Accounting of PHI Disclosures

From University of Nebraska Medical Center
Jump to navigation Jump to search
Human Resources   Safety/Security   Research Compliance   Compliance   Privacy/Information Security   Business Operations   Intellectual Property   Faculty


Identification Card | Secure Area Card Access | Privacy/Confidentiality | Computer Use/Electronic Information | Retention and Destruction/Disposal of Private and Confidential Information | Use and Disclosure of Protected Health Information | Notice of Privacy Practices | Access to Designated Record Set | Accounting of PHI Disclosures | Patient/Consumer Complaints | Vendors | Fax Transmissions | Psychotherapy Notes | Facility Security | Conditions of Treatment Form | Informed Consent for UNMC Media | Transporting Protected Health Information | Honest Broker | Social Security Number | Third Party Registry | Information Security Awareness and Training | Patient Privacy Investigations and Levels of Violation | Use and Disclosure of PHI for Training Health Care Professionals | Disclosures of PHI as Permitted or Required by Law | Disclosure of PHI for Law Enforcement Purposes

Policy No.: 6061
Effective Date: 03/17/03
Revised Date: draft 10/28/22
Revised Date:

Accounting of Protected Health Information Disclosures Policy

Basis for Policy

Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. NIST Special Publication 800-53 and the HIPAA Security Rule outline considerations for the access control family of security controls.

Policy

Nebraska Medicine (Nebraska Medical Center, Bellevue Medical Center, and UNMCP)/UNMC shall provide patients, as required by law and upon written request, with a list of applicable individuals/organizations to which their Protected Health Information (PHI) has been disclosed.

Purpose

To establish guidelines for maintaining patient information subject to the accounting requirement and procedures for responding to individual requests for an accounting of disclosures of PHI.

Procedures

It is the policy of Nebraska Medicine (Nebraska Medical Center, Bellevue Medical Center and UNMCP)/UNMC to comply with the procedures set forth below.

  1. An individual has a right to receive an accounting of disclosures of PHI made by the ACE during a time period specified up to six (6) years prior to the date of the request, except for disclosures:
    • To carry out treatment, payment or health care operations (including permissible disclosures to other providers for their treatment, payment or health care operations);
    • To the individual about his or her own information ;
    • Authorized by the individual (signed authorization) is this Request for Accounting of Disclosures of Health Information Form??;
    • For the facility directory or to persons involved in the individual's care, or other notification purposes permitted under law;
    • For national security or intelligence purposes;
    • To correctional institutions or other law enforcement officials who have custody of an individual as permitted under law;
    • As part of a limited data set (see UNMC Policy No. 6057, Use and Disclosure of Protected Health Information);
  2. Individuals shall make their requests to the Health Information Management Department (HIM), using the is this the most recent form and the correct one to use in place of Attachment 1? If not, I will need a link to Attachment 1 Request for Accounting of Disclosures of Health Information Form??;
  3. Content Requirements. The accounting for each disclosure must include:
    • Date of disclosure;
    • Name of entity or person who received the PHI, and, if known, the address of such entity or person;
    • Brief description of the PHI disclosed;
    • A brief statement of the purpose of the disclosure or a copy of the written request for disclosure; and
    • If the disclosure is made on a recurring basis for a single purpose, the person or entity shall be listed once and the frequency of the disclosure shall be listed, with the date of the first and last disclosure.
  4. Examples of disclosures that must be accounted for include but are not limited to the following:
    • Child abuse reporting
    • Infectious disease/STD reporting
    • Parkinson's disease
    • Infant hearing screening, metabolic diseases
    • Reports to the FDA
    • Immunization reports
    • Organ donation information
    • Reporting wounds of violence
    • Reports to the following registries:
    • Cancer
    • Brain and Head Injury
    • Birth Defects
    • E-Code
    • Trauma
    • Death reporting
    • Disclosures to regulatory agencies with oversight authority
    • Judicial and administrative proceedings
    • Worker's compensation
    • Disclosures to law enforcement
    • Funeral directors/medical examiners
    • Research conducted pursuant to:
    • An IRB waiver;
    • decedent PHI; or
    • use of PHI preparatory to research (if over 50 records reviewed, only need to provide description of protocol, purpose of research, description of type of PHI disclosed, time period disclosure occurred, name address, etc. etc.).
  5. Department Responsibilities. (HIM) is the designated department for release of patient information. In limited circumstances other areas may release minimal information for such purposes as pre-insurance certification, urgent care, provider communication, releasing test results to the patient, or as otherwise expressly permitted by this or another Nebraska Medicine/UNMC policy. All other requests shall be forwarded to the Health Information Management Department for processing. All departments making permitted disclosures of patient information shall document the disclosures in a manner approved by HIM. Departments that maintain health information systems shall alert HIM of the system. When such departments disclose PHI subject to the accounting requirement, department staff shall complete Quick Disclosure tracking documentation in One Chart or establish other record keeping systems for other health information systems and inform HIM of those record keeping systems. A record of such disclosures must be maintained for six (6) years from the date of the disclosure. Departments shall respond to HIM requests for information in response to individual accounting requests within ten (10) days.
  6. Provision of Accounting. HIM, in coordination with the Privacy Officer, shall respond to accounting requests no later than sixty (60) days after receipt. The response time may be extended by no more than thirty (30) additional days, provided that within the first sixty (60) days, the individual is given a written statement of the reasons for the delay and the date by which the accounting will be provided.
  7. Accounting Charges. The first accounting in any twelve-month period must be provided to the individual without charge. A reasonable, cost-based fee may be charged for additional accountings within the twelve-month period, as long as the individual is notified of the fee in advance.
  8. Suspension of the Right to Accounting. Upon request by a health oversight agency or a law enforcement official, a patient/legal guardian's right to an accounting of disclosures to a health oversight agency or law enforcement official may be suspended for the time period specified by the official if the official asserts that the provision of the accounting would be reasonably likely to impede the activities of the official.

