Policy No: 3.11.

304
Page Number: 1 of 13

Effective Date: 04/2003

Board Motion No N/A

POLICY AND REGULATIONS MANUAL Last Review Date: 09/08/2020

Due For Review: 09/08/2023
TITLE: ACCOUNTING OF DISCLOSURES OF PROTECTED HEALTH
INFORMATION

PURPOSE: To provide guidance on documenting required disclosures of protected health

information and responding to requests for an accounting of disclosures from
patients or from patients’ personal representatives.
POLICY STATEMENT:

Harris Health System (Harris Health) and business associates of Harris Health will document,
track, and retain all records pertaining to required disclosures of protected health information.
Patients may request an accounting of disclosures of their PHI from the privacy officer or
designee, who will respond in accordance with the federal and state privacy laws and Harris
Health’s privacy policies and procedures.

POLICY ELABORATIONS:

I. DEFINITIONS:

A. BUSINESS ASSOCIATE: A person or entity that provides certain functions,

activities, or services for, to, or on behalf of a covered entity involving the use
and/or disclosure of protected health information as further defined in the
Health Insurance Portability and Accountability Act (HIPAA) regulations.

B. DESIGNATED RECORD SET (DRS): A group of records maintained by

or for Harris Health that is:

1. The medical and billing records about patients;

2. The enrollment, payment, claims adjudication, and case or medical
management record systems maintained by or for a health plan; or
3. Records used, in whole or part, by or for the Harris Health to make
decisions about patients.

For purposes of this definition, the term “record” means any item,
collection, or grouping of information that includes protected health
information and is maintained, collected, used, or disseminated by or for
Harris Health; the term “record” includes:

Printed versions of this document are uncontrolled. Please go to the Harris Health Document Control Center to retrieve an official controlled version of the
document. https://apps.hchd.local/sites/dcc.
 Policy No: 3.11.304
Page Number: 2 of 13

Effective Date: 04/2003

Board Motion No N/A

POLICY AND REGULATIONS MANUAL Last Review Date: 09/08/2020

Due For Review: 09/08/2023
a. Patient information originated by another healthcare provider and
used by Harris Health to make decisions about the patient; and
b. Tracings, photographs, videotapes, digital, or other images that may
be recorded to document the care of the patient.

C. DISCLOSURE: The release, transfer, provision of, access to, or divulging in any
manner protected health information outside of Harris Health.

D. HEALTH CARE OPERATIONS: Any of the following activities of the Covered

Entity to the extent the activities are related to covered functions:

1. Conducting quality assessment and improvement activities, including

outcomes evaluation and development of clinical guidelines, provided
that the obtaining of generalizable knowledge is not the primary purpose
of any studies resulting from such activities; patient safety activities (as
defined in 42 C.F.R. §3.20); population-based activities relating to
improving health or reducing health care costs, protocol development,
case management and care coordination, contacting of health care
providers and patients with information about treatment alternatives; and
related functions that do not include treatment;
2. Reviewing the competence or qualifications of health care professionals,
evaluating practitioner and provider performance, health plan
performance, conducting training programs in which students, trainees,
or practitioners in areas of health care learn under supervision to practice
or improve their skills as health care providers, training of non-health
care professionals, accreditation, certification, licensing, or credentialing
activities;
3. Except as prohibited under 45 C.F.R. §164.502(a)(5)(i), underwriting,
enrollment, premium rating, and other activities related to the creation,
renewal, or replacement of a contract of health insurance or health
benefits, and ceding, securing, or placing a contract for reinsurance of
risk relating to claims for health care (including stop-loss insurance and
excess of loss insurance), provided that the requirements of 45 C.F.R.
§164.514(g) are met, if applicable;
4. Conducting or arranging for medical review, legal services, and auditing
functions, including fraud and abuse detection and compliance programs;

