
Standards for Privacy of Individually Identifiable Health Information

I. Section 164.528--Accounting of Disclosures of Protected Health Information

December 2000 Privacy Rule

Under the Privacy Rule at Sec. 164.528, individuals have the right to receive an accounting of disclosures of protected health information made by the covered entity, with certain exceptions. These exceptions, or instances where a covered entity is not required to account for disclosures, include disclosures made by the covered entity to carry out treatment, payment, or health care operations, as well as disclosures to individuals of protected health information about them. The individual must request an accounting of disclosures.

The accounting is required to include the following: (1) Disclosures of protected health information that occurred during the six years prior to the date of the request for an accounting; and (2) for each disclosure: the date of the disclosure; the name of the entity or person who received the protected health information, and, if known, the address of such entity or person; a brief description of the protected health information disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or in lieu of such a statement, a copy of the individual's written authorization pursuant to Sec. 164.508 or a copy of a written request for a disclosure under Secs. 164.502(a)(2)(ii) or 164.512. For multiple disclosures of protected health information to the same person, the Privacy Rule allows covered entities to provide individuals with an accounting that contains only the following information: (1) For the first disclosure, a full accounting, with the elements described above; (2) the frequency, periodicity, or number of disclosures made during the accounting period; and (3) the date of the last such disclosure made during the accounting period.

March 2002 NPRM

In response to concerns about the high costs and administrative burdens associated with the requirement to account to individuals for the covered entity's disclosure of protected health information, the Department proposed to expand the exceptions to the standard at Sec. 164.528(a)(1) to include disclosures made pursuant to an authorization as provided in Sec. 164.508. Covered entities would no longer be required to account for any disclosures authorized by the individual in accordance with Sec. 164.508. The Department proposed to alleviate burden in this way because, like disclosures of protected health information made directly to the individual--which are already excluded from the accounting provisions in Sec. 164.528(a)(1)-- disclosures made pursuant to an authorization are also known by the individual, in as much as the individual was required to sign the forms authorizing the disclosures.

In addition to the exception language at Sec. 164.528(a)(1), the Department proposed two conforming amendments at Secs. 164.528(b)(2)(iv) and (b)(3) to delete references in the accounting content requirements to disclosures made pursuant to an authorization.

Overview of Public Comments

The following discussion provides an overview of the public comment received on this proposal. Additional comments received on this issue are discussed below in the section entitled, "Response to Other Public Comments."

The majority of comments on the accounting proposal supported the elimination of the accounting for authorized disclosures. The commenters agreed that, on balance, since the individual had elected to authorize the disclosure in the first instance, and that election was fully informed and voluntary, subsequently accounting for the disclosure made pursuant to that authorization was not necessary.

Many of the commenters went on to suggest other ways in which the accounting requirement could be made less burdensome. For example, several commenters wanted some or all of the disclosures which are permitted at Sec. 164.512 without individual consent or authorization to also be exempt from the accounting requirements. Others proposed alternative means of accounting for disclosures for research, particularly when such disclosures involve large numbers of records. These commenters argued that accounting for each individual record disclosed for a large research project would be burdensome and may deter covered entities from participating in such research. Rather than an individual accounting, the commenters suggested that the covered entity be required only to disclose a listing of all relevant protocols under which an individual's information may have been released during the accounting period, the timeframes during which disclosures were made under a protocol, and the name of the institution and researcher or investigator responsible for the protocol, together with contact information for the researcher. The National Committee on Vital Health Statistics, while not endorsing a protocol listing directly, recommended the Department consider alternatives to minimize the burden of the accounting requirements on research.

Finally, several commenters objected to the elimination of the accounting requirement for authorized disclosures. Some of these commenters expressed concern that the proposal would eliminate the requirement to account for the authorized disclosure of psychotherapy notes. Others were primarily concerned that the proposal would weaken the accounting rights of individuals. According to these commenters, informing the individual of disclosures was only part of the purpose of an accounting. Even with regard to authorized disclosures, an accounting could be important to verify that disclosures were in accord with the scope and purpose as stated in the authorization and to detect potentially fraudulent, altered, or otherwise improperly accepted authorizations. Since authorizations had to be maintained in any event, accounting for these disclosures represented minimal work for the covered entity.

Final Modifications

Based on the general support in the public comment, the Department adopts the modification to eliminate the accounting requirement for authorized disclosures. The authorization process itself adequately protects individual privacy by assuring that the individual's permission is given both knowingly and voluntarily. The Department agrees with the majority of commenters that felt accounting for authorized disclosures did not serve to add to the individual's knowledge about disclosures of protected health information. The Department does recognize the role of accounting requirements in the detection of altered or fraudulent authorizations. However, the Department considers the incidence of these types of abuses, and the likelihood of their detection through a request for an accounting, to be too remote to warrant the burden on all covered entities of including authorized disclosures in an accounting. As noted by some commenters, the covered entity must retain a copy of the authorization to document their disclosure of protected health information and that documentation would be available to help resolve an individual's complaint to either the covered entity or the Secretary.

