OCR Requests Input on Pending Accounting of Disclosures Regulation

The Office for Civil Rights published a request for information on accounting of disclosures today, seeking input on its upcoming regulation to enact new provisions specified under the HITECH Act.

The information, OCR writes, will help it “better understand the interests of individuals with respect to learning of such disclosures” as well as “the administrative burden on covered entities and business associates of accounting for such disclosures.”

Most notably, HITECH requires covered entities to account for disclosures made for purposes of treatment, payment, and healthcare operations, disclosures which had been exempted under HIPAA. It also requires entities that purchased EHR systems on or after January 1, 2009, to begin providing these accountings on January 1, 2011. (Entities with older systems have until 2014 to comply.)

In all, OCR poses nine questions (abbreviated here):

  1. What are the benefits to the individual of an accounting of disclosures, particularly of disclosures made for treatment, payment, and health care operations purposes?
  2. Are individuals aware of their current right to receive an accounting of disclosures?
  3. If you are a covered entity, how do you make clear to individuals their right to receive an accounting of disclosures? How many requests for an accounting have you received from individuals?
  4. For individuals that have received an accounting of disclosures, did the accounting provide the individual with the information he or she was seeking?
  5. Should an accounting for treatment, payment, and health care operations disclosures include to whom a disclosure was made (i.e., recipient) and the reason or purpose for the disclosure?
  6. For entities with existing EHRs, OCR asks several questions about the system’s capabilities, including its ability to distinguish between use and disclosure, the data it captures, whether the system is centralized or decentralized, and whether it currently generates an accounting of disclosures.
  7. For entities that purchased a system on or after January 1, 2009, OCR asks if they will be able to begin accounting for disclosures for treatment, payment, and operations by the January 1, 2011, deadline? If not, how much time would it take vendors to implement such a feature?
  8. Is it feasible for an EHR module to handle the accounting function, particularly in entities with a decentralized EHR system?
  9. Is there any other information that would be helpful to the Department regarding accounting for disclosures through an electronic health record to carry out treatment, payment, and health care operations?

Earlier this year the Journal polled AHIMA members on the number of requests their organizations had filled under HIPAA. Nearly 60 percent had not received a request since the privacy rule took effect in April 2003. Most reported that disclosures were made throughout their organizations via decentralized systems, making it a challenge to ensure all disclosures are properly and fully recorded.

Comments are due to OCR by May 18. Share your answers here, too–what benefits, demand for, and challenges do you see in accounting for disclosures?


  1. Having experience from my prior role as the Privacy Official for our organization, the patient really only wants to know if their ‘record’ has been accessed and/or disclosed inappropriately. If I put my shoes on as a patient (with 25+ year health care experience) I fully understand that it’s not within my realm as a patient to interpret why 100+ users would access my EHR in a 2 day LOS. How many times have I asked my Bank to tell me who had reviewed my information and why?

    How would a patient (or the health care organization) have the resources to do this and what’s the purpose if we’re all trying to be transparent with the public about ‘who is snooping in my record?’ or ‘help me figure out who stole my identity?’

    Privacy programs should already have the resources to readily identify inappropriate access (albeit wide differences in what is audited per vendor/app per organization exist). I recommend that this should be our focus – develop industry standards of WHAT is audited to demonstrate inappropriate access and potential disclosure.

  2. In the world of HIE it is important to note that we have the same audit requirements that any other Business Associate has. Our current policy for accounting of disclosures requires the request to come from a participating provider (we do not currently permit direct patient access). Accounting for disclosures includes only which providers have accessed within our systems.
    Obviously this is a limited set of information and must be added to the audit within the document source systems and the document consumer systems to provide a complete accounting of disclosures.

  3. I work at a LTC facility and I would like clarification on the specifics of what to disclose. I’ve had different disciplines ask such questions as:
    1) If I call a guardian about a diet change,
    2) If I say to a resident’s daughter/son – your Mom had a restless night,
    3) If I call the resident’s doctor for any reason,
    4) If I call a resident’s POA requesting that they may go on an outing,
    5) If I set up a transfer to a doctor’s appt. or set up for a lab,
    JUST how specific are we to be when accounting for disclosures? Guidelines would be great!
    Thank you – Peg Lefeber

  4. In my business as an ROI provider, keeping an accounting of disclosures is pretty straightforward – we have a written request and authorization and we release what has been authorized. I’ve heard from clients that in the realm of providing good patient care and customer service, keeping an accounting of disclosures can be a challenge in large and small organizations. What was the intent of this requirement in the HITECH Act? If this is not a requirement in other business entities such as banking, why is healthcare being targeted to provide the AOD for all who must access the patient record to provide care?
    Thank You
    Bonnie Coffey

  5. Question #6 poses an interesting question regarding the ability to distinguish between use and disclosure. I would be interested in knowing more about the definitions of use versus disclosure in any medium, not just the electronic media. The questions from Peg L. seem to me to be for use. I would think that disclosure would be more if another entity or provider requested the record, not the LTC Facility trying to treat the patient.

    When the facility reviews a chart for quality purposes, would it be use or disclosure? Would we need to log this activity?

  6. Tracking the accounting of disclosures is a very burdensome piece of the HIPAA legislation. The proposed HITECH modifications add tremendously to the burden. Patients sign authorizations upon admission that explain information will be used for treatment and billing purposes. If the facilities have to account for every time they give a result to a treatment physician it will be a huge drain financially and in staffing. I agree that what the patient wants to know is was their record accessed inappropriately. Let’s put our resources to better use than this overwhelming clerical function.

