TITLE:

ACCOUNTING OF DISCLOSURES OF A PATIENT'S PROTECTED HEALTH INFORMATION

POLICY:
Columbia University Medical Center will respond appropriately to requests from patients for an Accounting of Disclosures listing the disclosures made of their Protected Health Information (PHI) by Columbia University Medical Center.

PURPOSE :
One of the rights granted to patients under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the right of the patient to request and receive an accounting of the disclosures made of the patient's PHI. While most of the disclosures of a patient's PHI are subject to an accounting, there are some disclosures that are not required to be included on an Accounting of Disclosures provided to the patient.
The patient's right to request and receive an Accounting of Disclosures is described in some detail in the Columbia University Medical Center's Notice of Privacy Practices. Like some of the other rights, this right requires action on the part of the patient before Columbia University Medical Center can respond. This Policy describes what Columbia University Medical Center must do to be able to provide the patient with an accurate Accounting of Disclosures.

PROCEDURES:

1. Responsibility to document disclosures. Individuals who disclose a Columbia University Medical Center patient's PHI will document those disclosures that must be included on an Accounting of Disclosures.



1. Disclosures of a patient's PHI that do not need to be documented are disclosures:
1. made prior to April 14, 2003;



2. made to carry out treatment, payment, or healthcare operations;



3. made to the patient;



4. made pursuant to a valid and effective authorization (one that complies with the requirements of state law as well as with the HIPAA Privacy Regulations) signed by the patient;



5. made to persons involved in the patient's care or other notification and location purposes;



6. to federal officials for national security or intelligence purposes;



7. to a correctional institution or law enforcement official that has custody of a patient;



8. that are part of a limited data set; and



9. to a health oversight or law enforcement official or agency provided the official or agency notifies Columbia University Medical Center in writing that providing an Accounting of Disclosures to a specific patient would be reasonably likely to impede the official's or agency's activities.



2. Disclosures that must be documented include disclosures:
1. to a business associate of Columbia University Medical Center - unless the disclosure to the business associate is made for purposes of the business associate providing treatment, payment, or healthcare operations activities on behalf of Columbia University Medical Center;



2. required by law, including mandatory reporting to local, state, and federal agencies and authorities;



3. for purposes of public health activities (e.g., for preventing or controlling disease, injury, or disability, for reporting of disease, injury, birth, or death, and for conducting public surveillance, public health investigations, and public health interventions);



4. about victims of abuse, neglect, or domestic violence;



5. for health oversight activities;



6. for judicial and administrative proceedings;



7. for law enforcement purposes pursuant to process and for identification and location purposes;



8. to coroners, medical examiners, and funeral directors;



9. for cadaveric organ, eye, or tissue donation purposes;



10. for research purposes;



11. to avert a serious threat to health or safety;



12. for specialized government functions including military and veterans activities, national security and intelligence activities, protective services for the President of the United States and other public officials, correctional institutions and other law enforcement custodial situations; and



13. for workers' compensation.



3. The information that must be documented for each disclosure is:
1. the date of the disclosure;



2. the name of the entity or person who received the PHI and, if known, the address and contact information;



3. a brief description of the PHI disclosed (e.g., records for visit on June 7, 2003, all radiology reports related to broken wrist, etc.); and



4. a brief statement of the purpose of the disclosure that reasonably informs the patient of the basis for the disclosure.



4. Documentation should be maintained so it can be retrieved quickly upon a request from the HIPAA Privacy Officer who is responsible for compiling the disclosures made across Columbia University Medical Center and providing the Accounting of Disclosures to the patient.



5. Questions about what types of disclosures must be documented should be directed to the employee's supervisor or the HIPAA Privacy Officer.



2. Required patient action.
1. If a patient requests an Accounting of Disclosures from Columbia University Medical Center, the individual receiving the request must ask the patient to complete and forward a Request for an Accounting of Disclosures form to the HIPAA Privacy Officer.



2. The individual receiving the patient's request will provide a blank Request for an Accounting of Disclosures form to the patient.
   
   The Request for an Accounting of Disclosures form is available on the Columbia University Medical Center website. Click on Administrative Services or "Patient Care" from the home page (www.cumc.columbia.edu), then click on the link to HIPAA on the right side of the page. Select the form from the list of forms available on the left side of the page.



3. All completed Request for an Accounting of Disclosures forms will be maintained for a minimum of six (6) years.



3. Responding to a patient's request.
1. When the HIPAA Privacy Officer receives a Request for an Accounting of Disclosures form from a patient, the HIPAA Privacy Officer will coordinate compiling the Accounting.



2. The HIPAA Privacy Officer will contact the affected Departments to obtain from each Department a list of any disclosures that have been made of the requesting patient's PHI by that Department.
1. Each Department will provide the requested list of disclosures within ten (10) days of the communication from the HIPAA Privacy Officer.



2. The list of disclosures will include all the information required for complete documentation as specified in 1.c above.



3. The Department will document that an Accounting of Disclosures was requested by the patient in either the Department's or the patient's file.



4. When responding to a request from the HIPAA Privacy Officer for a list of disclosures made of a patient's PHI, the Department will also include the date of any requests for Accountings for that patient made within the past twelve (12) months.



5. The Department will retain all documentation relating to disclosures made and requests from the HIPAA Privacy Officer for a minimum of six (6) years.



3. Definitions

Protected Health Information (PHI) means information, including demographic information that may identify the patient, that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual and identifies or could reasonably be used to identify the individual.

RESPONSIBILITY:         Departments, HIPAA Privacy Officer