Patient’s Guide to HIPAA – Basic Rights: E. Right to Receive an Accounting of Disclosures (FAQ 37 – 45)





You are reading the Patient’s Guide to HIPAA, FAQ 37-45. 



The HIPAA rule defines seven patient rights; one of them is the right to receive an accounting of disclosures. This page includes all FAQs explaining this right (FAQ 37-45).


E. Right to Receive an Accounting of Disclosures (FAQ 37 – 45)


FAQ 37: What’s an Accounting of Disclosures?

For a disclosure of medical information about an individual, an accounting is a record of:

• The date of the disclosure

• The name of the person or entity who received the information

• A brief description of the information disclosed

• A brief statement of the purpose of the disclosure (or, as an alternative, a copy of the request for a disclosure).

The non-intuitive term accounting comes from an older privacy law. It’s clearer to think of an accounting as a disclosure history. We will stick with the rule’s accounting terminology here because it is used commonly in HIPAA circles.


FAQ 38: Why Should I Care about Accounting of Disclosures?

Many patients won’t care, and that is okay. However, the accounting of disclosures can be crucial in some instances. You may want to ask for an accounting if you think that your records were improperly disclosed, if you think that you may be a victim of medical identity theft, or even if you are just curious about the circulation of your medical records. Be warned, however, that if you ask for an accounting, the response is likely to undermine whatever faith you had that your medical information is confidential. Records may be disclosed to other institutions that have nothing to do with your treatment or the payment for your treatment.

The accounting of disclosures will be invaluable if you need to follow the trail of your information and learn who has information about you. If you corrected your record through the amendment process, the accounting should allow you to find out who received the original information and who received the corrected information. It provides a way for you to tell whether the covered entity properly distributed the amendment.

The accounting may reveal some disclosures that are normal (e.g., to your health plan). You may also learn that the covered entity disclosed your records to a researcher, public health agency, or government auditor. These disclosures may not have any immediate consequences for you, but you may be either interested to know about the disclosures or unhappy that they occurred.

However, if you learn that your records were disclosed to law enforcement or health oversight agencies, you might have reason to worry that the information disclosed will be used against you in some manner. By learning the purpose of each disclosure, you will be better able to make judgments.


FAQ 39: How Do I Make a Request for an Accounting of Disclosures?

Start by obtaining a copy of the notice of privacy practices that your provider or insurer publishes. You may already have a copy. If not, each HIPAA covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).

Follow the directions for a request in the notice. You might be asked to write a letter or fill out a form in order to make your request for an accounting. The covered entity must act on a request for accounting within 60 days, but it can extend the time limit for another 30 days if it provides a written explanation of the delay.


FAQ 40: Who Has to Provide Me with an Accounting of Disclosures?

Any HIPAA covered entity must provide a copy of an accounting of disclosures. For most individuals, your health care providers (doctors, hospitals, laboratories, pharmacies, etc.) and health insurers (HMOs, health plans, Medicare, etc.) will have accounting records that you may want. You may also want to ask your Pharmacy Benefit Manager or PBM. A PBM is a company that contracts with managed care organizations, self-insured companies, and government programs to handle pharmacy network management, drug utilization review, and other activities. A PBM is likely to be the organization that fills your drug prescriptions by mail.


FAQ 41: What Does It Cost to Obtain an Accounting of Disclosures?

You are entitled to receive at no charge one copy of the accounting of your medical record in any 12-month period. If you make more than one request, the institution may impose a reasonable, cost-based fee. The institution must tell you the cost in advance so you have a chance to modify or withdraw your request.


FAQ 42: What are the Limitations of an Accounting of Disclosures?

Limitations in the HIPAA rule make the accounting of disclosures much less valuable than it should be. First, covered entities do not have to account for all disclosures. They don’t have to keep an accounting of disclosures for treatment, payment, or health care operations. Most disclosures are likely to be for one of these purposes so this loophole is large.

Second, covered entities also don’t have to keep an accounting of disclosures if you authorized the disclosure. That means that you may not be able to track if the covered entity actually disclosed records as you directed. If you casually signed an authorization that allowed the disclosure of any or all information about you (e.g., for a background check), a covered entity can disclose your entire medical record and not even keep a record that it did so. This is another large loophole.