Printed versions of this document are uncontrolled. Please go to the Harris Health Document Control Center to retrieve an official controlled version of the
document. https://apps.hchd.local/sites/dcc.
 Policy No: 3.11.304
Page Number: 3 of 13

Effective Date: 04/2003

Board Motion No N/A

POLICY AND REGULATIONS MANUAL Last Review Date: 09/08/2020

Due For Review: 09/08/2023
5. Business planning and development, such as conducting cost-
management and planning-related analyses related to managing and
operating the entity, including formulary development and
administration, development or improvement of methods of payment or
coverage policies; and
6. Business management and general administrative activities of the entity ,
including, but not limited to:

a. Management activities relating to implementation of and

compliance with the requirements of this subchapter;
b. Customer service, including the provision of data analyses for
policy holders, plan sponsors, or other customers, provided that
PHI is not disclosed to such policy holder, plan sponsor, or
customer;
c. The sale, transfer, merger, or consolidation of all or part of the
covered entity with another covered entity, or an entity that
following such activity will become a covered entity and due
diligence related to such activity; and
d. Consistent with the applicable requirements of 45 C.F.R. §164.514,
creating de-identified health information or a limited data set, and
fundraising for the benefit of a Covered Entity.

E. INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION (IIHI): Information

that is a subset of health information, including demographic information,
collected from an individual, and:

1. Is created or received by a health care provider, health plan, employer, or

health care clearinghouse; and
2. Relates to the past, present, or future physical or mental health or condition
of an individual; the provision of health care to an individual; or the past,
present, or future payment for the provision of health care to an individual;
and:

a. That identifies the individual; or

b. With respect to which there is a reasonable basis to believe the
information can be used to identify the individual.

Printed versions of this document are uncontrolled. Please go to the Harris Health Document Control Center to retrieve an official controlled version of the
document. https://apps.hchd.local/sites/dcc.
 Policy No: 3.11.304
Page Number: 4 of 13

Effective Date: 04/2003

Board Motion No N/A

POLICY AND REGULATIONS MANUAL Last Review Date: 09/08/2020

Due For Review: 09/08/2023
F. LEGALLY AUTHORIZED REPRESENTATIVE (LAR): An individual with legal
standing to represent the interests of another (e.g., parent of a minor patient) or
with the authority to act on behalf of another (as by legal power of attorney when
applicable, medical power of attorney when the patient is incapacitated, court
order, advance directive, or the executor of a will).1

G. PAYMENT:

1. The activities undertaken by:

a. Except as prohibited under §164.502(a)(5)(i), a health plan to

obtain premiums or to determine or fulfill its responsibility for
coverage and provision of benefits under the health plan; or
b. A health care provider or health plan to obtain or provide
reimbursement for the provision of health care; and

2. The activities in paragraph (1) of this definition relate to the individual

to whom health care is provided and include, but are not limited to:

a. Determinations of eligibility or coverage (including coordination of

benefits or the determination of cost sharing amounts), and
adjudication or subrogation of health benefit claims;
b. Risk adjusting amounts due based on enrollee health status and
demographic characteristics;
c. Billing, claims management, collection activities, obtaining payment
under a contract for reinsurance (including stop-loss insurance and
excess of loss insurance), and related health care data processing;
d. Review of health care services with respect to medical necessity,
coverage under a health plan, appropriateness of care, or justification
of charges;
e. Utilization review activities, including precertification and
preauthorization of services, concurrent and retrospective review of
services; and

1 Texas Health & Safety Code § 241.151.

Printed versions of this document are uncontrolled. Please go to the Harris Health Document Control Center to retrieve an official controlled version of the
document. https://apps.hchd.local/sites/dcc.
 Policy No: 3.11.304
Page Number: 5 of 13

Effective Date: 04/2003

Board Motion No N/A

POLICY AND REGULATIONS MANUAL Last Review Date: 09/08/2020

Due For Review: 09/08/2023
f. Disclosure to consumer reporting agencies of any of the following
protected health information relating to collection of premiums or
reimbursement:

i. Name and address;

ii. Date of birth;
iii. Social Security number;
iv. Payment history;
v. Account number; and
vi. Name and address of the health care provider and/or health
plan.

