ROWAN UNIVERSITY POLICY
Title: Accounting of Disclosures of Health Information
Subject: Office of Compliance & Corporate Integrity (OCCI)
Policy No: OCCI:2013:P01
Applies: RowanSOM
Issuing Authority: President
Responsible Officer: Chief Audit, Compliance and Privacy Officer; Director of Information Security
Adopted: 07/1/2013
Last Revision: 01/26/2021
Last Reviewed: 01/26/2021
I. PURPOSE
To establish a policy and procedure to ensure Rowan University’s School of Osteopathic Medicine (RowanSOM) compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the Omnibus Privacy Final Rule of 2013 in providing an individual the right to receive an accounting of disclosures of his/her Protected Health Information (PHI), made by RowanSOM and/or its covered entities.
II. ACCOUNTABILITY
Under the direction of the President, the Senior VP for Medical Initiatives and Affiliated Campuses, Dean, the Chief Audit, Compliance & Privacy Officer, and Vice President for Research shall ensure compliance with this policy.
III. APPLICABILITY
This policy shall apply to health information that is generated during provisions of health care to patients in any of the University’s patient care units, patient care centers or faculty practices as well as Human Subjects research under the auspices of the University or by any of its agents in all RowanSOM Schools, Units, Departments and University owned or operated facilities.
IV. DEFINITIONS
“Protected Health Information (PHI)” means individually identifiable health information that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual and identifies or could reasonably be used to identify the individual. If a patient has been deceased for more than fifty (50) years, the PHI is no longer considered protected. This is not a record retention requirement and covered entities may destroy medical records according to the State or other applicable laws. When individually identifiable health information is created, received, maintained or transmitted by a Business Associate and tied to a covered entity is considered PHI.
Except as provided in paragraph (b) of this definition that is:
transmitted by electronic media
maintained in electronic media
transmitted or maintained in any other form or medium
Protected health information excludes individually identifiable health information in:
Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g
Records described at 20 U.S.C. 1232g(a)(4)(B)(iv)
Employment records held by a covered entity in its role as employer
V. REFERENCES
- 45 CFR 164.528, Title 45, Code of Federal Regulations, Part 164, Section 528, Security and Privacy, Accounting of Disclosures of Protected Health Information
- 45 CFR 164.512 (i), Title 45, Code of Federal Regulations, Part 164, Section 512, Security and Privacy, Uses and Disclosures for Which Consent, an Authorization or Opportunity to Agree or Object is not Required, Uses and Disclosures for Research Purposes
- 45 CFR 164.514(e), Title 45, Code of Federal Regulations, Part 164, Section 514, Subpart E, Security and Privacy, Privacy of Individually Identifiable Health Information
- Uses and Disclosures of Health Information With and Without an Authorization
- Health Information Technology for Economic and Clinical Health Act of 2009 (part of the American Recovery and Reinvestment Act of 2009)
- Omnibus Privacy Final Rule of 2013
The following policies provide additional and related information:
- Standards for Privacy of Individually Identifiable Health Information
- Access of Individuals to Health Information
VI. POLICY
A. Requirements:
- RowanSOM and/or its units will provide an individual with an accounting of all disclosures of their PHI upon the individual’s written request as required by state and federal law. A request for Accounting of Disclosures Form can be accessed on the Rowan Compliance website.
- RowanSOM units will act on an individual’s request for an accounting within thirty (30) days of receipt of the request. If a unit is unable to provide the accounting within thirty (30) days, it may extend the time period to provide the accounting by no more than thirty (30) days; however, within the original thirty (30) days, units must provide the individual with a written statement of the reasons for the delay and the date by which units will provide the accounting. RowanSOM units are only permitted one extension per request.
- The first accounting in a twelve-month period to an individual must be provided without charge. However, units may impose a reasonable cost-based fee for each subsequent request for an accounting made by the same individual within the twelve-month period provided the unit informs the individual of the fee prior to complying with the request, thus giving the individual the opportunity to withdraw or modify the request.
- As part of the accounting of the disclosures, the unit will coordinate the releases of PHI with business associates.
