Health Information Compliance Alert

PATIENT RIGHTS:

Key Strategies For Handling HIPAA's Accounting of Disclosures Provision

If a patient wants to see how you've handled his PHI, you have to comply.

OK, pop quiz: Can you recount every single time you've told your name to someone else in the last six years? Whom you told? When you told? Why you told? Probably not. Now can you imagine someone having to track all of that information for you?

While the task of recording such information may seem downright daunting, covered entities are going to have to perform their own version of this tracking in order to comply with HIPAA's accounting of disclosures provision.

The law: Under section 164.528 of the privacy rule, covered entities are required to account for certain disclosures of their patients' protected health information. Patients, in turn, have the right to request and receive an accounting of those disclosures made over the previous six years.

"I think the entire accounting of disclosures provision is a difficult one to deal with" because there are so many instances that could be deemed disclosures of PHI, says Rose Dunn, a consultant with St. Louis-based First Class Solutions Inc.

"The accounting rules involve a great deal more tracking of information than I think anybody expected," agrees Stephen Bernstein, an attorney with McDermott Will & Emery.

To help your organization tackle this intimidating responsibility, here's some advice from our team of HIPAA experts:

Understand Accounting As A Customer Service Issue

If a patient requests an accounting of disclosures, "chances are it's not for fun," says Bernstein. Covered entities should therefore realize that a request for an accounting of disclosures is often related to issues of patient satisfaction.

Bernstein believes that, much like requests to amend one's medical records, requests for an accounting generally mean that your patient is either unhappy or curious about something. "And in the end, all of this is about patient expectation management and figuring out what the patient is really trying to get at," he states.

For example, if your patients are annoyed at getting bombarded with fundraising solicitations, then they might demand to know if and to whom your organization has released their personal information.

Best practice: Because of the potential to exacerbate an already tense situation, CEs need to handle accounting requests with speed and efficiency. Don't hesitate to involve your privacy officer or your risk management team, and make sure that you respond to the patient's request quickly and accurately, so as not to inflame an irate patient even more, suggests Bernstein.

And don't be lulled into complacency just because your organization hasn't received many, or any, such accounting requests yet. "It's a calm before a storm," warns Bernstein. "I think a lot of people are interested in knowing how their information is moving around the system."

Know What To Account For

Your organization must understand what types of PHI disclosures it is and isn't required to account for under HIPAA. According to the privacy rule, there are nine types of disclosures that do not have to be included in any accounting.

Most notably, covered entities do not have to account for PHI disclosures that were made to carry out treatment, payment or health care operations, nor must they account for disclosures where the patient has signed an authorization, states Donna Padnos, a senior management consultant with The Superior Consultant Company in Holly Springs, NC.

Hidden requirement: When the final privacy regulations appeared, many people were surprised to learn that covered entities were expected to account for mandatory disclosures to local, state or federal agencies, recounts Gwen Hughes, a consultant with Chicago-based Care Communications.

"We had considered them part of 'health care operations,'" but the HHS Office for Civil Rights subsequently made it clear that such PHI reporting must be included in the accounting of disclosures, she tells Eli.

The difficulty this creates for CEs is that in many states, there are literally hundreds of types of routine and required disclosures reported to state departments of public health, says Bernstein.

For example, your state might require you to submit information on all new cancer cases to the state's cancer registry. And even though you've been doing this for years prior to HIPAA, you're now required to track these as accountable disclosures, he says.

According to Bernstein, many hospitals are working with the American Hospital Association and their local organizations to identify which types of PHI disclosures would be deemed accountable under HIPAA.

Padnos offers this lengthy -- though certainly not complete -- list of examples where accountable disclosures of PHI can occur:

--suspected abuse reporting

--underage pregnancy

--communicable diseases

--law enforcement purposes

--research involving IRB waiver of authorization

--research involving PHI of decedents

--batch disclosures for state public health databases

--state cancer registry

--birth defects registry

--trauma registry

--death registry

--poison control

--funeral homes

--county medical examiner

Own up to errors: According to Padnos, you're also required to account for any disclosures made by mistake. So if you discover that you've accidentally faxed a patient's PHI to the wrong fax number, then you need to record the error for that patient's accounting of disclosures, she maintains.

In addition, don't forget that any full accounting should also include accountable PHI disclosures made by your business associates.

When a patient submits a request for an accounting of disclosures, the privacy officer should "reach out to the business associates to find out whether the business associates have made any accountable disclosures with respect to that individual," instructs David Ermer, an attorney with Gordon & Barnett in Washington, DC. The privacy regs require business associates to make this information available to the covered entity, he notes.

HIPAA fact: Covered entities are not required to account for disclosures that occurred before the April 14, 2003 compliance deadline. Therefore, a covered entity won't need to produce the maximum six-year accounting of disclosures until April 1, 2009.