Specific concern about the elimination of the accounting requirement for authorized disclosures was expressed by mental health professionals, who believed their patients should always have the right to monitor access to their personal information. The Department appreciates these commenters' concern about the need for heightened protections and accountability with regard to psychotherapy notes. It is because of these concerns that the Rule requires, with limited exceptions, individual authorization for even routine uses and disclosures of psychotherapy notes by anyone other than the originator of the notes. The Department clarifies that nothing in the modifications adopted in this rulemaking prevents a mental health professional from including authorized disclosures of psychotherapy notes in an accounting requested by their patients. Indeed, any covered entity may account to the individual for disclosures based on the individual's authorization. The modification adopted by the Department simply no longer requires such an accounting.

In response to comment on this proposal, as well as on the proposals to permit incidental disclosures and disclosures of protected health information, other than direct identifiers, as part of a limited data set, the Department has added two additional exclusions to the accounting requirements. Disclosures that are part of a limited data set and disclosures that are merely incidental to another permissible use or disclosure will not require an accounting. The limited data set does not contain any protected health information that directly identifies the individual and the individual is further protected from identification by the required data use agreement. The Department believes that accounting for these disclosures would be too burdensome. Similarly, the Department believes that it is impracticable to account for incidental disclosures, which by their very nature, may be uncertain or unknown to the covered entity at the time they occur. Incidental disclosures are permitted as long as reasonable safeguards and minimum necessary standards have been observed for the underlying communication. Moreover, incidental disclosures may most often happen in the context of a communication that relates to treatment or health care operations. In that case, the underlying disclosure is not subject to an accounting and it would be arbitrary to require an accounting for a disclosure that was merely incidental to such a communication.

The Department however disagrees with commenters who requested that other public purpose disclosures not be subject to the accounting requirement. Although the Rule permits disclosure for a variety of public purposes, they are not routine disclosures of the individual's information. The accounting requirement was designed as a means for the individual to find out the non-routine purposes for which his or her protected health information was disclosed by the covered entity, so as to increase the individual's awareness of persons or entities other than the individual's health care provider or health plan in possession of this information. To eliminate some or all of these public purposes would defeat the core purpose of the accounting requirement.

The Department disagrees with commenters' proposal to exempt all research disclosures made pursuant to a waiver of authorization from the accounting requirement. Individuals have a right to know what information about them has been disclosed without their authorization, and for what purpose(s). However, the Department agrees that the Rule's accounting requirements could have the undesired effect of causing covered entities to halt disclosures of protected health information for research. Therefore, the Department adopts commenters' proposal to revise the accounting requirement at Sec. 164.528 to permit covered entities to meet the requirement for research disclosures if they provide individuals with a list of all protocols for which the patient's protected health information may have been disclosed for research pursuant to a waiver of authorization under Sec. 164.512(i), as well as the researcher's name and contact information. The Department agrees with commenters that this option struck the appropriate balance between affirming individuals' right to know how information about them is disclosed, and ensuring that important research is not halted.

The Department considered and rejected a similar proposal by commenters when it adopted the Privacy Rule in December 2000. While recognizing the potential burden for research, the Department determined that the individual was entitled to the same level of specificity in an accounting for research disclosures as any other disclosure. At that time, however, the Department added the summary accounting procedures at Sec. 164.528(b)(3) to address the burden issues of researchers and others in accounting for multiple disclosures to the same entity. In response to the Department's most recent request for comments, researchers and others explained that the summary accounting procedures do not address the burden of having to account for disclosures for research permitted by Sec. 164.512(i). These research projects usually involve many records. It is the volume of records for each disclosure, not the repeated nature of the disclosures, that presents an administrative obstacle for research if each record must be individually tracked for the accounting. Similarly, the summary accounting procedures do not relieve the burden for covered entities that participate in many different studies on a routine basis. The Department, therefore, reconsidered the proposal to account for large research projects by providing a list of protocols in light of these comments.

Specifically, the Department adds a paragraph (4) to Sec. 164.528(b) to provide for simplified accounting for research disclosures as follows:

  (1) The research disclosure must be pursuant to Sec. 164.512(i) and involve at least 50 records. Thus, the simplified accounting procedures may be used for research disclosures based on an IRB or Privacy Board waiver of individual authorization, the provision of access to the researcher to protected health information for purposes preparatory to research, or for research using only records of deceased individuals. The large number of records likely to be disclosed for these research purposes justifies the need for the simplified accounting procedures. The Department has determined that a research request for 50 or more records warrants use of these special procedures.
  (2) For research protocols for which the individual's protected health information may have been disclosed during the accounting period, the accounting must include the name of the study or protocol, a description of the purpose of the study and the type of protected health information sought, and the timeframe of disclosures in response to the request.
  (3) When requested by the individual, the covered entity must provide assistance in contacting those researchers to whom it is likely that the individual's protected health information was actually disclosed.

