclosed;
- date or time period during which the disclosures occurred or may have occurred, including at least the last date;
- name, address and phone number of the entity that sponsored the research and the PI to which the information was disclosed; and
- a statement that the PHI may or may not have been disclosed for the particular protocol or other research activity.
Contact Information Requirement:
If it is reasonably likely that the PHI of the individual was disclosed for a particular protocol or research activity, the health care component must assist the individual in contacting the person responsible for the protocol or activity.