The HIPAA Privacy Rule requires Covered Entities to account for all disclosures of Protected Health Information (PHI) that were made for purposes other than treatment, payment, or healthcare operations.
HIPAA Disclosure Accounting is the “accounting” (the action or process of keeping records) of these disclosures. This is sometimes referred to as “Accounting of Disclosures” or AOD.
HIPAA Disclosure Accounting and TPO
Within the context of disclosure accounting, a disclosure is defined as access to, delivery of, or transmission of PHI to parties that do not have authorization (that is, outside of TPO or an established Business Associate Agreement (BAA), which falls under healthcare operations).
TPO stands for Treatment, Payment, and Operations.
TPO describes the circumstances in which covered entities are allowed by law to disclose patient information without the need to obtain authorization from patients.
From the HHS’s Guidance on the TPO disclosures:
- “Treatment” generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
- “Payment” encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.
- “Health Care Operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.
When is an Accounting of Disclosures Form Necessary?
An accounting of disclosures form may be necessary if you disclose patient records for the purpose of selling them, for scientific research where the data has not been de-identified, where the patient consented to having their information included in a client marketing story, or where their information has been disclosed for other marketing purposes.
Other instances necessitating Accounting of Disclosures (AOD) include:
- Those Required by Law (Court Orders, subpoenas, state reporting, emergencies)
- Public Health Activities (Prevention of disease, public health investigations)
- Victims of abuse, neglect, or domestic violence
- Health Oversight Activities (HHS investigations, FDA, Medicaid fraud units)
- Decedents (Coroners, funeral directors)
- Cadaveric, tissue, or eye donation (organ procurement organizations)
- Research purposes (IRB or Privacy boards, dependent on scope of study)
- To avert a serious health or safety threat (FDA inquiry, terrorist threat, communicable disease organizations)
- Specialized government functions (Military, veteran, and Presidential activities)
- Worker’s Compensation (Worker’s compensation disclosures necessary to comply with the law, not payment related disclosures)
- Inappropriate or Mistaken Disclosures (PHI mailed or faxed to incorrect party)
HIPAA Disclosure Accounting May Not be a Regular Part of Your Business
Ideally, you won’t have many disclosures to account for, and that is the point.
If disclosing patient data for research or data sales, or using PHI for marketing purposes, is a part of your business operations, that activity needs to be strategically analyzed and procedurally assessed to ensure compliance with HIPAA laws.
- HIPAA Disclosure Accounting or Accounting of Disclosures (AOD) is the action or process of keeping records of disclosures of PHI for purposes other than Treatment, Payment, or Healthcare Operations.
- You are required by law to provide patients a list of all the disclosures of their PHI that you have made outside of TPO.
- Ideally, you won’t have many non-TPO disclosures to account for, and that is the point.
Still not sure if or when you need to practice disclosure accounting? The compliance consultants here at Gazelle can help!