Support for streamlining accounting for research disclosures came in comments and from NCVHS. The Department wants to encourage research and believes the protections afforded information in the hands of researchers, particularly research overseen by an IRB or Privacy Board, provide assurance of the continued confidentiality of the information. The Department does not agree that the individual has no need to know that his or her information has been disclosed for a research purpose. Covered entities, of course, may account for research disclosures in the same manner as all other disclosures. Even when the covered entity elects to use the alternative of a protocol listing, the Department encourages covered entities to provide individuals with disclosure of the specific research study or protocol for which their protected health information was disclosed, and other specific information relating to such actual disclosures if they so choose. If the covered entity lists all protocols for which the individual's information may have been disclosed, the Department would further encourage that the covered entity list under separate headings, or on separate lists, all protocols relating to particular health issues or conditions, so that individuals may more readily identify the specific studies for which their protected health information is more likely to have been disclosed.

The Department intends to monitor the simplified accounting procedures for certain research disclosures to determine if they are effective in providing meaningful information to individuals about how their protected health information is disclosed for research purposes, while still reducing the administrative burden on covered entities participating in such research efforts. The Department may make adjustments to the accounting procedures for research in the future as necessary to ensure both goals are fully met.

Response to Other Public Comments

Comment: A few commenters opposed the proposal to eliminate the accounting requirement for all authorized disclosures, arguing that, absent a full accounting, the individual cannot meaningfully exercise the right to amend or to revoke the authorization. Others also felt that a comprehensive right to an accounting, with no exceptions, was better from an oversight and enforcement standpoint as it encouraged consistent documentation of disclosures. One commenter also pointed to an example of the potential for fraudulent authorizations by citing press accounts of a chain drug store that allegedly took customers' signatures from a log that waived their right to consult with the pharmacist and attached those signatures to a form authorizing the receipt of marketing materials. Under the proposal, the commenter asserted, the chain drug store would not have to include such fraudulent authorizations as part of an accounting to the individual.

Response: The Department does not agree that the individual's right to amendment is materially affected by the accounting requirements for authorized disclosures. The covered entity that created the protected health information contained in a designated record set has the primary obligation to the individual to amend any erroneous or incomplete information. The individual does not necessarily have a right to amend information that is maintained by other entities that the individual has authorized to have his or her protected health information. Furthermore, the covered entity that has amended its own designated record set at the request of the individual is obligated to make reasonable efforts to notify other persons, including business associates, that are known to have the protected health information that was the subject of the amendment and that may rely on such information to the detriment of the individual. This obligation would arise with regard to persons to whom protected health information was disclosed with the individual's authorization. Therefore, the individual's amendment rights are not adversely affected by the modifications to the accounting requirements. Furthermore, nothing in the modification adversely affects the individual's right to revoke the authorization.

The Department agrees that oversight is facilitated by consistent documentation of disclosures. However, the Department must balance its oversight functions with the burden on entities to track all disclosures regardless of purpose. Based on this balancing, the Department has exempted routine disclosures, such as those for treatment, payment, and health care operations, and others for security reasons. The addition of authorized disclosures to the exemption from the accounting does not materially affect the Department's oversight function. Compliance with the Rule's authorization requirements can still be effectively monitored because covered entities are required to maintain signed authorizations as documentation of disclosures. Therefore, the Department believes that effective oversight, not the happenstance of discovery by an individual through the accounting requirement, is the best means to detect and prevent serious misdeeds such as those alleged in fraudulent authorizations.

Comment: A number of commenters recommended other types of disclosures for exemption from the accounting requirement. Many recommended elimination of the accounting requirement for public health disclosures arguing that the burden of the requirement may deter entities from making such disclosures and that because many are made directly to public health authorities by doctors and nurses, rather than from a central records component of the entity, public health disclosures are particularly difficult to track and document. Others suggested exempting from an accounting requirement any disclosure required by another law on the grounds that neither the individual nor the entity has any choice about such required disclosures. Still others wanted all disclosures to a governmental entity exempted as many such disclosures are required and often reports are routine or require lots of data. Some wanted disclosures to law enforcement or to insurers for claims investigations exempted from the accounting requirement to prevent interference with such investigatory efforts. Finally, a few commenters suggested that all of the disclosures permitted or required by the Privacy Rule should be excluded from the accounting requirement.

