Are you remembering to account for the disclosures of PHI? Some healthcare providers are not compliant with this part of the Privacy Rule. Under HIPAA Privacy and as outlined on the NPP, the patient has many rights; one of these is to request an accounting of all non-TPO disclosures (any disclosure that is not for treatment, payment, or health care operations). For this reason, it is required that each patient's chart contains a disclosure log.
Anytime information is disclosed for a non-TPO purpose, except
for "incidental disclosures", it must be documented on the patient's "Log for
PHI Disclosures" form. For example, if a disclosure is made to an attorney, to
a school, or to a public health agency, the disclosure should be added to the
patient's Log for PHI Disclosures form. That way, if the patient were to
request the accounting of non-TPO disclosures (use the Request for Accounting
of PHI Disclosures form), the log is already up-to-date, and you could simply
provide the patient with the information contained on the log. The patient may
receive one free accounting in a 12-month period.
Even though most non-TPO uses and disclosures of PHI must
be logged, there are a few exceptions. Examples of disclosures that do not have
to be accounted for are disclosures made pursuant to an authorization;
disclosures made while reporting abuse and neglect; the PHI is part of a
Limited Data Set; disclosures made to a correctional institution or law
enforcement official having lawful custody of an inmate about whom the PHI
applies; the disclosure occurred prior to 4/14/03; national security and/or
intelligence purposes; other reasons listed on your Notice of Privacy
Practices.