Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Title: Accounting of Disclosures of Health Information
Subject: Office of Compliance & Corporate Integrity (OCCI)
Policy No: OCCI:2013:P01
Applies: RowanSOM
Issuing Authority: President
Responsible Officer: Chief Audit, Compliance and Privacy Officer; Director of Information Security 
Date Adopted: 07/1/2013
Last Revision: 03 01/2426/20202021
Last Reviewed: 03 01/2426/20202021


To establish a policy and procedure to ensure Rowan University’s School of Osteopathic Medicine (RowanSOM) compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the Omnibus Privacy Final Rule of 2013 in providing an individual the right to receive an accounting of disclosures of his/her Protected Health Information (PHI), made by RowanSOM and/or its covered entities.


  1. Each RowanSOM unit will implement a process to provide an accounting to individuals of all disclosures except:

    1. disclosures to carry out treatment, payment and healthcare operations

    2. disclosures to the individual of PHI about themselves

    3. disclosures for the facility’s directory or to persons involved in the individual’s care or other notification purposes

    4. disclosures for national security or intelligence purposes

    5. disclosures to correctional institutions or law enforcement officials, as provided

    6. disclosures that occurred prior to April 14, 2003

    7. disclosures pursuant to an authorization

    8. disclosures incident to a use and disclosure otherwise permitted

    9. disclosures that are part of a limited data set in accordance with 45 CFR 164.514(e)

  2. An accounting must cover a period of six (6) years, unless the request specifies a shorter period.

  3. Each RowanSOM unit will implement a process to provide an accounting to individuals of all disclosures. The accounting for each disclosure must include:

    1. the date of the disclosure request

    2. reason why entity needs PHI

    3. name(s) of RowanSOM employee processed the request

    4. log of whether or not the entity was eligible to receive PHI

    5. if the PHI was transmitted to requesting entity

    6. the name and address of the entity or person who received the PHI

    7. accurate description of the PHI disclosed

    8. when the PHI was sent to requesting entity

    9. how the PHI was sent to requesting entity

    10. a copy of a written request for disclosure (i.e. subpoena, etc).

    11. confirmation of entity receiving requested PHI

  4. If a RowanSOM unit has made multiple disclosures of PHI to the same person or entity for a single purpose, the accounting with respect to such multiple disclosures should provide:

    1. the information required as described in section VI.A.3. for the first disclosure during the accounting period

    2. the frequency or number of the disclosures made during the accounting period

    3. the date of the last disclosure during the accounting period

  5. All RowanSOM units must document and retain for six (6) years the following information:

    1. the information required to be included in an accounting as discussed in section VI.B.3

    2. the written accounting itself that was given to the requesting individual

    3. the titles of persons or offices responsible for receiving and processing requests for an accounting

  6. If, during the period covered by the accounting, a unit has made disclosures of PHI for a particular research purpose in accordance with CFR 164.512(i) for fifty (50) or more individuals, the accounting may, with respect to such disclosures for which the PHI about the individual may have been included, provide:

    1. The name of the protocol or other research activity

    2. A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records

    3. A brief description of the type of PHI that was disclosed

    4. The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period

    5. The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed

    6. A statement that the PHI of the individual may or may not have been disclosed for a particular protocol or other research activity

  7. If the unit provides an accounting for research disclosures in accordance with section VI.B.6. and it is reasonably likely that the PHI of the individual was disclosed for such research protocol or activity, the unit must, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher.


Any individual who violates this policy shall be subject to discipline up to and including dismissal from the University in accordance with their union and University rules.  Civil and criminal penalties may be applied accordingly.  Violations of this policy may require retraining and be reviewed with employee during the annual appraisal process. The Deans of each College, Vice Presidents, and University President, with the assistance of the Department of Human Resources, will enforce the sanctions appropriately and consistently to all violators regardless of job titles or level within the University and in accordance with bargaining agreements for represented employees. Any sanction costs or fines will be borne by the Department and the Department Chair or VP will determine how these funds will be assigned.

By Direction of the President:

Signature on file