H. PERSONAL REPRESENTATIVE: A person authorized by law to act on behalf

of a patient. For purposes of this policy only, the term Personal Representative
also includes a patient’s Legally Authorized Representative, defined above.

I. PROTECTED HEALTH INFORMATION (PHI): Individually Identifiable

Health Information that is created, received, transmitted, or maintained by Harris
Health in any form or medium, that relates to the patient’s healthcare condition,
provision of healthcare, or payment for the provision of healthcare, as further
defined in the HIPAA regulations. PHI includes, but is not limited to, the
following identifiers:

1. Name;
2. All geographic subdivisions smaller than a State, including street address,
city, county, precinct, zip code, and their equivalent geocodes, except for
the initial three digits of a zip code if, according to current publicly
available data from the Bureau of the Census:

a. The geographic unit formed by combining all zip codes with the
same three initial digits contains more than 20,000 people; and
b. The initial three digits of a zip code for all such geographic units
containing 20,000 or fewer people is changed to 000.

Printed versions of this document are uncontrolled. Please go to the Harris Health Document Control Center to retrieve an official controlled version of the
document. https://apps.hchd.local/sites/dcc.
 Policy No: 3.11.304
Page Number: 6 of 13

Effective Date: 04/2003

Board Motion No N/A

POLICY AND REGULATIONS MANUAL Last Review Date: 09/08/2020

Due For Review: 09/08/2023
3. All elements of dates (except year) for dates directly related to an
individual, including birth date, admission date, discharge date, date of
death; and all ages over eighty-nine (89) and all elements of dates
(including year) indicative of such age, except that such ages and elements
may be aggregated into a single category of age ninety (90) or older;
4. Telephone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code, except
permitted for re-identification purposes.

J. PRIVACY OFFICER: An individual designated by Harris Health who is

responsible for the development and implementation of privacy related
functions of Harris Health as further defined in Harris Health Policy and
Procedure 3.11.101 Privacy Officer Roles and Responsibilities.

K. TREATMENT: The provision, coordination, or management of health care and

related services by one (1) or more health care providers, including the
coordination or management of health care by a health care provider with a
third party; consultation between health care providers relating to a patient; or
the referral of a patient for health care from one (1) health care provider to
another.

Printed versions of this document are uncontrolled. Please go to the Harris Health Document Control Center to retrieve an official controlled version of the
document. https://apps.hchd.local/sites/dcc.
 Policy No: 3.11.304
Page Number: 7 of 13

Effective Date: 04/2003

Board Motion No N/A

POLICY AND REGULATIONS MANUAL Last Review Date: 09/08/2020

Due For Review: 09/08/2023
L. WORKFORCE: Harris Health System Board of Trustees, employees, Medical Staff,
trainees, contractors, volunteers, and vendors. Employees (permanent or
temporary) include volunteers, trainees and other persons whose conduct, in the
performance of work for Harris Health, is under the direct control of Harris
Health, whether or not they are paid by Harris Health.2

II. IN GENERAL:

A. The patient’s or the patient’s Personal Representative’s request for an

Accounting of disclosures of PHI must be in writing and must specify the
period of time the accounting request covers, but in no case, covering more
than six (6) years from the date of the request.3

B. If the request for an accounting of disclosures of PHI is made by the patient’s

Personal Representative and a licensed health care professional, using his or her
professional judgment, determines that providing the Personal Representative
an account of disclosures is reasonably likely to cause harm to the patient or to
another person, Harris Health may decline the Personal Representative’s request
for the accounting of disclosures.
C. An accounting of Disclosures must include the following information:

