Are you remembering to account for the disclosures of PHI? Even though this is a basic patient right under HIPAA, some healthcare providers are still not compliant with this part of the Privacy Rule. Under HIPAA Privacy and as outlined on your NPP, the patient has many rights; one of these is to request an accounting of allnon-TPO disclosures (any disclosure that is not for treatment, payment, or health care operations). For this reason, we recommend that each patient's chart contain a disclosure log. Anytime information is disclosed for a non-TPO purpose, except for "incidental disclosures", it should be documented. For example, if a disclosure is made to an attorney, to a school, or to a public health agency, the disclosure should be added to the patient's log of PHI disclosures. This logging can be accomplished by either paper or electronic means.
If you keep a disclosure log and the patient was to request an accounting of non-TPO disclosures, the log would be already up-to-date and you could simply provide the patient with the information contained on the log. Keep in mind that the patient may receive one free accounting in a 12-month period. Even though most non-TPO uses and disclosures of PHI have to be logged, there are a few exceptions. Examples of disclosures thatdo not have to be accounted for are:
- disclosures made pursuant to an authorization;
- disclosures made while reporting abuse and neglect;
- the PHI is part of a Limited Data Set;
- disclosures made to a correctional institution or law enforcement officer having lawful custody of an inmate about whom the PHI applies;
- the disclosure occurred prior to 4/14/03;
- national security and/or intelligence purposes;
- other reasons listed on your Notice of Privacy Practices.