PHI Disclosures
Health Insurance Portability and Accountability Act

Accounting for Disclosures of PHI (45 CFR 164.528) 

A covered entity upon request must provide an accounting of disclosures of PHI made in the six years prior to the date on which the accounting is requested, EXCEPT for the following types of disclosures:  

  1. To carry out treatment, payment and health care operations;  


  2. To individuals of PHI which is about the individual (on the principle that if the disclosure was made to the individual about whom the PHI pertains, the individual is already aware of the disclosure); 


  3. Disclosures that are incident to a use or disclosure otherwise permitted or required. Incidental disclosures are permitted as long as reasonable safeguards and minimum necessary standards are observed; 
  4. Disclosures made pursuant to an authorization;  


  5. Disclosures made pursuant to the facility’s directory or to persons involved in the individual’s care or other notification purposes;  


  6. For national security or intelligence purposes; 


  7. To correctional institutions or law enforcement officials having lawful custody of an inmate, if the correctional institution or law enforcement official represents that the PHI is necessary for: A) the provision of care to the individual; B) the health and safety of such individual or other inmates; C) The health and safety of the officers or employees of or others at the correctional institution; D) The health and safety of such individuals and officers or other persons responsible for the transportation of inmates from one institution, facility or setting to another; and F) the administration and maintenance of the safety, security, and good order of the correctional institution; 164.512(k)(5)  


  8. As part of a limited data set that complies with 164.514(e), which is PHI that excludes specified direct identifiers and is used only for the purpose of research, public health or health care operations;  


  9. Disclosures that occurred prior to the compliance date for the covered entity. Generally, the compliance date for the HIPAA Privacy Rule is April 14, 2003;  


  10. A covered entity may temporarily suspend an individual’s right to receive an accounting, under the following:  

164.514(d) health oversight agency for oversight activities authorized by law, including audits, civil, administrative, or criminal investigations, inspections, licensure or disciplinary actions; civil, administrative, or criminal proceedings; or other oversight activities of the health care system. 

164.514(f) law enforcement activities 
For the temporary suspension to apply, the agency or official must provide a written statement that an accounting would reasonably likely impede the agency’s activities and specifying the time period for which such suspension is required. If the agency’s statement is oral, the covered entity must document the statement, including the identity of the agency or official making the statement. A suspension of accounting may be no longer than 30 days in the case of an oral statement, unless a written statement is received during that time. 

Content of Accounting

    1. The date of disclosure;

    2. The name of the entity or person who received the PHI and, if known, the address of such entity or person;  


    3. A brief description of the PHI disclosed; 


    4. A brief statement of the purpose of the disclosure that informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of the written request for the disclosure.


    Multiple Disclosures 
    If during the period of the accounting a covered entity has made multiple disclosures of PHI to the same person or entity for a single purpose, with respect to the multiple disclosures, the accounting must provide:


    1. The information required for the first disclosure during the accounting period;  


    2. The frequency, periodicity, or number of the disclosures made during the accounting period;  


    3. The date of the last such disclosure during the accounting period.  


    Administrative Requirements
    A covered entity must have a policy (1) covering the information required to be included in an accounting. The policy must include the name and title of the person responsible for receiving and processing requests for an accounting.


    A covered entity has 60 days after receipt of a request to provide the individual with an accounting. If the covered entity is unable to provide an accounting within 60 days, the covered entity may extend the time to no more than 30 days, with a written explanation of the reasons for the delay. Only one 30 day extension is permitted.


    The covered entity must provide the first accounting to an individual in any 12 month period without charge. The covered entity may impose a reasonable cost based fee for each subsequent request for an accounting by the same individual within the 12 month period, provided that the covered entity informs the individual in advance of the fee.


    Business Associates

    A covered entity is responsible for accounting disclosures made by business associates. Please note that the sample Business Associate Agreement issued by HHS (which is included in MSSNY’s website) includes the statement "Business Associate agrees to document such disclosures of [PHI] and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of [PHI] in accordance with 45 CFR 164.528."