Accounting of  Disclosures of Protected Health Information:

 The Privacy Rule gives research subjects the right to an accounting of disclosures of his/her protected health information.  A disclosure of PHI means communicating that information to a person or entity outside of Boston University, BMC, BU Dental Clinic, BU Dental Health Plan, BU Dental Pathology Lab, and the BU Human Genetics Lab.  Investigators who disclose PHI to colleagues at other institutions for the purpose of research, using either a Waiver of Authorization, Preparatory to Research or Decedent Research forms, must keep a record of disclosures.  BMC is responsible for their own accounting of disclosures. (www.internal.bmc.org/hipaa/disclosures.asp.)

When an investigator receives an individual’s request, the investigator must account for disclosures of that individual’s PHI made on or after the compliance date, April 14, 2003 .  For example, an accounting for research purposes is not needed when the PHI disclosure is made:

An individual’s right to receive an accounting of disclosures (unless an exception applies) starts on the compliance date, April 14, 2003 and goes back 6 years from the date of the request, not including periods prior to the compliance date.  The investigator must keep records of PHI disclosures for 6 years.

The Privacy Rule allows three methods for accounting for research-related disclosures that are made without the individual’s Authorization or other than a limited data set: 1) a standard approach, 2) a multiple-disclosures approach, and 3) an alternative for disclosures involving 50 or more individuals.  Whatever approach is selected, the accounting is made in writing and provided to the requesting individual.  Accounting reports to individuals may include results from more than one accounting method.

            Standard Accounting

            Standard accounting includes, for each disclosure, the following information:

§         The date the disclosure was made

§         The name and address of the person or entity receiving the PHI

§         A brief description of the PHI disclosed

§         A brief statement of the reason for the disclosure

Multiple Disclosures Accounting

Multiple disclosures accounting is permissible if the covered entity has made multiple disclosures of PHI to the same person or entity for a single purpose under Sections 164.502(a)(2)(ii) or 164.512 of the Privacy Rule.  For each disclosure, the following must be included

§         The date the initial disclosure was made during the accounting period

§         The name and address of the person or entity receiving the PHI

§         A brief description of the PHI disclosed

§         A brief statement of the reason for the disclosure

§         The frequency or number of the disclosures made during the accounting period

§         The date of the last such disclosure during the accounting period

Alternative Accounting

If a covered entity has made disclosures regarding 50 or more individuals for a particular research project under Section 164.512(i) of the Privacy Rule, the accounting may be limited to the following information:

§         The name of the protocol or research activity

§         A plain-language description of the research protocol or activity, purpose of the research, and criteria for selecting particular records

§         A description of the type of PHI disclosed

§         The date or period of time during which the disclosure(s) occurred, including the date of the last disclosure during the accounting period

§         The name, address, and telephone number of the entity that sponsored the research and of the investigator who received the PHI

§         A statement that the individual’s PHI may or may not have been disclosed for a particular protocol or research activity

If the covered entity uses the alternative accounting method, it must, if requested to by the individual, assist the individual in contacting the research sponsor and the investigator.  Such assistance, however, is limited to those situations in which there is a reasonable likelihood that the individual’s PHI was actually disclosed for the research protocol or activity.

(We refer to this as "tracking disclosures" elsewhere on this Research Privacy web site.) Upon request, a covered entity must provide the individual with an accounting of each disclosure by date, the PHI disclosed, the identity of the recipient of the PHI, and the disclosure. However, where the covered entity has, during the accounting period, made multiple disclosures to the same recipient for the same purpose, the Privacy rule provides for a simplified means of accounting. In such cases, the covered entity need only identify the recipient of such repetitive disclosures, the purpose of the disclosure, and describe the PHI routinely disclosed. The date of each disclosure need not be tracked. Rather, the accounting may include the date of the first and last such disclosure during the accounting period, and a description of the frequency of such disclosures.
A covered entity is not required to account for all disclosures of PHI.
An accounting is not required for disclosures made:


Business Associate (BA): A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity?s workforce. A business associate can also be a covered entity in its own right. Also see Part II, 45 CFR 160.103.


Covered Entity (CE): Under HIPAA, this is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction. Also see Part II, 45 CFR 160.103.

Covered Function: Functions that make an entity a health plan, a health care provider, or a health care clearinghouse. Also see Part II, 45 CFR 164.501.


Data Element: Under HIPAA, this is the smallest named unit of information in a transaction. Also see Part II, 45 CFR 162.103.
Disclosure: Release or divulgence of information by an entity to persons or organizations outside of that entity. Also see Part II, 45 CFR 164.501.


Health Insurance Portability and Accountability Act of 1996 (HIPAA): A Federal law that makes a number of changes that have the goal of allowing persons to qualify immediately for comparable health insurance coverage when they change their employment relationships. Title II, Subtitle F, of HIPAA gives DHHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information. Also known as the Kennedy-Kassebaum Bill, the Kassebaum-Kennedy Bill, K2, or Public Law 104-191. 

Hybrid Entity: A covered entity whose covered functions are not its primary functions. Also see Part II, 45 CFR 164.504.


Minimum Necessary: The Privacy Rule stipulates that covered entities limit the amount of information disclosed to the minimum necessary to achieve the specified goal [45 CFR 164.514(d)(1)]. This requirement would not apply if the disclosure were required by law, authorized by the individual, or for treatment purposes. 


Protected Health Information (PHI): PHI is individually identifiable health information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to 1) the past, present, or future physical or mental health, or condition of an individual; 2) provision of health care to an individual; or 3) payment for the provision of health care to an individual. If the information identifies or provides a reasonable basis to believe it can be used to identify an individual, it is considered individually identifiable health information. See Part II, 45 CFR 164.501.


Tracking disclosures: see Accounting for Disclosures


Workforce: Under HIPAA, this means employees, volunteers, trainees, and other persons under the direct control of a covered entity, whether or not they are paid by the covered entity. Also see Part II, 45 CFR 160.103.