  7. I concur that the issue here, should it become a regulatory requirement, involves an accounting of DISCLOSURES, not an accounting of USES (or ABUSES, although one could make an argument for that) or VIEWS. As such the issue would become similar to a consumer being able to receive an accounting of DISCLOSURES with one’s Credit Report. As such, the definition of DISCLOSURES must address the strict rules applied for Release of Information in provider organizations (an example of which is provided in an above comment).

    Regarding #8 – Is it feasible for an EHR module to handle the accounting function, particularly in entities with a decentralized EHR system?

    I strongly believe most administrative and accounting-type functions should NOT be included in an EHR system. An EHR system is a clinical system. Since this issue falls into the realm of the Legal EHR (with the following definition — The legal health record is generated at or for a healthcare organization as its BUSINESS RECORD and is the record that will be disclosed upon authorized request.), the function, should it become a regulatory requirement, should be addressed by “administrative / accounting”, ROI-type systems in provider organizations and centrally-managed by HIM Departments, even in entities with decentralized EHR systems.

  8. I agree with Andrea that the focus should be on audits to determine inappropriate access to medical records. There was, or maybe still is, a perception by the public that electronic health records will make it easier for breaches to occur. We can counter this by educating people on how secure electronic records are. It is often easier to track inappropriate access in an electronic system than it is with a paper chart, thereby making it more secure, if proper safeguards and audits are in place. The role of Privacy Officer, and system administrator, is more important now than ever, and we should advocate for that rather than for additional requirements to track use/disclosure for TPO. The number of people who request AOD does not justify the additional work or expense.

    I hope that all comments posted here will be forwarded to OCR for their consideration during the comment period.

  9. The disclosure of medical records to providers, payors, and attorneys poses little problem. However, under the HITECH rules, we are concerned about how deep the disclosure is supposed to go. A physician employed by the health system uses our reference lab. The specimen sent to our reference lab is sent to an outside laboratory for specialized testing. The 2nd lab has subcontracted with a smaller lab that only does the specific specialized testing. Are we to track and disclose all movement of a specimen which does include patient identifiers and diagnoses? This is but one example of our concern.

  10. Given the depth and breadth of proposed responsibilities, this regulation gives the definite impression that any small practice that purchases an EHR will also need to hire a full time privacy and security staff, the cost of which will certainly exceed financial incentives for EHR purchase. This set of regulatory requirements therefore appears to provide a powerful disincentive to EHR adoption.

  11. AOD already goes way beyond what we are tracking in ROI. It is a massive effort to record every disclosure throughout the facility and no one is asking for the information. It has always been my belief that most people understand if they show up with the plague (or a gunshot wound) somebody is going to call somebody. No one really cares about that. All they really want to know is if someone is accessing their information inappropriately. AOD under the current version or the newer version is never going to cover that.

  12. I work in an LTAC facility. We are managing our disclosures and our release of information electronically. I see no purpose or justification in adding an accounting of “uses”. Why add more financial burden to our health care system?
    Since 2004, I have had no requests for an accounting of disclosures.

  13. 1. Benefit for the individual would be simply ‘knowledge’ but no benefits seen for including TPO in accounting of disclosures.
    2. Yes
    3. Info in privacy notice, consents, and Client rights info
    4. N/A We have received no requests for acct. of disclosures
    5. I do not believe TPO disclosures should be a part of the acct. of disclosure
    6. no comment
    7. No. Tracking every individual communication/disclosure for TPO seems mostly impossible. Small, mid size and even large agencies will have extreme difficulty in tracking every disclosure for TPO
    8. feasible for centralized systems only.
    9. Again, I strongly believe that accounting for disclosures specifically for TPO is overkill, and probably very difficult, if not impossible to perform.

  14. I work for a LTC facility. I am not clear on what type of request I should be logging if in case I ever have to do an AOA. Is it request only from attorneys office?

  15. The facility I work for has only had one request for AOD through the OCR so far which has lasted over a period of 6 months with revisiting for more information by the OCR, clarifications and copies of patient medical records several times. It has taken extensive time for our facility attorney, the Privacy and Security Officer and the HIM Manager. OCR has quoted regulations which do not even apply yet. The request has been quiet for an entire month but we are expecting another round the end of March since the continued query seems to present at the end of every quarter with a deadline turnaround in a day or two for more information. We have discovered means to trim and improve our processes and our policy and procedure re: AOD, however it is somewhat frustrating to discover that the OCR is not necessarily knowledgeable on the regulations and there seems to be no way of reaching out in reason. There is also nothing available as far as an appeal. Certainly hope that this does not continue for years! If this happens with only one OCR request I cannot fathom what would happen with numerous queries!

  16. Can I get an electronic copy of who has inappropriately accessed my medical records?

  17. You have a right to receive an accounting of the disclosures of your protected health information (the current law excludes disclosures for routine purposes of treatment, payment, or the facility’s operations). The accounting could reveal a wrongful disclosure of your information, but you would have to review all the disclosures to find out. As defined by the current law, the accounting is not intended to be a list of only wrongful disclosures.

    HIM professionals please chime in here, but I believe under the current law the covered entity is not required to provide the accounting as an electronic copy. So it would depend on the provider’s ability to produce one.

