accounting for disclosures of records, right to (HIPAA)
HIPAA's Privacy Rule includes a right to an "accounting of disclosures" -- a listing of all disclosures of an individual's protected health information (PHI) made by the covered entity or its business associates for up to six years preceding the request.
The right is far less expansive than it might first appear. It does not provide that individuals are entitled to know about anyone who has had access to their PHI, as there are many exclusions. However, covered entities are free to go beyond the minimal accounting that HIPAA requires.
Most importantly, the accounting may exclude disclosures made by the covered entity to carry out treatment, payment and health care operations, which constitute the overwhelming majority of communications.
In addition, the accounting may exclude disclosures:
- to the individual, of his or her own protected health information;
- for the facility's directory or other notification purposes;
- incidental to otherwise permissible disclosures; or
- that occurred prior to the compliance date (14 April 2003 for large entities, one year later for small ones).
Temporary suspension of an accounting is permitted for health oversight, national security, or law enforcement purposes. Such suspensions require that an agency or official provide a written statement that an accounting would be reasonably likely to impede their activities. The statement must specify the time for which such a suspension is required. (Oral requests of this kind are permitted, but can be in effect for no longer than 30 days without a written request as a follow-up.)
Note that disclosures for research operating under a waiver of authorization are not exempt from the accounting requirement, though disclosures made pursuant to an authorization for research are (because all authorization-based disclosures are exempt). The requirement can be met by providing individuals with a list of all protocols for which their PHI may have been disclosed pursuant to a waiver, as well as the researcher's name and contact information. (Where 50 or fewer records are involved, the accounting must meet the normal specificity requirements listed below.)
Written accountings, for information not subject to the above exemptions, must include for each disclosure:
- the date of the disclosure (if multiple disclosures, the start and stop dates and the frequency);
- the name of the entity or person who received the protected health information and, if known, the address of such entity or person;
- a brief description of the protected health information disclosed; and
- a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure.
Covered entities have 60 days to meet such requests. An additional 30-day extension beyond that is allowed if the requestor is provided with a written explanation for the delay.
Individuals are entitled to a single accounting every 12 months without charge. Additional requests within a 12-month period may be subject to a "reasonable, cost-based fee" (provided that this is detailed in the Notice of Privacy Practices).
As with other HIPAA rights, institutions must designate a privacy office/officer to handle disclosure accounting requests, and must document the processing of any requests that are received.