- A RowanSOM unit must temporarily suspend an individual’s right to receive an accounting of disclosures made to a health oversight agency or law enforcement official, for the time specified by such agency or official, if such agency or official provides the unit with a written statement that such an accounting to the individual would be reasonably likely to impede the agency’s activities and it must include the time frame for which such a suspension is required.
- A RowanSOM unit must temporarily suspend an individual’s right to receive an accounting of disclosures made to a health oversight agency or law enforcement official, for the time specified by such agency or official, if such agency or official provides the unit with an oral statement that such an accounting to the individual would be reasonably likely to impede the agency’s activities and it must include the time frame for which such a suspension is required. However, inasmuch as the statement was given orally, units must:
- document the statement, including the identity of the agency or official making the statement
- limits the temporary suspension to no longer than thirty (30) days from the date of the oral statement, unless a written statement is submitted during that time
- Requests made for accountings of disclosures of PHI must be made to the employee or department designated by the Dean, President, and Chief Audit, Compliance & Privacy Officer.
B. Responsibilities:
Each RowanSOM unit will implement a process to provide an accounting to individuals of all disclosures except:
disclosures to carry out treatment, payment and healthcare operations
disclosures to the individual of PHI about themselves
disclosures for the facility’s directory or to persons involved in the individual’s care or other notification purposes
disclosures for national security or intelligence purposes
disclosures to correctional institutions or law enforcement officials, as provided
disclosures that occurred prior to April 14, 2003
disclosures pursuant to an authorization
disclosures incident to a use and disclosure otherwise permitted
disclosures that are part of a limited data set in accordance with 45 CFR 164.514(e)
An accounting must cover a period of six (6) years, unless the request specifies a shorter period.
Each RowanSOM unit will implement a process to provide an accounting to individuals of all disclosures. The accounting for each disclosure must include:
the date of the disclosure request
reason why entity needs PHI
name(s) of RowanSOM employee processed the request
log of whether or not the entity was eligible to receive PHI
if the PHI was transmitted to requesting entity
the name and address of the entity or person who received the PHI
accurate description of the PHI disclosed
when the PHI was sent to requesting entity
how the PHI was sent to requesting entity
a copy of a written request for disclosure (i.e. subpoena, etc).
confirmation of entity receiving requested PHI
If a RowanSOM unit has made multiple disclosures of PHI to the same person or entity for a single purpose, the accounting with respect to such multiple disclosures should provide:
the information required as described in section VI.A.3. for the first disclosure during the accounting period
the frequency or number of the disclosures made during the accounting period
the date of the last disclosure during the accounting period
All RowanSOM units must document and retain for six (6) years the following information:
the information required to be included in an accounting as discussed in section VI.B.3
the written accounting itself that was given to the requesting individual
the titles of persons or offices responsible for receiving and processing requests for an accounting
If, during the period covered by the accounting, a unit has made disclosures of PHI for a particular research purpose in accordance with CFR 164.512(i) for fifty (50) or more individuals, the accounting may, with respect to such disclosures for which the PHI about the individual may have been included, provide:
The name of the protocol or other research activity
A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records
A brief description of the type of PHI that was disclosed
The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period
The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed
A statement that the PHI of the individual may or may not have been disclosed for a particular protocol or other research activity
If the unit provides an accounting for research disclosures in accordance with section VI.B.6. and it is reasonably likely that the PHI of the individual was disclosed for such research protocol or activity, the unit must, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher.
VII. NON-COMPLIANCE AND SANCTIONS
Any individual who violates this policy shall be subject to discipline up to and including dismissal from the University in accordance with their union and University rules. Civil and criminal penalties may be applied accordingly. Violations of this policy may require retraining and be reviewed with employee during the annual appraisal process. The Deans of each College, Vice Presidents, and University President, with the assistance of the Department of Human Resources, will enforce the sanctions appropriately and consistently to all violators regardless of job titles or level within the University and in accordance with bargaining agreements for represented employees. Any sanction costs or fines will be borne by the Department and the Department Chair or VP will determine how these funds will be assigned.
By Direction of the President:
Signature on file
Chief Audit, Compliance and Privacy Officer