Third, health care institutions do not have to account for uses. A use of information occurs when a record is made available to someone within the institution that maintains the record. A disclosure occurs when a covered entity shares a record with someone outside the covered entity. The accounting requirement only covers some disclosures and no uses.

If you are hospitalized, hundreds of different individuals in the hospital may see your record. The use exemption to accounting can seriously undermine your ability to hold an institution accountable for leaks or other inappropriate activities. Still, in hospitals with modern computers, there is a greater likelihood that a complete audit trail, including uses, will be maintained routinely. Unfortunately, HIPAA does not expressly require that a covered entity share that audit trail for uses, although there may be an argument that disclosure of an entire audit trail is required otherwise by HIPAA or by state law. Ask for a copy of the entire accounting because a reasonable institution will share it with you. Institutions with computerized systems that track all activity might find it easier to provide a requester with the entire history rather than part of it. However, they are not required to do so. It doesn’t hurt to ask.

Fourth, sometimes a covered entity must withhold a particular accounting record from an individual who requests a copy of the accounting. A covered entity may make some disclosures to law enforcement, for example, without telling the record subject for a limited time.

Fifth, the HIPAA requirement for an accounting started on April 14, 2003. A health care institution covered by HIPAA did not have to maintain accounting records before that date.

Finally, perhaps the biggest limitation is that the federal health privacy rule does not require an accounting of disclosures for treatment and payment. This means that a lot of information that you would want to find in an accounting will not be available. Covered entities also don’t have to tell you about disclosures for health care operations, an expansive category that covers many management and other functions.

For example, if a hospital gave care to someone in your name and billed your insurance company, you would want to know the details. You may not be able to obtain that information from the accounting of disclosures. Even worse, if a hospital told a credit bureau or collection agency that you did not pay your bill (i.e., a bill run up by an identity thief), the accounting may not reveal the disclosures. These disclosures may be exempt from the accounting requirement because they fall within the exception for disclosures for payment and health care operations.

Sidebar: In 2011, HHS proposed changes to the accounting for disclosures rule. As of 2013, the changes have not yet been made final. It may be a while before covered entities must implement the changes. As proposed, some of the accounting changes were better for patients and some were not. We will have to wait and see when and what will happen.


FAQ 43: Why Bother Asking for an Accounting if It Has so Many Loopholes?

Why seek an accounting of disclosures? First, obtaining a copy of the accounting is free. All you have to do is fill out a form or write a simple letter.

Second, an accounting may help even if it isn’t complete. You should be able to learn something about how the covered entity disclosed your records from the accounting. It may point you to some record keepers you didn’t realize had records about you.

Finally, even though there are many exceptions to accounting, some institutions will nevertheless have a record about disclosures (and even uses) even though the records are not required by HIPAA. If you ask for more, you might just get what you want. Nothing in HIPAA prevents a covered entity from providing a more complete accounting than the minimum required by the rule.


FAQ 44: Do I Have Greater Rights under State Laws, Other Federal Laws, or Hospital Policies?

Maybe. A few states may have health privacy laws that require health care institutions to maintain better accounting records or to disclose more accounting records to you. If your records are held by the federal government (e.g., Medicare or VA), your rights to have a copy of an accounting under the Privacy Act of 1974 will be greater than under HIPAA. These two sets of privacy rules overlap to your benefit. See FAQ 2 to find other online resources that may help you understand state laws.


FAQ 45: What’s the Best Strategy for Making a Request?

You are entitled to only one free request in any 12-month period. Think about the best timing to make that request. If you learn that you were a medical identity theft victim two years ago, you probably should make the request right now. However, if the reason you are asking relates to a current activity (perhaps a hospitalization that just ended), it can take time for your records to be updated. Actions that follow a hospitalization, such as submitting a bill to an insurer or to the government, may not occur immediately. You might want to wait a week or two before asking for the accounting. If the institution’s privacy officer is helpful, the officer may be able to offer useful advice about timing.


