Are you remembering to account for the disclosures of PHI? Some healthcare providers are not compliant with this part of the Privacy Rule. Under HIPAA Privacy and as outlined on the NPP, the patient has many rights; one of these is to request an accounting of all non-TPO disclosures (any disclosure that is not for treatment, payment, or health care operations). For this reason, each patient's chart is required to contain a disclosure log.
Any time information is disclosed for a non-TPO purpose, except for "incidental disclosures", it must be documented on the patient's "Log for PHI Disclosures" form. For example, if a disclosure is made to an attorney, to a school, or to a public health agency, the disclosure should be added to the patient's Log for PHI Disclosures form. That way, if the patient were to request an accounting of non-TPO disclosures (using the Request for Accounting of PHI Disclosures form), the log is already up to date, and you could simply provide the patient with the information contained on the log. The patient may receive one free accounting in a 12-month period.
Even though most non-TPO uses and disclosures of PHI must be logged, there are a few exceptions. Disclosures that do not have to be accounted for include: disclosures made pursuant to an authorization; disclosures made while reporting abuse and neglect; disclosures of PHI that is part of a Limited Data Set; disclosures made to a correctional institution or law enforcement official having lawful custody of an inmate to whom the PHI applies; disclosures that occurred prior to 4/14/03; disclosures for national security and/or intelligence purposes; and disclosures for other reasons listed on your Notice of Privacy Practices.