Response: Elimination of an accounting requirement for authorized disclosures is justified in large part by the individual's knowledge of and voluntary agreement to such disclosures. None of the above suggestions for exemption of other permitted disclosures can be similarly justified. The right to an accounting of disclosures serves an important function in informing the individual as to which information was sent to which recipients. While it is possible that informing individuals about the disclosures of their health information may on occasion discourage some worthwhile activity, the Department believes that the individual's right to know who is using their information and for what purposes takes precedence.

Comment: One commenter sought an exemption from the accounting requirement for disclosures to adult protective services when referrals are made for abuse, neglect, or domestic violence victims. For the same reasons that the Rule permits waiver of notification to the victim at the time of the referral based on considerations of the victim's safety, the regulation should not make such disclosures known after the fact through the accounting requirement.

Response: The Department appreciates the concerns expressed by the commenter for the safety and welfare of the victims of abuse, neglect, or domestic violence. In recognition of these concerns, the Department does give the covered entity discretion in notifying the victim and/or the individual's personal representative at the time of the disclosure. These concerns become more attenuated in the context of an accounting for disclosures, which must be requested by the individual and for which the covered entity has a longer timeframe to respond. Concern for the safety of victims of abuse or domestic violence should not result in stripping these individuals of the rights granted to others. If the individual is requesting the accounting, even after being warned of the potential dangers, the covered entity should honor that request. However, if the request is by the individual's personal representative and the covered entity has a reasonable belief that such person is the abuser or that providing the accounting to such person could endanger the individual, the covered entity continues to have the discretion in Sec. 164.502(g)(5) to decline such a request.

Comment: One commenter suggested elimination of the accounting requirement in its entirety. The commenter argued that HIPAA does not require an accounting as the individual's right and the accounting does not provide any additional privacy protections to the individual's information.

Response: The Department disagrees with the commenter. HIPAA authorized the Secretary to identify rights of the individual with respect to protected health information and how those rights should be exercised. In absence of regulation, HIPAA also authorized the Secretary to effectuate these rights by regulation. As stated in the preamble to the December 2000 Privacy Rule, the standard adopted by the Secretary that provides individuals with a right to an accounting of disclosures, is consistent with well-established privacy principles in other law and with industry standards and ethical guidelines, such as the Federal Privacy Act (5 U.S.C. 552a), the July 1977 Report of the Privacy Protection Study Commission, and NAIC Health Information Privacy Model Act. (See 65 FR 82739.)

Comment: A few commenters requested that the accounting period be shortened from six years to two years or three years.

Response: The Department selected six years as the time period for an accounting to be consistent with documentation retention requirements in the Rule. We note that the Rule exempts from the accounting disclosures made prior to the compliance date for the Rule, or April 14, 2003. Therefore, it will not be until April 2009 that a full six-year accounting period will occur. Also, the Rule permits individuals to request, and the covered entity to provide, an accounting for less than the full six-year period. For example, an individual may be interested only in disclosures that occurred in the prior year or in a particular month. The Department will monitor the use of the accounting requirements after the compliance date and will evaluate the need for changes in the future if the six-year period for the accounting proves to be unduly burdensome.

Comment: Commenters requested clarification of the need to account for disclosures to business associates, noting that while the regulation states that disclosures to and by a business associate are subject to an accounting, most such disclosures are for health care operations for which no accounting is required.

Response: The Department clarifies that the implementation specification in Sec. 164.528(b)(1), that expressly includes in the content of an accounting disclosures to or by a business associate, must be read in conjunction with the basic standard for an accounting for disclosures in Sec. 164.528(a). Indeed, the implementation specification expressly references the standard. Read together, the Rule does not require an accounting of any disclosure to or by a business associate that is for any exempt purpose, including disclosures for treatment, payment, and health care operations.

Comment: One commenter wanted health care providers to be able to charge reasonable fees to cover the retrieval and preparation costs of an accounting for disclosures.

Response: In granting individuals the right to an accounting, the Department had to balance the individual's right to know how and to whom protected health information is being disclosed and the financial and administrative burden on covered entities in responding to such requests. The balance struck by the Department with regard to cost was to grant the individual a right to an accounting once a year without charge. The covered entity may impose reasonable, cost-based fees for any subsequent requests during the one year period. The Department clarifies that the covered entity may recoup its reasonable retrieval and report preparation costs, as well as any mailing costs, incurred in responding to subsequent requests. The Rule requires that individuals be notified in advance of these fees and provided an opportunity to withdraw or amend their request for a subsequent accounting to avoid incurring excessive fees.

Comment: One commenter wanted clarification of the covered entity's responsibility to account for the disclosures of others. For example, the commenter wanted to know if the covered entity was responsible only for its own disclosures or did it also need to account for disclosures by every person that may subsequently handle the information.

Response: The Department clarifies in response to this comment that a covered entity is responsible to account to the individual for certain disclosures that it makes and for disclosures by its business associates. The covered entity is not responsible to account to the individual for any subsequent disclosures of the information by others that receive the information from the covered entity or its business associate.
