HIPAA Disclosure Accounting: An In-Depth Guide

It has become critically important to protect the privacy of patient information within the healthcare environment. The Health Insurance Portability and Accountability Act (HIPAA) lays down detailed guidelines concerning the confidentiality, integrity, and availability of protected health information (PHI). A key part of the act is HIPAA Disclosure Accounting, under which covered entities are required to maintain a detailed accounting of certain disclosures of PHI.

This article covers what the guidelines require, including when an accounting must be made, the business associate's role, exceptions, and more. B&L PC Solutions has over 27 years of experience and can help you with the related issues that businesses face, through its cybersecurity services on Long Island.

What is HIPAA Disclosure Accounting?

An accounting of disclosure under HIPAA requires that covered entities account for specific disclosures of an individual's protected health information (PHI) and make such accounts available to the individual upon request.

The accounting usually covers disclosures made in the six years before the date of the request. The requirement is intended to improve transparency with individuals regarding who has used their health information and for what purpose.

Key Elements:

1. Duration:

The accounting covers disclosures made by the covered entity in the six years before the individual's request date.

2. Information Included:

  • Date of Disclosure: The date when the PHI was disclosed.
  • Recipient's Details: The name and, if known, the address of the person or entity to whom the PHI was disclosed.
  • Description of PHI Disclosed: A description of the PHI disclosed.
  • Purpose of Disclosure: A short statement stating the reasons for the disclosure or a copy of the written request for disclosure, if appropriate.

3. Format:

The accounting should be made available in writing, either on paper or online, depending on the individual's preference.

4. Timeframe for Response:

A covered entity has 60 days after a request to provide the accounting to the individual. If the accounting cannot be provided within this timeframe, a maximum extension of 30 days is allowed, provided the individual has received written notice of the delay and the new expected completion date.

5. Cost:

The first accounting provided within any twelve-month period should be free of charge. For any further requests made within the same period, covered entities may charge a reasonable, cost-based fee, provided they first notify the individual in writing and give the individual an opportunity to withdraw or modify the request to avoid or reduce the cost.

When is a Disclosure Accounting Required Under HIPAA?

Not every disclosure requires accounting. Typically, however, this documentation is needed in the following cases:

1. Public Health Activities:

Disclosures to public health authorities that are legally authorized to collect or receive information for disease, injury, or disability prevention and control purposes.

2. Judicial and Administrative Proceedings:

Disclosures made to comply with court orders and subpoenas.

3. Law Enforcement Purposes:

Disclosures made to aid in law enforcement investigations, such as locating a suspect or reporting a crime.

4. Research:

Disclosures for research without the patient's authorization, under certain conditions.

5. Health Oversight Activities:

Disclosures to health oversight agencies for legally permitted activities such as audits and investigations.

6. Required by Law:

Any disclosure required by law (Legal Information Institute).

7. Whistleblowing:

Reporting to health oversight agencies or public health authorities when an employee has a good faith belief that the covered entity has engaged in illegal acts or violated professional standards and HIPAA regulations.

8. Victims of Abuse or Neglect or Domestic Violence:

Reports made to a government authority that is mandated to receive reports of abuse, neglect, or domestic violence.

HIPAA Disclosure Accounting and Business Associates

Business associates are entities that may perform a function or activity on behalf of or provide services to a covered entity that involve PHI. They play an essential part in the healthcare ecosystem.

Thus, although the HIPAA Privacy Rule is primarily concerned with covered entities, business associates are also subject to some obligations under it:

1. Business Associate Agreements (BAAs):

Covered entities must have Business Associate Agreements (BAAs) in place that outline the business associate's permissible uses and disclosures of PHI. These agreements stipulate that business associates will document disclosures appropriately and provide necessary information to the covered entity to fulfill accounting requests.

2. Direct Obligations:

Business associates also have direct obligations regarding some aspects of HIPAA compliance, such as maintaining records relating to disclosures and ensuring safeguards for PHI.

3. Provision of Information:

Business associates must also make available to the covered entity the information required to comply with an individual's right to an accounting of disclosures.

4. Optional Delegation:

The BAA may assign responsibility for accounting of disclosures to the business associate, but the covered entity remains responsible for compliance.

When an Accounting of Disclosures of PHI to Patients is Not Required under HIPAA

Covered entities are exempt from the accounting obligation for certain disclosures:

1. Treatment, Payment, and Health Care Operations (TPO):

No accounting is required for disclosures made for treatment, payment, or health care operations.

2. Incidental Disclosures:

Incidental disclosures made under circumstances otherwise appropriately covered by the rule or regarding treatment, payment, or health care operations. Reasonable safeguards against incidental overhearing would not be a sufficient basis for disclosure.

3. To the Individual:

Information disclosed directly to the individual or their designated representative.

4. With Authorization:

Disclosures made with the individual's written authorization.

5. National Security or Intelligence Purposes:

Disclosures made to authorized federal officials for intelligence, counter-intelligence, and other national security activities.

6. Correctional Facility or Law Enforcement Disclosures:

Disclosures made to correctional facilities or law enforcement officials lawfully exercising custody over an inmate.

