Question

Within the VA, we are required to keep an accounting of disclosure, which tracks the information we release to patients and other third parties. Generally, our release of information software keeps the accounting without any additional steps or actions taken by our release of information clerks. The process, however, is different for other individuals in the facility who might be releasing; such as social working, patient advocate, infectious disease, etc. Their process is generally a manual one, in which, they keep track of who they send information to. What type of information should an organization be keeping track of when they disclose information?

Answer 1

An individual has a right to receive an accounting of disclosures (but not uses) of protected health

information made by a covered entity in the six years prior to the date on which the accounting is

requested. The following types of disclosures are expressly not required to be included in the

accounting:

• Disclosures to carry out treatment, payment and health care operations (whether for your

organization or for another provider or covered entity as permitted under the regulations;

• Disclosures made pursuant to an authorization;

• Disclosures made to the individual;

• Disclosures for the facility’s directory or to persons involved in the individual’s care or

other notification purposes;

• Disclosures that are incidental to an otherwise permitted use or disclosure;

• Disclosures that are part of a limited data set;

• Disclosures for national security or intelligence purposes;

• Disclosures to correctional institutions or law enforcement officials; or

• Disclosures that occurred prior to the compliance date of the regulations- April 14, 2003.

The accounting must include disclosures of protected health information that occurred during the

six years (or such shorter time period at the request of the individual) prior to the date of the

request for an accounting (but not before the compliance date), including disclosures to or by

business associates of the covered entity. The accounting must include for each accountable

disclosure:

• The date of the disclosure;

• The name of the entity or person who received the protected health information and, if

known, the address of such entity or person;

• A brief description of the protected health information disclosed; and

A brief statement of the purpose of the disclosure that reasonably informs the individual of the

basis for the disclosure; or, in lieu of such statement, a copy of the written request for a

disclosure.