Standards for Privacy of Individually Identifiable Health Information
I. Section 164.528--Accounting of Disclosures of Protected Health Information
December 2000 Privacy Rule
Under the Privacy Rule at Sec. 164.528, individuals have the right
to receive an accounting of disclosures of protected health information
made by the covered entity, with certain exceptions. These exceptions,
or instances where a covered entity is not required to account for
disclosures, include disclosures made by the covered entity to carry
out treatment, payment, or health care operations, as well as disclosures
to individuals of protected health information about them. The individual
must request an accounting of disclosures.
The accounting is required to include the following: (1) Disclosures
of protected health information that occurred during the six years
prior to the date of the request for an accounting; and (2) for
each disclosure: the date of the disclosure; the name of the entity
or person who received the protected health information, and, if
known, the address of such entity or person; a brief description
of the protected health information disclosed; and a brief statement
of the purpose of the disclosure that reasonably informs the individual
of the basis for the disclosure, or in lieu of such a statement,
a copy of the individual's written authorization pursuant to Sec.
164.508 or a copy of a written request for a disclosure under Secs.
164.502(a)(2)(ii) or 164.512. For multiple disclosures of protected
health information to the same person, the Privacy Rule allows covered
entities to provide individuals with an accounting that contains
only the following information: (1) For the first disclosure, a
full accounting, with the elements described above; (2) the frequency,
periodicity, or number of disclosures made during the accounting
period; and (3) the date of the last such disclosure made during
the accounting period.
March 2002 NPRM
In response to concerns about the high costs and administrative
burdens associated with the requirement to account to individuals
for the covered entity's disclosure of protected health information,
the Department proposed to expand the exceptions to the standard
at Sec. 164.528(a)(1) to include disclosures made pursuant to an
authorization as provided in Sec. 164.508. Covered entities would
no longer be required to account for any disclosures authorized
by the individual in accordance with Sec. 164.508. The Department
proposed to alleviate burden in this way because, like disclosures
of protected health information made directly to the individual--which
are already excluded from the accounting provisions in Sec. 164.528(a)(1)--
disclosures made pursuant to an authorization are also known by
the individual, inasmuch as the individual was required to sign
the forms authorizing the disclosures.
In addition to the exception language at Sec. 164.528(a)(1), the
Department proposed two conforming amendments at Secs. 164.528(b)(2)(iv)
and (b)(3) to delete references in the accounting content requirements
to disclosures made pursuant to an authorization.
Overview of Public Comments
The following discussion provides an overview of the public comment
received on this proposal. Additional comments received on this
issue are discussed below in the section entitled, "Response
to Other Public Comments."
The majority of comments on the accounting proposal supported the
elimination of the accounting for authorized disclosures. The commenters
agreed that, on balance, since the individual had elected to authorize
the disclosure in the first instance, and that election was fully
informed and voluntary, subsequently accounting for the disclosure
made pursuant to that authorization was not necessary.
Many of the commenters went on to suggest other ways in which the
accounting requirement could be made less burdensome. For example,
several commenters wanted some or all of the disclosures which are
permitted at Sec. 164.512 without individual consent or authorization
to also be exempt from the accounting requirements. Others proposed
alternative means of accounting for disclosures for research, particularly
when such disclosures involve large numbers of records. These commenters
argued that accounting for each individual record disclosed for
a large research project would be burdensome and may deter covered
entities from participating in such research. Rather than an individual
accounting, the commenters suggested that the covered entity be
required only to disclose a listing of all relevant protocols under
which an individual's information may have been released during
the accounting period, the timeframes during which disclosures were
made under a protocol, and the name of the institution and researcher
or investigator responsible for the protocol, together with contact
information for the researcher. The National Committee on Vital
Health Statistics, while not endorsing a protocol listing directly,
recommended the Department consider alternatives to minimize the
burden of the accounting requirements on research.
