HIPAA Disclosure Accounting

Disclosure Accounting Basics

In HIPAA, we have something called disclosure accounting, and most people are not familiar with this. If you are brand new to having your own practice or brand new to not having a whole HIPAA department available to you, know that HIPAA disclosure accounting is not financial. It is accounting the action of process of keeping records of particular disclosures. These are sometimes referred to as Accounting of Disclosures or AOD, and most entities will keep them in a log, either on a spreadsheet or a written log in a WORD processor format.

So, what’s included in this log? Every disclosure that’s made for purposes other than Treatment, Payment, or Healthcare Operations (TPO). Within the context of disclosure accounting, there are mostly those where the patients have asked for it themselves with a few exceptions to this. So, we will go into the exceptions as well. But disclosure is defined as access to delivery of or transmission to parties that do not have authorization to have access to those records whether they have a business association/agreement with you or whether it’s through Treatment, Payment, and Healthcare Operations.  And additionally, if the patient has given you written authorization to share it, you do not have to log that in the accounting log because you will keep that written authorization in that patient’s file.

Treatment, Payment, and Healthcare Operations (TPO)

Let’s talk about what TPO means. The Department of Health and Human Services (HHS) gives some guidance in this, though the actual language in the code of federal regulations will control them.

HHS guidance includes treatment which means provision, coordination, or management of healthcare & related services among healthcare providers or by a provider and a third party, and consultation between healthcare providers or the referral of a patient from one provider to another. So, that’s treatment basically talking from one healthcare provider to another.

Payment encompasses the various activities of healthcare providers:

• to obtain payment or be reimbursed for their services,
• with a health plan, to obtain premiums to fulfill the covered responsibilities and provide benefits under the plan,
• and to obtain or provide reimbursement for the provision of healthcare.

The insurance industry largely looms over everything. The insurance carriers are subject to HIPAA as well, and also you as providers or covered entities if you are interacting with healthcare insurance companies to get reimbursed or if you are reaching out to the patient or the patient’s representative to obtain payment, that would be a payment disclosure.

Healthcare operations are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.

These are the ones that you don’t have to account for.

Accounting of Disclosures

When is an Accounting of Disclosures necessary and what do you need to put on the form? It’s necessary if you disclose patient records for the purposes of selling them, for scientific research, if the data had not been pre-identified, if the client has consented to have the information included in client marketing story, or if the client’s information has been disclosed for other marketing purposes.

In addition, the following categories are also required to be accounted for by law in this accounting of disclosures:

• court orders,
• subpoenas,
• state reporting,
• indoor emergencies,
• public healthcare activities (like the pandemic that we just talked about for the last three years),
• prevention of disease,
• public health investigations,
• victims of abuse, neglect or domestic violence,
• health oversight activities from HHS, FDA, Medicaid/care Fraud Units,
• decedents (coroners, funeral directors, personal representatives),
• research purposes,
• perverting serious health and safety threats (terrorism, like communicable disease organizations, such as the CDC),
• specialized government functions (the military),
• workman’s compensation,
• and even accidental disclosures.

If you have to share any of this information, then you should account for that in your log. Usually this shouldn’t be a huge part of your normal HIPAA routine, but you need to be aware of it because as I said earlier, patients have the right to request it, and they have the right to request it for up to 6 years prior to the request. 

You shouldn’t make disclosure outside of the TPO part of your practice, and when it does happen, and inevitably it will, now you know exactly what to do for those disclosures. So, if you don’t have an AOD log, it ought to be part of your HIPAA Policies and Procedures Manual which is a requirement under HIPAA as well. If you don’t have that, we have a template for that at Functional Lawyer. You can then work with your legal representative and often your IT professional, for the HIPAA Security Rule in order to put that in place and customize for your practice.

Conclusion

Disclosure of Accounting law or Accounting of Disclosures is a requirement under HIPAA when you disclose patient health information for purposes other than Treatment, Payment, and Healthcare Operations. You are required by law to provide patients a list upon request of all the disclosures of their patient health information outside of Treatment, Payment and Healthcare Operations, and ideally, you won’t have too many of them on the log, so it shouldn’t be a huge burden to comply with this.

That is the Accounting of Disclosures kind of an arcane area of HIPAA but very important and required, nonetheless. If you have any questions, reach out to Functional Lawyer anytime.

Works Cited

“Health Insurance Portability and Accountability Act of 1996 (HIPAA).”  CDC: Center for Disease Control and Prevention, U.S. Department of Health & Human Services, 27 June 2022, https://www.cdc.gov/phlp/publications/topic/hipaa.html. Accessed 7 Feb. 2023.