The HIPAA Privacy Standards require documentation to enable System to respond adequately to an Individual’s request for an accounting of disclosures. Any Disclosure of PHI by System that requires documentation shall be documented in the individual’s designated record set by use of the form Disclosure Log in the Appendix to this Manual. The Documentation must include: (i) the date of the Disclosure; (ii) the name and, if known, address of the person who receives the PHI; (iii) a brief description of the PHI Disclosed; (iv) a brief statement of the basis of the Disclosure; (v) if the Disclosure is done pursuant to a written request, that written request; and (vi) a copy of, or a reference to, any other documents considered by the Privacy Officer in approving the request; all of which shall be maintained as required by Section 9.2 of this Manual. The following chart lists the documentation requirements for the categories of disclosures contained in this Policy:
Category of Disclosure Documentation
Disclosure to the IndividualNo
Disclosure to a Personal RepresentativeYes
Secretary InspectionYes
Under an AuthorizationNo
PaymentNo
Health Care OperationsNo
Another Covered EntityNo
Required by LawYes
Judicial or Administrative ProceedingsYes
Public Health ActivitiesYes
Limited Data SetNo
Notification DisclosuresNo
Imminent Threat to Health or SafetyYes
Health Oversight ActivitiesYes
Workers’ CompensationYes
Law Enforcement PurposesYes
Coroners and Medical ExaminersYes
Funeral DirectorsYes
Required by Military AuthorityYes
National Security ActivitiesNo
Incidental DisclosuresNo
Any other Disclosure, whether intentional
or unintentional, including a Breach
Yes
REFERENCES/CITATIONS
45 CFR §§ 164.502(b), 164.514(d)(3)(i) and 164.530(j)
