Question: When required, the information provided to the data subject in a HIPAA disclosure accounting?
Answer: Must be more detailed for disclosures that involve fewer than 50 subject records.
When a disclosure accounting is required, the information provided to the data subject must be more detailed; in most cases such an accounting involves fewer than 50 subject records. In some specific cases, the information provided to the data subject may cover more than 50 subject records.
Disclosure accounting is only required when one or more of HIPAA’s limited exceptions to authorization applies. The law requires these accountings to include a brief description of the uses and disclosures, as well as the names (or other specific designation) of the program or person permitted to make the uses or disclosures.
In cases where more than 50 subject records are involved, a summary record can be used as an alternative. This is limited to those exceptions where the accounting of disclosures would not be related to each individual’s right to access their PHI.
For a summary record disclosure, the following information must be included:
- The dates (including start and end dates of the time period covered);
- The reason for the disclosure;
- A brief description of the PHI disclosed; and,
- Whether a business associate provided the data or disclosed it on behalf of the covered entity.
If more than 50 subject records are involved in such a disclosure, then the individual subject records should be provided to the data subject separately.
What is HIPAA?
HIPAA is US legislation that provides data privacy and security provisions for safeguarding medical information. In recent years the law has gained more prominence as many healthcare data breaches have been caused by cyberattacks and ransomware attacks on health insurers and providers.
On August 21, 1996, President Bill Clinton signed the HIPAA legislation into law. Unless a state’s legislation is more stringent than HIPAA, it is preempted by the federal law.
The HIPAA rules are enforced by federal agencies including the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), state health departments, state attorney general offices, the Federal Trade Commission (FTC), the HHS secretary, and in some cases the US Department of Justice.
Under HIPAA, covered entities must comply with rules regarding protected health information (PHI). PHI is defined as individually identifiable health information that is transmitted by electronic media or stored in any medium.
This includes demographic data, medical histories, test results, insurance information, and other personal data about a person’s health. Under HIPAA rules, PHI must be used responsibly. HIPAA rules apply to all forms of PHI including handwritten notes—if they are stored electronically.
HIPAA rules limit who can look at PHI and under what circumstances, as well as how PHI is shared with outside organizations. For example, patients must give their consent for their PHI to be shared with third parties unless the disclosure falls into one of HIPAA’s exceptions. There are also minimum security standards that covered entities must follow.
HIPAA Civil Penalties
Covered entities that violate HIPAA rules are subject to civil penalties of up to US$50,000 per violation, with an annual maximum of $1.5 million. Criminal penalties for HIPAA violations can be as high as ten years in prison and a fine of up to $250,000 for individuals or $500,000 for organizations.
Under HIPAA rules, patients have the right to access their PHI and request corrections or amendments if they believe their PHI is incorrect or incomplete.
Roughly one in four US adults has errors on their medical records, according to a 2017 study by Johns Hopkins University School of Medicine researchers published in JAMA Internal Medicine. These record errors can lead to medical mistakes or misdiagnosis, which can in turn cause serious problems.
The Department of Health and Human Services says that under HIPAA rules, patients have the right to request that their PHI be sent to them electronically if they wish. Patients may also ask for copies of the record to be provided in an electronic format by email or through a secure transmission portal.
HIPAA rules require a standard way to report disclosures of PHI to HHS involving unauthorized access, use, or disclosure—and require covered entities to document all such incidents. The OCR website tracks HIPAA breaches and provides information for individuals about their rights under HIPAA rules.
What does the HIPAA Privacy Rule do?
- The regulations are designed to inform individuals about how their health information is used and disclosed, create national standards to protect the privacy of personal health
- Give patients more control over their personal health information.
- It specifies what personal data is protected (e.g., social security numbers, address, telephone number).
- There are specific requirements for how covered entities must identify and limit uses and disclosures of protected health information in order to ensure compliance with the regulation.
Your Rights Under HIPAA
HHS OCR – Your Health Information, Your Rights
Patients have the right to keep their health information private, and neither doctors nor hospitals can just take it away. They also have the right to know how their records are used and shared and the option of requesting a copy of their records or having changes made in them.
HIPAA Resources: HIPAA Basic Knowledge PDF
I hope this article has helped you with information on “When required, the information provided to the data subject in a HIPAA disclosure accounting.” Thanks for reading!