Finally, several commenters objected to the elimination of the
accounting requirement for authorized disclosures. Some of these
commenters expressed concern that the proposal would eliminate the
requirement to account for the authorized disclosure of psychotherapy
notes. Others were primarily concerned that the proposal would weaken
the accounting rights of individuals. According to these commenters,
informing the individual of disclosures was only part of the purpose
of an accounting. Even with regard to authorized disclosures, an
accounting could be important to verify that disclosures were in
accord with the scope and purpose as stated in the authorization
and to detect potentially fraudulent, altered, or otherwise improperly
accepted authorizations. Since authorizations had to be maintained
in any event, accounting for these disclosures represented minimal
work for the covered entity.
Final Modifications
Based on the general support in the public comment, the Department
adopts the modification to eliminate the accounting requirement
for authorized disclosures. The authorization process itself adequately
protects individual privacy by assuring that the individual's permission
is given both knowingly and voluntarily. The Department agrees with
the majority of commenters who felt that accounting for authorized disclosures
did not serve to add to the individual's knowledge about disclosures
of protected health information. The Department does recognize the
role of accounting requirements in the detection of altered or fraudulent
authorizations. However, the Department considers the incidence
of these types of abuses, and the likelihood of their detection
through a request for an accounting, to be too remote to warrant
the burden on all covered entities of including authorized disclosures
in an accounting. As noted by some commenters, the covered entity
must retain a copy of the authorization to document its disclosure
of protected health information and that documentation would be
available to help resolve an individual's complaint to either the
covered entity or the Secretary.
Specific concern about the elimination of the accounting requirement
for authorized disclosures was expressed by mental health professionals,
who believed their patients should always have the right to monitor
access to their personal information. The Department appreciates
these commenters' concern about the need for heightened protections
and accountability with regard to psychotherapy notes. It is because
of these concerns that the Rule requires, with limited exceptions,
individual authorization for even routine uses and disclosures of
psychotherapy notes by anyone other than the originator of the notes.
The Department clarifies that nothing in the modifications adopted in
this rulemaking prevents a mental health professional from including
authorized disclosures of psychotherapy notes in an accounting requested
by their patients. Indeed, any covered entity may account to the
individual for disclosures based on the individual's authorization.
The modification adopted by the Department simply no longer requires
such an accounting.
In response to comment on this proposal, as well as on the proposals
to permit incidental disclosures and disclosures of protected health
information, other than direct identifiers, as part of a limited
data set, the Department has added two additional exclusions to
the accounting requirements. Disclosures that are part of a limited
data set and disclosures that are merely incidental to another permissible
use or disclosure will not require an accounting. The limited data
set does not contain any protected health information that directly
identifies the individual and the individual is further protected
from identification by the required data use agreement. The Department
believes that accounting for these disclosures would be too burdensome.
Similarly, the Department believes that it is impracticable to account
for incidental disclosures, which by their very nature, may be uncertain
or unknown to the covered entity at the time they occur. Incidental
disclosures are permitted as long as reasonable safeguards and minimum
necessary standards have been observed for the underlying communication.
Moreover, incidental disclosures may most often happen in the context
of a communication that relates to treatment or health care operations.
In that case, the underlying disclosure is not subject to an accounting
and it would be arbitrary to require an accounting for a disclosure
that was merely incidental to such a communication.
The Department, however, disagrees with commenters who requested
that other public purpose disclosures not be subject to the accounting
requirement. Although the Rule permits disclosure for a variety
of public purposes, they are not routine disclosures of the individual's
information. The accounting requirement was designed as a means
for the individual to find out the non-routine purposes for which
his or her protected health information was disclosed by the covered
entity, so as to increase the individual's awareness of persons
or entities other than the individual's health care provider or
health plan in possession of this information. To eliminate some
or all of these public purposes would defeat the core purpose of
the accounting requirement.
The Department disagrees with commenters' proposal to exempt all
research disclosures made pursuant to a waiver of authorization
from the accounting requirement. Individuals have a right to know
what information about them has been disclosed without their authorization,
and for what purpose(s). However, the Department agrees that the
Rule's accounting requirements could have the undesired effect of
causing covered entities to halt disclosures of protected health
information for research. Therefore, the Department adopts commenters'
proposal to revise the accounting requirement at Sec. 164.528 to
permit covered entities to meet the requirement for research disclosures
if they provide individuals with a list of all protocols for which
the patient's protected health information may have been disclosed
for research pursuant to a waiver of authorization under Sec. 164.512(i),
as well as the researcher's name and contact information. The Department
agrees with commenters that this option struck the appropriate balance
between affirming individuals' right to know how information about
them is disclosed, and ensuring that important research is not halted.