1. All methods of release: hard copy, verbal, and electronic;

2. Disclosures of PHI by Harris Health to Business Associates, except for
the exempt purposes listed below;
3. The date of each Disclosure;
4. The name of the entity or person who received the PHI, and, if known,
the address of the entity or person;
5. A brief description of the PHI disclosed; and
6. A brief statement of the purpose of the Disclosure that reasonably informs
the patient or the patient’s Personal Representative of the basis for the
Disclosure; or in place of such statement:

2Medical Staff members are not part of Harris Health’s workforce as the term “Workforce” is defined under HIPAA, and Harris
Health does not directly control members of the Medical Staff. However, Harris Health expects all members of the Medical Staff to
follow and abide by Harris Health’s policies and procedures.
3 45 C.F.R. § 164.528(a)(1).
Printed versions of this document are uncontrolled. Please go to the Harris Health Document Control Center to retrieve an official controlled version of the
document. https://apps.hchd.local/sites/dcc.
 Policy No: 3.11.304
Page Number: 8 of 13

Effective Date: 04/2003

Board Motion No N/A

POLICY AND REGULATIONS MANUAL Last Review Date: 09/08/2020

Due For Review: 09/08/2023
a. A copy of the patient’s or Personal Representative’s Authorization;
or
b. A copy of a written request for Disclosure when required by the
Secretary of United States Department of Health and Human
Services (DHHS) to investigate or determine Harris Health’s
compliance with the HIPAA regulations, or a written request as
outlined in Harris Health Policy and Procedure 3.11.306 Permitted
Use and Disclosure of Protected Health Information without a
Patient’s Authorization.

Note: If during the time period covered by the request for an

accounting of disclosures, Harris Health made multiple Disclosures
of PHI to the same person or entity for a single purpose, or pursuant
to a single authorization, the response to the accounting for
disclosures may, with respect to the multiple Disclosures, provide:

c. The information listed in Section II.C.3-6 above;

d. The frequency or number of the Disclosures made during the
accounting period; and
e. The date of the last Disclosure in the accounting period.4

D. Harris Health does not need to include the following information in the
accounting of disclosures:

1. Disclosures to carry out Treatment, Payment, or Health Care Operations;

2. Disclosures to the patient;
3. Disclosures that are incidental Disclosures to another permissible or
required Use or Disclosure of PHI, as long as reasonable safeguards and
minimum necessary standards have been observed for the underlying
communication;
4. Disclosures pursuant to a valid Authorization;
5. Disclosures made for or pursuant to Harris Health’s facility directory. (See
Harris Health Policy and Procedure 3.11.201 Use and Disclosure of
Protected Health Information for Facility Directories);
6. Disclosures to persons involved in the patient’s care;

4 45 C.F.R. § 164.528(b).
Printed versions of this document are uncontrolled. Please go to the Harris Health Document Control Center to retrieve an official controlled version of the
document. https://apps.hchd.local/sites/dcc.
 Policy No: 3.11.304
Page Number: 9 of 13

Effective Date: 04/2003

Board Motion No N/A

POLICY AND REGULATIONS MANUAL Last Review Date: 09/08/2020

Due For Review: 09/08/2023
7. Disclosures for notification purposes, such as identifying or locating a
family member or Personal Representative to inform that person of the
patient’s location, general condition, or death. (See Harris Health Policy and
Procedure 3.11.203 Use and Disclosure of Protected Health Information
to Persons Involved in Patient’s Care and for Notification and Disaster
Relief);
8. Disclosures for national security or intelligence;
9. Disclosures to correctional facilities or law enforcement facilities; and
10. Disclosures that are part of a limited data set. (See Harris Health Policy
and Procedure 3.11.308 Use and Disclosure of a Limited Data Set).5

III. RESEARCH:

A. If Harris Health has made disclosures of PHI for a particular research purpose
without the patient’s authorization for fifty (50) or more individuals during the
period covered by the request for an accounting of disclosures, Harris Health’s
response may, with respect to such disclosures for which the patient’s PHI may
have been included, provide the following:

