Accounting for All Disclosures

Many in healthcare still haven’t made their peace with HIPAA’s accounting of disclosure requirements—the provision under which covered entities, upon request, must provide patients with a record of the entities to whom they have disclosed the patient’s protected health information (PHI). They consider it an undue administrative burden for requests they rarely receive. Now new requirements in the American Recovery and Reinvestment Act have upped the accounting ante.

The law singles out covered entities that maintain PHI in electronic health records, requiring them to account for disclosures of PHI made even for purposes of treatment, payment, and healthcare operations—actions exempted under HIPAA. Under the new law, covered entities must be able to provide disclosures dating back three years from the patient request.

ARRA also requires that covered entities account for the disclosures of their business associates, or require them to make their own accounting. Business associates must respond to individual requests made directly to them.

The secretary of Health and Human Services is charged with determining what information patients may request and covered entities and business associates must provide.

Early Warning for EHR Systems

Covered entities currently using EHR systems have until January 1, 2014, to comply. Existing systems will need to be adapted to meet the new requirement, since few were likely designed to account for disclosures this finely.

Covered entities that purchase EHR systems dating from the first of this year must be compliant as of January 1, 2011. Systems purchased after that date must be capable of compliance right out of the box.

That means covered entities in the market for EHR systems now must get assurance from vendors that the systems will be able to meet the new disclosure criteria.

The secretary’s regulations are required no later than August.


  1. Under the new requirements of ARRA does this require that facilities produce the computerized audit trail of employees who have accessed PHI for use within their own facility if this audit trail is requested by a patient?

  2. Will the ARRA requirements for disclosure negatively affect the development of RHILO’s like the one recently stood up in California? With the ARRA disclosure rules, physicians will be reluctant to digitize their offices to be able to share information (PHI) with others, for fear that it will increase the need for data input of what was released and to whom. If HIPAA was a mess on the disclosure reporting side, why confuse the matter with the passing of the ARRA provision?

  3. Vicki,
    At this point, no one is sure whether the accounting would include an audit trail of staff access. ARRA itself didn’t go into that level of detail. Instead it charged HHS with determining exactly what information providers will have to include in the accounting.

  4. The secretary’s regulations are required no later than August.

    This is not true. Quote: The secretary shall promulgate regulations on what information shall be collected about each disclosure…not later than 6 months after the date on which the secretary adopts standards on accounting for disclosure…

    When is the deadline for the standards to be adopted? Nowhere is it stated. Once we know that, then we can figure out 6 months afterward.

  5. Jeff, thank you for pointing this out. I should have written that by August HHS is required to issue regulations defining the content of the accounting. By December 31, the department must adopt technical standards that enable EHRs to produce that content in an accounting. Six months after that, HHS must promulgate the rule.

    So that takes us to June 2010.

    That deadline, by the way, appears in ONC’s recently released implementation plan at

  6. Do you have to disclose all releases of Health Information to the patients? Court orders, continuum of care?


  7. How do ARRA, Accounting of Disclosures, and the changes apply to a Radiology Film Library?
    We release images burned to a CD and/or hard copy films. We are also separate from the HIM Dept. Should we keep a log of all requests?
