Overview:
§164.528(b)
Implementation specifications: Content of the accounting.
The covered entity must provide the individual with a written accounting that meets the following requirements.
(1) Except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity.
(2) Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: (i) The date of the disclosure; (ii) The name of the entity or person who received the protected health information and, if known, the address of such entity or person; (iii) A brief description of the protected health information disclosed; and (iv) A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure under §§ 164.502(a)(2)(ii) or 164.512, if any.
(3) If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under §§ 164.502(a)(2)(ii) or 164.512, the accounting may, with respect to such multiple disclosures, provide: (i) The information required by paragraph (b)(2) of this section for the first disclosure during the accounting period; (ii) The frequency, periodicity, or number of the disclosures made during the accounting period; and (iii) The date of the last such disclosure during the accounting period.
(4)(i) If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with § 164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: (A) The name of the protocol or other research activity; (B) A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records; (C) A brief description of the type of protected health information that was disclosed; (D) The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period; (E) The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and (F) A statement that the protected health information of the individual may or may not have been disclosed for a particular protocol or other research activity. (ii) If the covered entity provides an accounting for research disclosures, in accordance with paragraph (b)(4) of this section, and if it is reasonably likely that the protected health information of the individual was disclosed for such research protocol or activity, the covered entity shall, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher.
Action Items:
1) Obtain and review policies and procedures to determine whether the policies and procedures accurately provide for inclusion of the content listed in the established performance criterion.
2) Obtain and review a sample of requests for accounting and entity fulfillment of those requests to consider whether the accountings provided meet the established performance criterion.
Related Documents:
1) Policies and procedures to determine whether the policies and procedures accurately provide for inclusion of the content listed in the established performance criterion.
2) Sample of requests for accounting and entity fulfillment of those requests.
Additional Guidance:
Individuals have a right to an accounting of the disclosures of their protected health information by a covered entity or the covered entity’s business associates. The maximum disclosure accounting period is the six years immediately preceding the accounting request, except a covered entity is not obligated to account for any disclosure made before its Privacy Rule compliance date.
The Privacy Rule does not require accounting for disclosures: (a) for treatment, payment, or health care operations; (b) to the individual or the individual’s personal representative; (c) for notification of or to persons involved in an individual’s health care or payment for health care, for disaster relief, or for facility directories; (d) pursuant to an authorization; (e) of a limited data set; (f) for national security or intelligence purposes; (g) to correctional institutions or law enforcement officials for certain purposes regarding inmates or individuals in lawful custody; or (h) incident to otherwise permitted or required uses or disclosures. Accounting for disclosures to health oversight agencies and law enforcement officials must be temporarily suspended on their written representation that an accounting would likely impede their activities.
Article ID: 574
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/hipaa-privacy-content-of-the-accounting-164-528-b-574.html