The HIPAA Privacy Rule does not require business associates to provide individuals with an accounting of disclosures. This responsibility falls solely on the covered entity (e.g., healthcare providers, health plans, and healthcare clearinghouses), which is directly responsible for maintaining and providing such an accounting if an individual requests it.
An accounting of disclosures is a record of the times and reasons a patient’s PHI has been shared outside of routine healthcare operations, treatment, or payment purposes. Patients have the right to request an accounting of these disclosures from the covered entity to understand how their health information has been used or shared outside the standard scope of care. Such disclosures can include when PHI was shared for public health reporting, legal proceedings, or law enforcement requests.
Covered entities are responsible for providing patients with this accounting upon request. However, this responsibility does not extend in the same way to business associates.
“Covered entities are responsible for fulfilling Privacy Rule requirements with respect to individual rights, including the rights of access, amendment, and accounting,” says the HHS. Therefore, business associates are not required to directly provide patients with an accounting of disclosures. The obligation to maintain and provide an accounting of disclosures resides solely with the covered entity. However, business associates do play a role in helping covered entities meet this requirement.
While business associates are not responsible for directly providing an accounting of disclosures to patients, they must cooperate with the covered entity to ensure proper record-keeping. When the covered entity needs to respond to a patient’s request for an accounting of disclosures, the business associate must provide them with the necessary information on those disclosures.
To remain HIPAA compliant and support covered entities with an accounting of disclosures, business associates should implement systems and policies to accurately record relevant disclosures. Here are a few best practices for business associates:
No, patients cannot request an accounting of disclosures directly from a business associate. All requests must be directed to the covered entity, which can then gather the necessary information from its business associates if needed.
Tracking disclosures demonstrates a business associate’s commitment to data privacy and patient trust. It minimizes the risk of regulatory violations and helps avoid the operational delays that could occur if disclosures were not properly recorded.
Business associates can maintain a tracking system or log to document these disclosures. The system should capture details such as the date, purpose, recipient, and nature of the PHI disclosed to ensure easy access to information when the covered entity requests it.
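The tracking log described above, written out as an added example that is not part of this article and is not any vendor's product: it stores the date, purpose, recipient and nature of each disclosure, refuses incomplete entries, and answers a covered entity's request for one patient by returning only the non-routine disclosures (treatment, payment and operations are filtered out) inside a lookback window. The six-year default window is the Privacy Rule's accounting period; the purpose labels, field names and sample disclosures are constructed for the demonstration.

```python
from __future__ import annotations

from dataclasses import dataclass, asdict
from datetime import date

# Routine purposes that the Privacy Rule excludes from an accounting of
# disclosures: treatment, payment and health care operations.
EXEMPT_PURPOSES = frozenset({"treatment", "payment", "operations"})

# The Privacy Rule's accounting covers the six years before the request;
# the default below encodes that window and can be tightened by policy.
DEFAULT_LOOKBACK_YEARS = 6


@dataclass(frozen=True)
class Disclosure:
    """One disclosure of PHI by the business associate (fields named in the article)."""
    patient_id: str
    disclosed_on: date
    recipient: str     # who received the PHI
    purpose: str       # assumed labels: "public_health", "legal", "law_enforcement", "payment", ...
    description: str   # nature of the PHI disclosed


class DisclosureLog:
    """Append-only log of disclosures, queryable per patient for an accounting."""

    def __init__(self) -> None:
        self._entries: list[Disclosure] = []

    def record(self, entry: Disclosure) -> None:
        # Refuse incomplete entries: a blank field now is an unanswerable
        # question when the covered entity asks for the accounting later.
        for name in ("patient_id", "recipient", "purpose", "description"):
            if not getattr(entry, name).strip():
                raise ValueError(f"disclosure missing required field: {name}")
        self._entries.append(entry)

    def accounting_for(self, patient_id: str, as_of: date,
                       lookback_years: int = DEFAULT_LOOKBACK_YEARS) -> list[Disclosure]:
        """Disclosures for one patient that belong in an accounting: non-routine
        purposes only, inside the lookback window that ends at `as_of`."""
        window_start = years_before(as_of, lookback_years)
        hits = [
            d for d in self._entries
            if d.patient_id == patient_id
            and d.purpose not in EXEMPT_PURPOSES
            and window_start <= d.disclosed_on <= as_of
        ]
        return sorted(hits, key=lambda d: d.disclosed_on)

    def export_for_covered_entity(self, patient_id: str, as_of: date) -> list[dict]:
        """Plain rows (ISO dates) to hand to the covered entity answering the request."""
        rows = []
        for d in self.accounting_for(patient_id, as_of):
            row = asdict(d)
            row["disclosed_on"] = d.disclosed_on.isoformat()
            rows.append(row)
        return rows


def years_before(d: date, years: int) -> date:
    """Same calendar date `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def build_sample_log() -> DisclosureLog:
    """Constructed sample data for the demonstration; not real disclosures."""
    log = DisclosureLog()
    log.record(Disclosure("P-001", date(2024, 3, 5), "State health department",
                          "public_health", "lab result for a reportable condition"))
    log.record(Disclosure("P-001", date(2023, 11, 20), "Claims clearinghouse",
                          "payment", "claim with diagnosis codes"))       # routine: exempt
    log.record(Disclosure("P-001", date(2016, 1, 10), "County court",
                          "legal", "records produced under subpoena"))   # outside 6-year window
    log.record(Disclosure("P-002", date(2024, 5, 1), "Police department",
                          "law_enforcement", "admission date and discharge status"))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for row in log.export_for_covered_entity("P-001", date(2025, 1, 15)):
        print(row)
```

Run as a script, it prints the single row for patient P-001 that a covered entity would need on 2025-01-15 (the public health report); the payment disclosure is routine and the 2016 subpoena falls outside the window. Keeping the log append-only and validating on write is the design point: the business associate cannot reconstruct a disclosure it never recorded, so the check belongs at the moment of disclosure, not at request time.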