The following practice brief is based on the HIPAA Privacy Rule (45 CFR, Parts 160-164) published 12/28/00. It does not reflect final changes to the Privacy Rule published in the Federal Register on 8/14/02.
In the past, facility practice or state laws were the drivers behind maintaining a tracking log for release of information. Until the HIPAA privacy rule, there was no federal law requiring a tracking mechanism for release of information. Under HIPAA, covered entities are required to track disclosures of protected health information (PHI).
The purpose of tracking disclosures is to provide an individual with an account of disclosures for the six years prior to the date of their request. To accommodate this requirement, a tracking mechanism and reporting process will need to be developed.
The standards for privacy of individually identifiable health information give an individual the right to receive a written accounting of disclosures of their protected health information made by a covered entity in the six years prior to the date of which the accounting is requested (§164.528). An individual may request an accounting for a period of time less than six years.
HIPAA defines disclosure as "the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information." This includes disclosures to or by business associates of the covered entity. There are a number of exclusions that do not require tracking.
Disclosures That Do Not Require Tracking
Not all disclosures require tracking or need to be accounted for upon request by an individual. The following disclosures of PHI are excluded:
- Disclosures made for treatment, payment, and healthcare operation purposes (§164.502)
- Disclosures made to the individual (§164.502)
- Disclosures made for directory purposes (§164.510)
- Disclosures made to persons involved in the individual's care (§164.510)
- Disclosures made for national security or intelligence purposes (§164.512(k)(5))
- Disclosures to correctional institutions or law enforcement officials (§164.512(k)(5))
- Disclosure made prior to the date of compliance with the privacy standards
Additional criteria/clarification can be found in the sections referenced after each statement.
All other disclosures of PHI must be tracked. Disclosures are not limited to hard-copy information but any manner that divulges information, including verbal release. Many disclosures that require tracking will be accompanied by an authorization or written request. A mechanism will need to be in place to track other types of disclosures that do not have a paper trail.
Required Content of the Accounting
When an individual makes a request for an accounting of disclosures, the written accounting for each disclosure must include:
- date of disclosure
- name and address, if known, of
the entity or person who received the PHI
- brief description of the PHI disclosed
- brief statement of purpose that reasonably informs the individual of the purpose or a copy of the authorization or a copy of the written request for disclosure
- if multiple disclosures are made to the same entity or person for the same reason, it is not necessary to document items 1-4 for each disclosure. The covered entity may document instead the first disclosure, the frequency or number of disclosures made during the accounting period, and the date of the last disclosure in the accounting period
Right to Accounting Suspended Based on Law Enforcement or Health Oversight Agency Request
A health oversight agency or law enforcement official may request that disclosures made to them not be provided to the individual on a temporary basis. The temporary suspension of the individual's right to receive an accounting must be made in writing, include the reason why the disclosure would impede the activities of the agency, and indicate the time frame the suspension is required. Sections 164/512(d) and (f) describe activities related to health oversight agencies and law enforcement officials.
If the request is made orally, a covered entity should document the request for suspension and identify the person making the statement. The individual's right to an accounting is then suspended for no more than 30 days unless the written request is submitted during that time frame.
Upon request, the entity must provide the individual with a written accounting of disclosures for the six years prior to the date of the request. The time period requested can be less than six years. The written accounting must contain the elements listed above.
The entity must retain a copy of the written accounting that is provided to the individual.
The entity must document and retain the titles of the staff or the department or offices that are responsible for receiving and processing requests for an accounting.
The covered entity has 60 days to act on the request for an accounting of disclosures. One 30-day extension is allowed, but the individual must be informed in writing of the delay, the reason for the delay, and the date the accounting will be provided.
Options for Tracking Disclosures
Covered entities may choose the best method to track disclosures. The following list provides examples of different tracking methods and how the information can be provided to an individual:
- Computerized tracking system:
Develop a computerized tracking method such as a spreadsheet or database that collects the required content for an accounting. A computerized tracking system should have the ability to sort by individual and by date. The advantages include:
- manual records or forms don't have to be pulled to document disclosures
- when the log is on a computer network, multiple individuals in an organization can enter disclosures into one location
- one tracking log or computer file can be used for all entries with sorting capabilities
- a report can be printed from the computerized tracking log when the individual requests an accounting of the disclosures
- Manual log: A manual or paper log can be used to track disclosures. One log should be maintained per individual for ease in pulling together a report upon request. A copy of the log can be provided to the individual on their request for an accounting. If multiple individuals disclose information, a mechanism would need to be in place to capture all disclosures-for example, each person who discloses information would have to pull the form or the medical record to log the disclosure information.
- Authorization form: Another method for tracking disclosures is to use the authorization form (ensure that all required information is included on the form). Not all disclosures to be tracked will require an authorization form, so another method will also need to be in place. When an individual requests an accounting, the authorizations can be copied along with the log for other types of disclosures.
A covered entity must provide the first accounting free in any 12-month period. Subsequent requests in the 12-month period can be charged a reasonable fee based on the entity's costs of providing the accounting.
Before charging a fee, the entity must inform the individual and allow them the opportunity to withdraw or modify their request to avoid or reduce the fee.
1. Check state laws, regulations, and standards for your practice setting to determine if there are any requirements to maintain a disclosure and release of information tracking system.
2. Determine how information will be collected. If a log is already in place, evaluate how to combine into one system. (See "Sample Disclosure Tracking Log".)
- determine if a manual or computerized database is to be retained. If keeping one chronological log, the ability to sort by patient over a six-year period is necessary
- if a manual log will be used, determine where it will be located (for example, kept in the medical record or with the release of information staff)
- determine how to consolidate information for accounting when other departments disclose PHI
- determine if the retention schedule for medical records will need to change if authorizations or written requests are kept in the medical record and used to document the description of PHI released
3. Establish a process to request an accounting.
4. Determine how to document and where to retain a copy of the accounting provided to the individual. If providing a copy of the actual log, include an area to document the individual's request (see "Sample Request for An Accounting of Disclosures").
5. Establish a reasonable fee based on the costs for requests.
6. Write policy and procedures that include the legal requirements and address requesting, maintaining, and delivering an accounting of disclosures.
7. Educate and train appropriate staff in the health information department and other departments.
Michelle Dougherty, RHIA, HIM practice manager
Kathleen Frawley, JD, MS, RHIA
Gwen Hughes, RHIA
"Standards for the Privacy of Individually Identifiable Health Information; Final Rule." 45 CFR Parts 160 through 164. Federal Register 65, no. 250 (December 28, 2000). Available at http://aspe.hhs.gov/admnsimp/.
Abdelhak, Mervat et al. Health Information: Management of a Strategic Resource, Second Edition. Philadelphia: W.B. Saunders Company 2001.