It is the policy of the University and its Health Care Components (HCC) to abide by the Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, standards for privacy of individually identifiable health information. A patient has the right to receive a written Accounting of Disclosures of their protected health information (PHI) made by the UHF in the six years prior to the date of which the accounting is requested. (45 CFR § 164.528). A patient may request an accounting of a period of time less than six years. Beginning on April 14, 2003, a patient is only entitled to request an Accounting of Disclosures from April 14, 2003 to the current date. After April 14, 2009, a patient is entitled to request a full six years worth of disclosures.
The University, its HCC and workforce
- Patient: any individual who has received or is receiving services from HCC.
- Disclosure is defined as, "the release, transfer, provision of access to, or divulging in any other manner of information outside the entity which holds the information." This includes disclosures to or by business associates of the covered entity.
- Individually Identifiable Health Information: any information, including demographic information, collected from an individual that –
- Is created or received by a healthcare provider, health plan, employer, healthcare clearinghouse or pharmacy clearinghouse; and
- Related to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual, and
- Identifies the individual, or
- With respect to which, there is reasonable basis to believe that the information can be used to identify the individual.
- Protected Health Information (PHI) is defined as, "individually identifiable health information that is (i) transmitted by electronic media; (ii) maintained in any medium described in the definition of electronic media; or (iii) transmitted or maintained in any other form or medium"
- All disclosures of PHI need to be accounted for upon the request of the individual. This is not limited to hard copy information but any manner of communication that discloses information, including verbal release. However, the following list of exceptions to this requirement do not require tracking or need to be accounted for upon the request of the individual:
- Disclosures made for treatment, payment, and healthcare operation purposes as set out in 45 CFR §164.502.
- Disclosures made to the patient. (45 CFR §164.502)
- Disclosures made for facility directory purposes, if utilized (45 CFR §164.510). (Please note that no HCC will utilize a facility directory as defined under HIPAA without University Privacy Officer approval).
- Disclosures made for national security or intelligence purposes. (45 CFR §164.512 (k)(5))
- Disclosures made to correctional institutions or law enforcement officials related to health or safety of an inmate or other person. (45 CFR §164.512(k)(5)).
- Disclosures made prior to the date of compliance with the privacy standards, meaning prior to April 14, 2003.
- There are further exceptions for disclosures to health oversight agencies (see section 164.528(a)(2)(i) et seq.). Please contact the Unit Privacy Officer should this situation arise.
- University Privacy Officer and each Unit Privacy Officer shall assure that a mechanism is in place which tracks disclosure of PHI. One format shall be utilized for all HCCs. See HIPAA Procedure 1.060, Form 2.
- The HCC will include the following required content in the Accounting of Disclosures.
- The name and identification number of the patient whose PHI was disclosed.
- Date of disclosure
- Name and address, if known, of the entity or person who received the PHI
- Brief description of the PHI disclosed
- Brief statement of purpose that reasonably informs the patient of the purpose for the disclosure, or provide the patient with a copy of the authorization, or provide the patient with a copy of the written request for disclosure.
- If multiple disclosures are made to the same entity or person for the same reason, it is not necessary to document items 4.a.-d. for each disclosure. The HCC may document instead the first disclosure, the frequency or number of disclosures made during the accounting period, and the date of the last disclosure in the accounting period.
- The patient (or legal guardian) must make a written request for an Accounting of Disclosures to the University or HCC Privacy Officer, or designee, (whichever is applicable). The request shall be on the HIPAA Procedure 1.060, Form 1, as attached to this policy. Staff may assist the patient in completing the form if requested to do so.
- The HCC has sixty (60) days after receipt of the request for such an accounting to respond to the request for an accounting of disclosure. If the HCC has disclosed information to a business associate regarding the patient requesting the accounting, then the HCC through its Privacy Officer or designee must request an accounting of disclosures of that patient’s information from that business associate, who has twenty (20) calendar days to provide the accounting. The HCC may request one 30-day extension, which is allowed, but the patient must be informed in writing:
- Of the delay:
- The reason for the delay,
- The date the accounting will be provided, and
- Such notification to the patient or person requesting the accounting of disclosures of any delay must take place within the 60-day timeframe.
- The HCC must provide the first accounting of disclosures free of charge in any 12-month period. Any subsequent request can be charged based on Missouri Statute (RSMO Section 191.227, § 610.010 et seq.). Before charging a fee, the HCC must inform the patient and allow the opportunity to withdraw or modify the request to avoid or reduce the fee. No additional handling fee is allowed.
- The HCC must retain a copy of the written accounting that is provided to the patient in the patient’s medical record.
- Review Process. The University Privacy Officer will collect information from the Unit Privacy Officers during the month of April each year beginning in 2004 for the purpose of providing feedback to the HIPAA Management Team as to compliance with the procedure and any proposed modification or recommendation that additional training be implemented.
- Sanctions. Any person found to have violated the requirements of this policy shall be subject to sanctions up to and including dismissal.
HISTORY: Effective March 21, 2003