The Department considered and rejected a similar proposal by commenters
when it adopted the Privacy Rule in December 2000. While recognizing
the potential burden for research, the Department determined that
the individual was entitled to the same level of specificity in
an accounting for research disclosures as any other disclosure.
At that time, however, the Department added the summary accounting
procedures at Sec. 164.528(b)(3) to address the burden issues of
researchers and others in accounting for multiple disclosures to
the same entity. In response to the Department's most recent request
for comments, researchers and others explained that the summary
accounting procedures do not address the burden of having to account
for disclosures for research permitted by Sec. 164.512(i). These
research projects usually involve many records. It is the volume
of records for each disclosure, not the repeated nature of the disclosures,
that presents an administrative obstacle for research if each record
must be individually tracked for the accounting. Similarly, the
summary accounting procedures do not relieve the burden for covered
entities that participate in many different studies on a routine
basis. The Department, therefore, reconsidered the proposal to account
for large research projects by providing a list of protocols in
light of these comments.
Specifically, the Department adds a paragraph (4) to Sec. 164.528(b)
to provide for simplified accounting for research disclosures as
follows:
- The research disclosure must be pursuant to Sec. 164.512(i)
and involve at least 50 records. Thus, the simplified accounting
procedures may be used for research disclosures based on an IRB
or Privacy Board waiver of individual authorization, the provision
of access to the researcher to protected health information for
purposes preparatory to research, or for research using only records
of deceased individuals. The large number of records likely to
be disclosed for these research purposes justifies the need for
the simplified accounting procedures. The Department has determined
that a research request for 50 or more records warrants use of
these special procedures.
- For research protocols for which the individual's protected
health information may have been disclosed during the accounting
period, the accounting must include the name of the study or protocol,
a description of the purpose of the study and the type of protected
health information sought, and the timeframe of disclosures in
response to the request.
- When requested by the individual, the covered entity must provide
assistance in contacting those researchers to whom it is likely
that the individual's protected health information was actually
disclosed.
Support for streamlining accounting for research disclosures came
in comments and from NCVHS. The Department wants to encourage research
and believes that the protections afforded information in the hands of researchers,
particularly research overseen by an IRB or Privacy Board, provide
assurance of the continued confidentiality of the information. The Department
does not agree that the individual has no need to know that his
or her information has been disclosed for a research purpose. Covered
entities, of course, may account for research disclosures in the
same manner as all other disclosures. Even when the covered entity
elects to use the alternative of a protocol listing, the Department
encourages covered entities to provide individuals with disclosure
of the specific research study or protocol for which their protected
health information was disclosed, and other specific information
relating to such actual disclosures if they so choose. If the covered
entity lists all protocols for which the individual's information
may have been disclosed, the Department would further encourage
that the covered entity list under separate headings, or on separate
lists, all protocols relating to particular health issues or conditions,
so that individuals may more readily identify the specific studies
for which their protected health information is more likely to have
been disclosed.
The Department intends to monitor the simplified accounting procedures
for certain research disclosures to determine if they are effective
in providing meaningful information to individuals about how their
protected health information is disclosed for research purposes,
while still reducing the administrative burden on covered entities
participating in such research efforts. The Department may make
adjustments to the accounting procedures for research in the future
as necessary to ensure both goals are fully met.
Response to Other Public Comments
Comment: A few commenters opposed the proposal to eliminate
the accounting requirement for all authorized disclosures arguing
that, absent a full accounting, the individual cannot meaningfully
exercise the right to amend or to revoke the authorization. Others
also felt that a comprehensive right to an accounting, with no exceptions,
was better from an oversight and enforcement standpoint as it encouraged
consistent documentation of disclosures. One commenter also pointed
to an example of the potential for fraudulent authorizations by
citing press accounts of a chain drug store that allegedly took
customers' signatures from a log that waived their right to consult
with the pharmacist and attached those signatures to a form authorizing
the receipt of marketing materials. Under the proposal, the commenter
asserted, the chain drug store would not have to include such fraudulent
authorizations as part of an accounting to the individual.