1. The name of the protocol or other research activity;

2. A description, in plain language, of the research protocol or other research
activity, including the purpose of the research and the criteria used for
selecting particular records;
3. A brief description of the type of the PHI that was disclosed;
4. The date or period of time during which such disclosures occurred, or may
have occurred, including the date of the last disclosure during the
accounting period;
5. The name, address, and telephone number of the entity that sponsored the
research and of the researcher to whom the PHI was disclosed; and
6. A statement that the PHI of the patient may or may not have been disclosed
for a particular protocol or other research activity.6

B. If Harris Health provides an accounting to a patient of research disclosures, and

5 45 C.F.R. § 164.528(a)(1).
6 45 C.F.R. § 164.528(b)(4)(i).
Printed versions of this document are uncontrolled. Please go to the Harris Health Document Control Center to retrieve an official controlled version of the
document. https://apps.hchd.local/sites/dcc.
 Policy No: 3.11.304
Page Number: 10 of 13

Effective Date: 04/2003

Board Motion No N/A

POLICY AND REGULATIONS MANUAL Last Review Date: 09/08/2020

Due For Review: 09/08/2023
if it reasonably likely that the PHI of the patient was disclosed for such research
protocol or activity, Harris Health shall, at the request of the patient, assist the
patient in contacting the entity that sponsored the research and the researcher.7

IV. TIMEFRAME FOR PROVIDING A RESPONSE TO A REQUEST FOR AN

ACCOUNTING OF DISCLOSURES AND ALLOWABLE FEES:

A. Harris Health will provide the patient or the patient’s Personal Representative an
accounting of disclosures within sixty (60) calendar days of the date of the request
for an accounting of disclosures.8

B. If Harris Health is unable to provide an accounting of disclosures within sixty (60)

calendar days of the date of the request, the Privacy Officer may extend the time
that Harris Health has to provide the accounting of disclosures by no more than
thirty (30) calendar days, provided that:

1. Harris Health gives the patient or the patient’s Personal Representative,

within the initial sixty (60) days, a written statement explaining the reasons
for the delay and the date the accounting will be provided; and
2. Harris Health may have only one extension of time.9

C. A patient’s first accounting of disclosures during any twelve (12) month period
will be free of charge.10

D. Harris Health may charge a reasonable, cost-based fee for each additional request
a patient or the patient’s Personal Representative makes for an accounting of
disclosures within a single twelve (12) month period, provided that Harris Health
informs the patient or the Personal Representative in advance of the fee of the fee
and provides the patient or the patient’s Personal Representative an opportunity
to withdraw or modify the request for a subsequent accounting to avoid or reduce
the fee.11

7 45 C.F.R. § 164.528(b)(4)(ii).
8 45 C.F.R. § 164.528(c).
9 45 C.F.R. § 164.528(c)(1)(ii).
10 45 C.F.R. § 164.528(c)(2).
11 45 C.F.R. § 164.528(c)(2).
Printed versions of this document are uncontrolled. Please go to the Harris Health Document Control Center to retrieve an official controlled version of the
document. https://apps.hchd.local/sites/dcc.
 Policy No: 3.11.304
Page Number: 11 of 13

Effective Date: 04/2003

Board Motion No N/A

POLICY AND REGULATIONS MANUAL Last Review Date: 09/08/2020

Due For Review: 09/08/2023
V. RETENTION AND TRACKING OF ACCOUNTING OF DISCLOSURES:

A. Copies of a patient’s or a patient’s Personal Representative request for an

accounting of disclosures, and the accounting of disclosures provided to the
patient or the patient’s Personal Representative will be maintained for six (6) years.

B. The Privacy Officer or designee will keep a log of the accountings provided to
patients’ or to patients’ Personal Representatives for the purposes of auditing or
monitoring the right of the patient or the patient’s Personal Representative to
obtain an accounting of disclosures.

