HIPAA Privacy - Provision of the Accounting 164.528(c)

Overview:
§164.528(c)
Implementation specifications: Provision of the accounting.
(1) The covered entity must act on the individual’s request for an accounting, no later than 60 days after receipt of such a request, as follows.
(i) The covered entity must provide the individual with the accounting requested; or
(ii) If the covered entity is unable to provide the accounting within the time required by paragraph (c)(1) of this section, the covered entity may extend the time to provide the accounting by no more than 30 days, provided that:
(A) The covered entity, within the time limit set by paragraph (c)(1) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting; and
(B) The covered entity may have only one such extension of time for action on a request for an accounting.


§164.528(c)(2)
The covered entity must provide the first accounting to an individual in any 12 month period without charge. The covered entity may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period, provided that the covered entity informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee.


Action Items:
1) Obtain and review policies and procedures to determine if the process to provide the individual with the requested accounting of PHI complies with the established performance criterion.


Related Documents:
1) Policies and procedures to determine if the process to provide the individual with the requested accounting of PHI complies with the established performance criterion.


Additional Guidance:
Individuals have a right to an accounting of the disclosures of their protected health information by a covered entity or the covered entity’s business associates. The maximum disclosure accounting period is the six years immediately preceding the accounting request, except a covered entity is not obligated to account for any disclosure made before its Privacy Rule compliance date.


The Privacy Rule does not require accounting for disclosures: (a) for treatment, payment, or health care operations; (b) to the individual or the individual’s personal representative; (c) for notification of or to persons involved in an individual’s health care or payment for health care, for disaster relief, or for facility directories; (d) pursuant to an authorization; (e) of a limited data set; (f) for national security or intelligence purposes; (g) to correctional institutions or law enforcement officials for certain purposes regarding inmates or individuals in lawful custody; or (h) incident to otherwise permitted or required uses or disclosures. Accounting for disclosures to health oversight agencies and law enforcement officials must be temporarily suspended on their written representation that an accounting would likely impede their activities.