45 CFR § 164.528
HIPAA Privacy Rule currently requires covered entities to make available, upon request, an accounting of certain disclosures of an individual’s PHI made up to six years prior to the request.
- The accounting must include, for each disclosure, the date, the name of the recipient (and address, if known), a brief description of the PHI disclosed, and a brief statement of the purpose of the disclosure.
- Privacy Rule accounting requirements apply to disclosures of both paper and electronic PHI, regardless of whether such information is in a designated record set (DRS).
- A DRS is a group of records maintained by or for the covered entity that consists of the medical records and billing records about individuals, or that is used, in whole or in part, to make decisions about individuals.
Accounting of Disclosures HITECH Act
The HITECH Act requires new rulemaking to implement changes to the Accounting of Disclosures requirements:
- The exception for disclosures made to carry out treatment, payment, or health care operations (TPO) would no longer apply if the disclosure is made through an EHR.
- Individuals would have a right to receive an accounting of disclosures made during the three years prior to the request, as opposed to six.
- Covered entities would be required to provide the requesting individual either an accounting that includes their business associates’ disclosures, or a list of all business associates with their contact information so that the individual can request an accounting from each business associate directly.
The HITECH Act also requires the adoption of an initial set of standards, implementation specifications and certification criteria for accounting of disclosures in EHR technology.
Security Incident Breach Notification
45 CFR § 164.304
Following a breach of unsecured protected health information, the HIPAA Security Officer or designated representative must ensure that the procedures identified below are carried out, as applicable to the circumstances of the breach.