VI. PROCEDURE:

See Appendix A for receiving and responding to requests for accountings of disclosures
procedures.

REFERENCES/BIBLIOGRAPHY:

45 CFR §§ 164.528, 164.524

OFFICE OF PRIMARY RESPONSIBILITY:

Harris Health System Office of Corporate Compliance

REVIEW/REVISION HISTORY:

Review/ Revision Date

Version #
Effective Date (Indicate Reviewed or Approved by:
(If Applicable)
Revised)
04/14/2003 1.0 Approved 04/14/2003
2.0 Approved 02/08/2011 Operations Policy Committee
3.0 Approved 07/11/2017 Structure and Organizational
Standards Committee
4.0 Approved 09/08/2020 Structure and Organizational
Standards Committee

Printed versions of this document are uncontrolled. Please go to the Harris Health Document Control Center to retrieve an official controlled version of the
document. https://apps.hchd.local/sites/dcc.
 Policy No: 3.11.304
Page Number: 12 of 13

Effective Date: 04/2003

Board Motion No N/A

POLICY AND REGULATIONS MANUAL Last Review Date: 09/08/2020

Due For Review: 09/08/2023
APPENDIX A
PROCEDURE FOR RECEIVING AND RESPONDING TO REQUESTS FOR
ACCOUNTING OF DISCLOSURES:

A. The Privacy Officer or his or her designee will:

1. Receive and log all requests for accountings of disclosures received by Harris
Health.
2. Verify that no health oversight agency or law enforcement official has submitted
a written or oral statement preventing Harris Health from providing the
accounting to the requestor.

a. A written statement from one of these agencies should include the reasons
why the Disclosure would impede the activities of the agency and indicate
the time frame that the suspension is required.
b. If Harris Health receives an oral statement from one of these agencies, the
Privacy Officer or his or her designee must:

i. Document the statement, including the identity of the agency or

official making the statement;
ii. Temporarily suspend the individual’s right to an accounting of
disclosures subject to the statement; and
iii. Limit the temporary suspension to no longer than thirty (30) days
from the date of the oral statement, unless a written statement is
submitted during the thirty (30) day suspension by the agency or
official.12

3. The Privacy Officer or his or her designee will identify if any other reason exists
to deny the patient’s or the Patient’s Personal Representative’s request for an
accounting of disclosures;
4. If no temporary suspension of the patient’s right to an accounting of disclosures
is in place, the Privacy Officer or his or her designee will route the request for an
accounting of disclosures to Harris Health’s HIM department;

12 45 C.F.R. § 164.528(a)(2).
Printed versions of this document are uncontrolled. Please go to the Harris Health Document Control Center to retrieve an official controlled version of the
document. https://apps.hchd.local/sites/dcc.
 Policy No: 3.11.304
Page Number: 13 of 13

Effective Date: 04/2003

Board Motion No N/A

POLICY AND REGULATIONS MANUAL Last Review Date: 09/08/2020

Due For Review: 09/08/2023
5. If Harris Health’s HIM department determines that Harris Health disclosed the
patient’s PHI to a Business Associate, the Privacy Officer or his or her designee
will route the request to the Business Associate to determine whether the Business
Associate Disclosed the patient’s PHI to another third party and the Privacy
Officer or his or her designee must include any Disclosures made by the Business
Associate in the accounting.13

B. The HIM department will:

Compile an accounting of Disclosures of the records and submit the documentation to

the Privacy Officer or designee.

C. Director of Research and Sponsored Programs:

The Director of Research and Sponsored Programs, or his or her designee, is responsible
for providing an accounting of Disclosures for those Disclosures associated with
research activities described above in section III of this policy.

13 45 C.F.R. § 164.528(b)(1) (providing that the covered entity must account for Disclosures to or by Business Associates).
Printed versions of this document are uncontrolled. Please go to the Harris Health Document Control Center to retrieve an official controlled version of the
document. https://apps.hchd.local/sites/dcc.