7. Limited Data Set Disclosures:

Accounting is not needed when the disclosure concerns a limited data set (with specific direct identifiers removed) related to research, public health, or health care operations.

8. Facility Directories:

Disclosures for facility directory purposes (e.g., a hospital listing its patients in a directory) for which the individual has not objected are also exempt from accounting.

9. De-identified Information:

Once information has been de-identified, HIPAA imposes no accounting requirement for its disclosure.

Significance of HIPAA Disclosure Accounting

HIPAA Disclosure accounting is more than a mere recordkeeping activity—it's essential to complying with HIPAA. Failure to account for disclosures properly can attract heavy penalties.

Why It Matters:

1. Builds trust:

It assures patients of transparency and thus helps build a strong bond with them.

2. Helps organizations:

It allows organizations to prevent unauthorized or suspicious disclosures.

3. Defense against liability:

It protects the organization against liability in the event of a formal audit or a breach.

4. Alignment:

It ensures that the organization's rules and requirements follow those enforced by the Office for Civil Rights (OCR).

Potential Penalties for Non-compliance:

Violation Category            Penalty Per Violation    Annual Maximum
Unknowing                     $100 - $50,000           $1.5 million
Reasonable Cause              $1,000 - $50,000         $1.5 million
Willful Neglect (Corrected)   $10,000 - $50,000        $1.5 million

Best Practices in HIPAA Accounting for Disclosure

A defined process will mitigate compliance risks while providing an easy path for accounting.

1. Automated Tracking Software

After obtaining patient consent, the HIPAA software will automatically track and log disclosures of PHI and aid in reporting as required.

2. Training of Personnel

Training of employees and contractors should regularly cover:

  • What constitutes a "disclosure"
  • When accounting is necessary
  • How to accurately document disclosures

3. Audit Trails

Logs should record who accessed PHI, when, and why, for both external and internal disclosures, including cases where there is doubt about whether the disclosure is exempt.

4. Clear Policies & Procedures

Create written policies that clearly state how and when to account for disclosures and how to respond to individual requests.

5. Oversight of Business Associates

Ensure that the Business Associate Agreements (BAAs) specify:

  • That they are required to maintain records of disclosures.
  • How they will provide support for accounting requests.

Best Practices for Managing HIPAA Disclosure Accounting

1. Automated Tracking Systems

Use HIPAA-compliant software tools to log all PHI disclosures automatically, making it easy to generate requested reports.

2. Staff Training

Give regular training to employees and business associates on:

  • What counts as a disclosure
  • When accounting is needed
  • How to document disclosures accurately

3. Audit Trails

Maintain logs that track who accessed PHI, when, and why, even for internal-only disclosures, and make sure a disclosure is logged whenever it is unclear whether it is exempt.

4. Well-articulated Policy & Procedure

Well-documented policies should be developed that spell out how and when to account for disclosures and how to handle individual requests.

5. Overseeing Business Associates

Ensure that each BAA:

  • Stipulates the obligation to maintain disclosure records.
  • States how the business associate will support accounting requests.

Conclusion

HIPAA Disclosure Accounting is one pillar of a culture of transparency in managing patient data. By maintaining accurate records of each PHI disclosure, as the requirement demands, entities build trust with both patients and stakeholders.

Understanding when accounting is necessary, what it may entail regarding business associates, and what may be exempt from accounting requirements can save organizations significant fines and reputational damage. We at B&L PC Solutions ensure that all doctors and covered entities enjoy complete compliance with HIPAA, from risk assessments to data security solutions.

Do you need help in understanding HIPAA compliance?
Contact B&L PC Solutions for expert help with everything from HIPAA Disclosure Accounting to cybersecurity products to secured IT infrastructures.

Let us hear from you today and schedule a free consultation to discuss your current posture regarding HIPAA compliance.

FAQs

1. What does a HIPAA accounting of disclosures comprise?

An accounting of disclosures under HIPAA must specify the date of the disclosure, the recipient's name and address, a brief identification of the PHI, and a description giving the reason for each disclosure.

2. What is the maximum period within which I must provide a HIPAA disclosure accounting?

Covered entities are bound to provide the computer-generated accounting within sixty days. After this, an extension of thirty more days may be granted, but only upon written notification to the patient.

3. Is it mandatory to account for disclosures made for treatment purposes?

No. Accounting under HIPAA is not required for disclosures made for treatment, payment, or healthcare operations.

4. Are patients allowed to request any kind of disclosures?

Yes. The patient can reasonably expect an accounting of disclosures of their PHI made during the last six years, excluding exempted disclosures.

5. Must business associates maintain disclosure records?

Yes. Business associates are also required to maintain records of their disclosures and make them available to the covered entity upon request to give effect to the accounting obligations.

6. When is a disclosure accounting required under HIPAA?

A disclosure accounting is required under HIPAA when a patient's health information is shared without their authorization and not for treatment, payment, or healthcare operations. This includes disclosures to public health agencies, law enforcement, oversight authorities, and for legal or compliance purposes.