Response: The Department does not agree that the individual's
right to amendment is materially affected by the accounting requirements
for authorized disclosures. The covered entity that created the
protected health information contained in a designated record set
has the primary obligation to the individual to amend any erroneous
or incomplete information. The individual does not necessarily have
a right to amend information that is maintained by other entities
that the individual has authorized to have his or her protected
health information. Furthermore, the covered entity that has amended
its own designated record set at the request of the individual is
obligated to make reasonable efforts to notify other persons, including
business associates, that are known to have the protected health
information that was the subject of the amendment and that may rely
on such information to the detriment of the individual. This obligation
would arise with regard to persons to whom protected health information
was disclosed with the individual's authorization. Therefore, the
individual's amendment rights are not adversely affected by the
modifications to the accounting requirements. Furthermore, nothing
in the modification adversely affects the individual's right to
revoke the authorization.
The Department agrees that oversight is facilitated by consistent
documentation of disclosures. However, the Department must balance
its oversight functions with the burden on entities to track all
disclosures regardless of purpose. Based on this balancing, the
Department has exempted routine disclosures, such as those for treatment,
payment, and health care operations, and others for security reasons.
The addition of authorized disclosures to the exemption from the
accounting does not materially affect the Department's oversight
function. Compliance with the Rule's authorization requirements
can still be effectively monitored because covered entities are
required to maintain signed authorizations as documentation of disclosures.
Therefore, the Department believes that effective oversight, not
the happenstance of discovery by an individual through the accounting
requirement, is the best means to detect and prevent serious misdeeds
such as those alleged in fraudulent authorizations.
Comment: A number of commenters recommended other types
of disclosures for exemption from the accounting requirement. Many
recommended elimination of the accounting requirement for public
health disclosures arguing that the burden of the requirement may
deter entities from making such disclosures and that because many
are made directly to public health authorities by doctors and nurses,
rather than from a central records component of the entity, public
health disclosures are particularly difficult to track and document.
Others suggested exempting from an accounting requirement any disclosure
required by another law on the grounds that neither the individual
nor the entity has any choice about such required disclosures. Still
others wanted all disclosures to a governmental entity exempted
as many such disclosures are required and often reports are routine
or require lots of data. Some wanted disclosures to law enforcement
or to insurers for claims investigations exempted from the accounting
requirement to prevent interference with such investigatory efforts.
Finally, a few commenters suggested that all of the disclosures
permitted or required by the Privacy Rule should be excluded from
the accounting requirement.
Response: Elimination of an accounting requirement for authorized
disclosures is justified in large part by the individual's knowledge
of and voluntary agreement to such disclosures. None of the above
suggestions for exemption of other permitted disclosures can be
similarly justified. The right to an accounting of disclosures serves
an important function in informing the individual as to which information
was sent to which recipients. While it is possible that informing
individuals about the disclosures of their health information may
on occasion discourage some worthwhile activity, the Department
believes that the individual's right to know who is using their
information and for what purposes takes precedence.
Comment: One commenter sought an exemption from the accounting
requirement for disclosures to adult protective services when referrals
are made for abuse, neglect, or domestic violence victims. For the
same reasons that the Rule permits waiver of notification to the
victim at the time of the referral based on considerations of the
victim's safety, the regulation should not make such disclosures
known after the fact through the accounting requirement.
