Accounting of Disclosure Policy

Reference 45 CFR 164.528 Ver. No. 1.0

Doc ID Version # Process Owner(s) Effective Date

EXT/HIPAA/ADP/ Version 1.0 CISO 15th July 2019
01

Revision History

Ver. Date of Release Author(s) History of Changes Approver

No.

1.0 15th July 2019 CISO First Baseline CISO

EXT/HIPAA/ADP/01 Page 1 of 7
 Accounting of Disclosure Policy
Reference 45 CFR 164.528 Ver. No. 1.0

1. Objective
Individuals and the CE have the right to receive an accounting of disclosures of their
Protected Health Information (PHI) as set forth by the HIPAA Privacy Rule (45 CFR
164.528).The objective of this Policy and Procedure is to support the Exterprise
process for Accounting of disclosure made by the Organization for TPO, subsequent
to the issuance of an disclosure authorization. This process also addresses situations
under which Exterprise is not obligated to track the accounting process.

2. Scope
This policy applies to all Exterprise workforce members including, but not limited to
full-time employees, part-time employees, trainees, volunteers, contractors, and
temporary workers.

3. Process Overview
The accounting of disclosure policy and procedure of Exterprise involves Covered
Components and those working on behalf of the covered components, designated as
such for purposes of complying with the privacy provisions of the Health Insurance
Portability and Accountability Act of 1996. The Covered components may include
Brokers, Service providers and the actual beneficiary.

4. Policy
1. An individual or CE has the right to receive an accounting of disclosures of PHI
made by Exterprise in the six (6) years prior to the date on which the
accounting is requested.

2. The following are disclosures, which Exterprise is required to track on the

individual’s record:

 When required by law or for law enforcement purposes.

 When requested by a government authority regarding information about

victims of abuse, neglect or domestic violence.

EXT/HIPAA/ADP/01 Page 2 of 7
 Accounting of Disclosure Policy
Reference 45 CFR 164.528 Ver. No. 1.0

 Health oversight activities.

 Judicial and administrative proceedings (ex: court orders, discovery

requests).

 To comply with workers’ compensation investigations.

 To avert a serious threat to health or safety.

3. For multiple disclosures to the same recipient for a single purpose, a

summary of accounting addressing the series of disclosures is acceptable,
rather than detailing an account of each disclosure.

4. Exterprise is also required to track all accidental disclosures. Some examples

of common accidental disclosures are:
 PHI faxed to wrong location.

 Document containing PHI mailed to wrong person.

 Paid wrong provider (claims remit containing PHI sent to wrong provider).

5. The individuals or CE must request, in writing, the accounting of disclosures,

specifying the time period to which the accounting applies, which may not be
for a period of more than six (6) years, and be reviewed and approved by the
Privacy Officer.

6. Exterprise must provide the accounting, in writing, within 30 days of the date
the request for the accounting was received. The contents of the accounting
should include the following:

 The date of the disclosure.

 The name of the entity or persons who received the PHI and if known, the
addresses of such persons.

EXT/HIPAA/ADP/01 Page 3 of 7
 Accounting of Disclosure Policy
Reference 45 CFR 164.528 Ver. No. 1.0

 A brief description of the PHI disclosed.

 A brief statement of the purposes of the disclosure.
 Any relevant documentation, such as a written request from a
government or law enforcement agency.

7. Exterprise is not required to track the following disclosures:

 Use and Disclosure of PHI as Permitted or Required by a Business

Associates Agreement Policy.
 For national security or intelligence purposes.
 To correctional institutions or law enforcement officials having lawful
custody of an inmate.
 Incidental disclosures permitted under applicable federal or state law. For
purposes of this policy an incidental disclosure is a secondary disclosure
that cannot reasonably be prevented and that occurs as a result of an
otherwise permitted use or disclosure. Example: a conversation that is
overheard despite attempts by the speakers to avoid being heard.
 Disclosures that occurred prior to the compliance date (April 14, 2003).

Recording Disclosures

Authorized Employee

 Discloses PHI that Exterprise is required to document or is made

aware of an accidental disclosure that has been made.

 Complete the form for recording Accounting of Disclosures.

EXT/HIPAA/ADP/01 Page 4 of 7
 Accounting of Disclosure Policy
Reference 45 CFR 164.528 Ver. No. 1.0

 Attach the supporting documentation to the form.

 Forward completed form and supporting documentation to the

Privacy Officer.

Privacy Officer

 Receives completed form for Accounting of Disclosures and

supporting documentation.

 Reviews for appropriate Accounting of Disclosure.

 Maintain Records of Disclosures.

ACCOUNTING OF DISCLOSURE REQUEST FROM THE MEMBER

Authorized Employee

 Receives a request from an individual, the individual’s Personal

Representative, or the CE for Accounting of disclosures.

 Sends the Accounting of Disclosures form to the individual,

individual’s Personal Representative, or CE to complete, sign and
return to the Privacy Officer.

Privacy Officer

 Receives a completed Accounting of Disclosures form from an

individual, Personal Representatives, or CE.

 Reviews the request to determine which disclosures are reportable.

 Maintain Records of Requests

EXT/HIPAA/ADP/01 Page 5 of 7
 Accounting of Disclosure Policy
Reference 45 CFR 164.528 Ver. No. 1.0

 If the request for an accounting of disclosures is granted:

 Works with the appropriate staff to obtain documents of the
specified information.
 Sends documents to the requestor within 60 days.

 If the request cannot be granted within 60 days, sends letter to the

member. The letter must state the reason for the delay and the date
on which the accounting will be provided to the requestor.

 If the request for an accounting of disclosures is denied based on

the exceptions in the policy section, send a denial letter.

 Maintain proper documentation of denial in the Accounting

Binder.

 Files a copy of the written accounting and request in the privacy

files.

Retention:
Every policy and procedure revision/replacement will be maintained for a
minimum of six years from the date of its creation or when it was last in effect,
whichever is later. Other Exterprise requirements may stipulate a longer
retention. Log-in audit information and logs relevant to security incidents must
be retained for six years.

Compliance:
Failure to comply with this or any other privacy policy will result in disciplinary
actions. Legal actions also may be taken for violations of applicable regulations
and standards such as the HIPAA Privacy Rule and others.

EXT/HIPAA/ADP/01 Page 6 of 7
 Accounting of Disclosure Policy
Reference 45 CFR 164.528 Ver. No. 1.0

References.
 Omnibus HIPAA Final Rulemaking,
http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html
 HIPAA Final Privacy Rule, 45 CFR Part 164.514(h), Department of Health and
Human Services,
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/August
14, 2002.
 HIPAA Breach Notification Rule:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule
/
 Health Information Privacy, Security, and EHR
http://www.healthit.gov/providers-professionals/ehr-privacy-security
 Achieve Meaningful Use: Protect Electronic Health Information
http://www.healthit.gov/providers-professionals/achieve-meaningful-
use/core-measures/protect-electronic-health-information
http://www.healthit.gov/providers-professionals/achieve-meaningful-
use/core-measures-2/protect-electronic-health-information

EXT/HIPAA/ADP/01 Page 7 of 7