Bottom Line

HIPAA requires that all Covered Entities have a system in place to track the release of protected health information (PHI). This regulation impacts the processes surrounding Release of Information (ROI). ScanSTAT is always willing to share best practices to ensure compliance with these tracking requirements. Despite popular belief, it is not necessary to maintain an Accounting of Disclosure log for each Release of Information request. [1] The tracking methods in this document are less invasive and less time-consuming for healthcare organizations, yet still maintain compliance as it relates to tracking the transmission of PHI. Disclosures made pursuant to an authorization do not need to be tracked on an Accounting of Disclosures. Uses and disclosures of PHI to carry out treatment, payment or healthcare operations (TPO) also do not need to be tracked at this time.

What are Best Practices?

To accommodate this HIPAA mandate, healthcare organizations are required to have tracking mechanisms and reports in place. Many believe that, in order to comply with HIPAA, their disclosure logs must be burdened with meticulous details of each and every ROI request ever made. However, many of the details we see healthcare organizations include in these logs are not required for compliance. For example, one false assumption we see organizations make is that the number of pages must be documented on the disclosure log for ROI purposes. This is not stated anywhere in the HIPAA regulations. Recording the number of pages will not inform a forensic analysis of what was disclosed.

Below are the HIPAA-compliant parameters surrounding Release of Information. You will find that all of the reporting and documentation that ScanSTAT produces for our clients fulfills the required parameters. Should an Accounting of Disclosure be initiated, more information than what appears below may be required. In such an instance, ScanSTAT is willing to share further guidance with our clients.

Appropriate Tracking of Release of Information Includes

  1. Date of disclosure[1]
  2. Name and address of recipient (business or person’s name)[2]
  3. Brief description of PHI disclosed[3]
  4. Brief statement of purpose of disclosure[4] (a basis for the disclosure)[5]

A properly signed authorization contains all of the details needed to fulfill HIPAA compliance. At ScanSTAT, we follow the same parameters listed above for ROI purposes because the information is easily tracked, captured and produced. As a ScanSTAT ROI client, know that we will document our activity and records request fulfillment in your EHR and document the actual information disclosed in our internal systems to meet compliance measures.

[1] 45 CFR 164.528(a)(1)(iv)

[2] 45 CFR 164.528(b)(2)(ii)

[3] 45 CFR 164.528(b)(2)(iii)

[4] 45 CFR 164.528(b)(2)(iv)

[5] 45 CFR 164.528(b)(2)(v)