Response: The Department appreciates the concerns expressed
by the commenter for the safety and welfare of the victims of abuse,
neglect, or domestic violence. In recognition of these concerns,
the Department does give the covered entity discretion in notifying
the victim and/or the individual's personal representative at the
time of the disclosure. These concerns become more attenuated in
the context of an accounting for disclosures, which must be requested
by the individual and for which the covered entity has a longer
timeframe to respond. Concern for the safety of victims of abuse
or domestic violence should not result in stripping these individuals
of the rights granted to others. If the individual is requesting
the accounting, even after being warned of the potential dangers,
the covered entity should honor that request. However, if the request
is by the individual's personal representative and the covered entity
has a reasonable belief that such person is the abuser or that providing
the accounting to such person could endanger the individual, the
covered entity continues to have the discretion in Sec. 164.502(g)(5)
to decline such a request.
Comment: One commenter suggested elimination of the accounting
requirement in its entirety. The commenter argued that HIPAA does
not require an accounting as the individual's right and the accounting
does not provide any additional privacy protections to the individual's
information.
Response: The Department disagrees with the commenter. HIPAA
authorized the Secretary to identify rights of the individual with
respect to protected health information and how those rights should
be exercised. In the absence of regulation, HIPAA also authorized the
Secretary to effectuate these rights by regulation. As stated in
the preamble to the December 2000 Privacy Rule, the standard adopted
by the Secretary that provides individuals with a right to an accounting
of disclosures, is consistent with well-established privacy principles
in other law and with industry standards and ethical guidelines,
such as the Federal Privacy Act (5 U.S.C. 552a), the July 1977 Report
of the Privacy Protection Study Commission, and NAIC Health Information
Privacy Model Act. (See 65 FR 82739.)
Comment: A few commenters requested that the accounting
period be shortened from six years to two years or three years.
Response: The Department selected six years as the time
period for an accounting to be consistent with documentation retention
requirements in the Rule. We note that the Rule exempts from the
accounting disclosures made prior to the compliance date for the Rule,
or April 14, 2003. Therefore, it will not be until April 2009 that
a full six-year accounting period will occur. Also, the Rule permits
individuals to request, and the covered entity to provide, an
accounting for less than the full six-year period. For example, an individual
may be interested only in disclosures that occurred in the prior
year or in a particular month. The Department will monitor the use
of the accounting requirements after the compliance date and will
evaluate the need for changes in the future if the six-year period
for the accounting proves to be unduly burdensome.
Comment: Commenters requested clarification of the need
to account for disclosures to business associates, noting that while
the regulation states that disclosures to and by a business associate
are subject to an accounting, most such disclosures are for health
care operations for which no accounting is required.
Response: The Department clarifies that the implementation
specification in Sec. 164.528(b)(1), that expressly includes in
the content of an accounting disclosures to or by a business associate,
must be read in conjunction with the basic standard for an accounting
for disclosures in Sec. 164.528(a). Indeed, the implementation specification
expressly references the standard. Read together, the Rule does
not require an accounting of any disclosure to or by a business
associate that is for any exempt purpose, including disclosures
for treatment, payment, and health care operations.
Comment: One commenter wanted health care providers to be
able to charge reasonable fees to cover the retrieval and preparation
costs of an accounting for disclosures.
Response: In granting individuals the right to an accounting,
the Department had to balance the individual's right to know how
and to whom protected health information is being disclosed and
the financial and administrative burden on covered entities in responding
to such requests. The balance struck by the Department with regard
to cost was to grant the individual a right to an accounting once
a year without charge. The covered entity may impose reasonable,
cost-based fees for any subsequent requests during the one year
period. The Department clarifies that the covered entity may recoup
its reasonable retrieval and report preparation costs, as well as
any mailing costs, incurred in responding to subsequent requests.
The Rule requires that individuals be notified in advance of these
fees and provided an opportunity to withdraw or amend their request
for a subsequent accounting to avoid incurring excessive fees.
Comment: One commenter wanted clarification of the covered
entity's responsibility to account for the disclosures of others.
For example, the commenter wanted to know if the covered entity
was responsible only for its own disclosures or did it also need
to account for disclosures by every person that may subsequently
handle the information.
Response: The Department clarifies in response to this comment
that a covered entity is responsible to account to the individual
for certain disclosures that it makes and for disclosures by its
business associates. The covered entity is not responsible to account
to the individual for any subsequent disclosures of the information
by others that receive the information from the covered entity or
its business associate.