NPRM: Standards for Privacy of Individually Identifiable Health Information. ii. Content of the accounting of disclosures.

11/03/1999

We are proposing that the accounting include all disclosures for purposes other than treatment, payment, and health care operations, subject to certain exceptions for disclosures to law enforcement and oversight agencies, discussed below. This would also include disclosures that are authorized by the individual. The accounting would include the date of each disclosure; the name and address of the organization or person who received the protected health information; and a brief description of the information disclosed. For all disclosures that are authorized by the individual, we are proposing that the covered entity maintain a copy of the authorization form and make it available to the individual with the accounting.

We considered whether the accounting of disclosures should include the name of the person who authorized the disclosure of information. The proposed Security Standard would require covered entities to have an audit mechanism in place to monitor access by employees. We concluded that it was unnecessary and inappropriate to require the covered entity to include this additional information in the accounting. If the individual identifies an improper disclosure by an entity, he or she should hold the entity – not the employee of the entity – accountable. It is the responsibility of the entity to train its workforce about its policies and procedures for the disclosure of protected health information and to impose sanctions if such policies and procedures are violated.

We are proposing that protected health information that is disclosed to a health oversight or law enforcement agency would be excluded from the accounting if the oversight or law enforcement agency provides a written request stating that the exclusion is necessary for a specified time period because access by the individual during that time period would be reasonably likely to impede the agency’s activities. The written request must specifically state how long the information should be excluded. At the expiration of that period, the covered entity would be required to include the information in an accounting for the individual.

We are proposing this time-limited exclusion for law enforcement and oversight activities because we do not intend to unreasonably interfere with investigations and other activities that are in the public interest. The Recommendations simply provide that disclosures to law enforcement and oversight agencies should be excluded from the accounting where access by the individual could be reasonably likely to impede the agency’s activities. We were concerned that it would be difficult for covered entities to determine whether access by the individual was "reasonably likely to impede the agency’s activities." In order to address this concern, we considered excluding all disclosures to law enforcement and oversight from the accounting, but concluded that such an exclusion would be overly broad. As a means of creating a clearly defined rule for the covered entity to follow, we are proposing that covered entities require a time-limited, written statement from the oversight or law enforcement agency. We are soliciting comment on whether this time-limited exclusion strikes the appropriate balance between ensuring individual access to an accounting of disclosures and preserving the integrity of law enforcement and oversight investigations.