What is a HIPAA Accounting?
Under the HIPAA Privacy Rule, an individual, under certain circumstances, has the right to receive an accounting of disclosures — HIPAA Accounting — of that individual’s protected health information (PHI) made by a covered entity in the last six years prior to the date on which the account is requested.
What Information Must be Included in a HIPAA Accounting?
The HIPAA Privacy Rule requires certain information to be included in a HIPAA accounting made by a covered entity. This information must include disclosures of protected health information that occurred during the six years prior to the date of the request of the accounting. The accounting must include disclosures to or by business associates of the covered entity.
An individual may request a HIPAA accounting of disclosures of PHI for a period of time less than six years from the date of the request. If such request is made, the accounting must include disclosures of PHI that occurred during this shorter time period.
Generally, the HIPAA accounting of disclosures of PHI must include, for each disclosure:
- The date of the disclosure;
- The name of the entity or person who received the protected health information and, if known, the address of such entity or person;
- A brief description of the protected health information disclosed; and
- A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure. In lieu of such a statement, the accounting may consist of a copy of a written request for disclosure, if that request was made:
- By the Secretary of the Department of Health and Human Services, to investigate or determine the covered entity‘s compliance with this subchapter.
- Under circumstances for which written authorization to use or disclose PHI was not required.
By When Must the HIPAA Accounting be Provided?
The covered entity must provide the requested accounting no later than 60 days after receipt of such a request.
If the covered entity is unable to provide the accounting within the 60 days, the covered entity may extend the time to provide the accounting for up to an additional 30 days, provided that:
- The covered entity, during the initial 60 days, provides the requesting individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting; and
- The covered entity may have only one such extension of time for action on a request for an accounting.
Can a Covered Entity Charge a Fee for a HIPAA Accounting?
Under the HIPAA Privacy Rule, the covered entity must provide the first accounting to an individual in any 12 month period without charge.
The covered entity may charge a reasonable, cost-based fee (i.e., a fee based on costs incurred by the covered entity with respect to responding to the accounting) for each subsequent request for an accounting by the same individual within the 12 month period, provided that:
- The covered entity informs the individual in advance of the fee; and
- The covered entity provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee.
When is a Covered Entity Not Required to Provide a HIPAA Accounting?
The HIPAA Privacy Rule requires certain information to be included in a HIPAA accounting made by a covered entity. This information must include disclosures of protected health information that occurred during the six years prior to the date of the request of the accounting. The accounting must include disclosures to or by business associates of the covered entity.
The individual has the right to a HIPAA accounting except for disclosures that are made:
- To carry out treatment, payment and health care operations.
- To individuals of protected health information about them.
- If a healthcare provider discloses PHI to an individual in the course of the doctor-patient relationship, the provider need not also provide a formal accounting for that disclosure.
- Incident to a use or disclosure otherwise permitted or required by the HIPAA Privacy Rule.
- Pursuant to (under) a patient’s written authorization.
- For the healthcare facility’s directory.
- To persons involved in the individual‘s care or other notification purposes.
- Under the HIPAA Privacy Rule, a covered entity is generally permitted to disclose PHI about an individual:
- To a family member,
- Other relative,
- A close personal friend of the individual,
- or any other person identified by the individual.
- If that PHI is directly relevant to:
- The person‘s involvement with the individual‘s health care, or
- Payment related to the individual‘s health care.
- Under the HIPAA Privacy Rule, a covered entity may use or disclose protected health information:
- To notify, or assist in the notification, of
- A family member, a personal representative of the individual, or another person responsible for the care of the individual, of
- The individual‘s location, general condition, or death.
- For national security or intelligence purposes
- To correctional institutions or law enforcement officials, as authorized, or
- As part of a limited data set in accordance with § 164.514(e).
- A limited data set under the HIPAA Privacy rule is a set of identifiable healthcare information that covered entities may share with certain entities for research purposes, public health activities, and healthcare operations, all without obtaining prior authorization from patients, if certain conditions are met.
- Under the HIPAA Privacy Rule, a covered entity is generally permitted to disclose PHI about an individual: