HIPAA Policy Section 4.14: Documentation of Disclosures

Document Information

The HIPAA Privacy Standards require documentation to enable System to respond adequately to an Individual’s request for an accounting of disclosures. Any Disclosure of PHI by System that requires documentation shall be documented in the individual’s designated record set by use of the form Disclosure Log in the Appendix to this Manual. The Documentation must include: (i) the date of the Disclosure; (ii) the name and, if known, address of the person who receives the PHI; (iii) a brief description of the PHI Disclosed; (iv) a brief statement of the basis of the Disclosure; (v) if the Disclosure is done pursuant to a written request, that written request; and (vi) a copy of, or a reference to, any other documents considered by the Privacy Officer in approving the request; all of which shall be maintained as required by Section 9.2 of this Manual. The following chart lists the documentation requirements for the categories of disclosures contained in this Policy:

Category of Disclosure Documentation

Disclosure to the IndividualNo

Disclosure to a Personal RepresentativeYes

Secretary InspectionYes

Under an AuthorizationNo

PaymentNo

Health Care OperationsNo

Another Covered EntityNo

Required by LawYes

Judicial or Administrative ProceedingsYes

Public Health ActivitiesYes

Limited Data SetNo

Notification DisclosuresNo

Imminent Threat to Health or SafetyYes

Health Oversight ActivitiesYes

Workers’ CompensationYes

Law Enforcement PurposesYes

Coroners and Medical ExaminersYes

Funeral DirectorsYes

Required by Military AuthorityYes

National Security ActivitiesNo

Incidental DisclosuresNo

Any other Disclosure, whether intentional
or unintentional, including a Breach

Yes

REFERENCES/CITATIONS

45 CFR §§ 164.502(b), 164.514(d)(3)(i) and 164.530(j)