Definitions

Affiliated Covered Entity (ACE)

Legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.

Health Care Operations

The following activities related to the Organization's functions as a health care provider and sponsor of a self-insured health plan:

  1. Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities, otherwise these activities may be classified as research if PHI is included;
  2. Population-based activities relating to improving health or reducing health care costs;
  3. Protocol development;
  4. Contacting health care providers and patients with information about treatment alternatives;
  5. Case management and care coordination;
  6. Patient safety activities;
  7. Risk assessment;
  8. Reviewing the competence or qualifications and accrediting/licensing of health care providers;
  9. Training health care professionals;
  10. Conducting or arranging for medical review, legal services and auditing functions (including fraud and abuse detection and compliance programs);
  11. Business planning and development;
  12. Business management activities
  13. General administrative and business functions;
  14. Insurance activities relating to the renewal of a contract of health insurance;
  15. Evaluating health care provider and plan performance;
  16. Resolution of internal grievances; and
  17. Fundraising (see Use/Disclosure of PHI for Marketing).

Payment

Activities undertaken by a health care provider or health plan to obtain premiums, to determine or fulfill its responsibility for coverage and provision of benefits under the health plan or to obtain or provide reimbursement for the provision of health care. Some of these types of activities include determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), billing, collection activities, claims management, medical necessity determinations, utilization review activities including pre-certification and pre-authorization of services, disclosure to consumer reporting agencies related to collection of premiums or reimbursement and health care data processing related to the above-listed activities.

Protected Health Information (PHI)

Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:

  • is created or received by UNMC/ACE; and
  • relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.

PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):

  • an Individual’s genetic tests;
  • the genetic tests of an Individual’s family members; or
  • the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history).

PHI excludes:

  • individually identifiable health information of a person who has been deceased for more than fifty (50) years.
  • education records covered by the Family Educational Rights and Privacy Act (FERPA); and
  • employment records held by UNMC in its role as employer.

Treatment

The provision, coordination or management of health care and related services by one or more health care providers including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another.

Additional Information

This page maintained by dkp