Standard for HIPAA Accounting of Disclosures

Purpose

Upon request, Ohio University will provide an individual with an accounting of disclosures of Protected Health Information (PHI).

Scope

This standard will apply to all Ohio University HIPAA Covered Entities.

Standard

  1. Ohio University will provide an individual with a written accounting of the disclosures of PHI that occurred during the six (6) years prior to the date of the request for accounting, including disclosures to or by OU’s business associates.
  2. Ohio University’s accounting will include the following:
    1. Date of disclosure;
    2. The name of the entity or person who received the PHI
    3. A brief description of the PHI disclosed; and
    4. A brief statement of the purpose of the disclosure.
  3. Ohio University will respond to an individual’s request for accounting within sixty (60) days of the request unless Ohio University requests a thirty (30)-day extension. Such requests for extensions will be done in writing.
  4. Ohio University will provide the first accounting requested by any individual in a twelve (12)-month period without charge. Ohio University will charge a reasonable, cost-based fee for any subsequent request(s) within the twelve (12)-month period.
  5. Ohio University will document the following:
    1. The information required to be included in an accounting for disclosures of PHI;
    2. The written accounting that is provided to any individual; and
    3. The titles of the persons or offices responsible for receiving and processing requests for an accounting.
  6. The individual’s right to an accounting of disclosures does not apply to the following types of disclosures:
    1. To carry out treatment, payment, and health care operations;
    2. To individuals of PHI about them;
    3. Incident to a use or disclosure otherwise permitted or required;
    4. Pursuant to an authorization;
    5. To persons involved in the individual’s care or for notification purposes;
    6. For national security or intelligence purposes;
    7. To correctional institutions or law enforcement officials; or
    8. That occurred prior to 6 years from the date of the request

Governance

This standard will be reviewed and approved by the University HIPAA Steering Committee, and other key stakeholders in the interest of ensuring the privacy and security of individual’s health information, as deemed appropriate based on the current regulatory requirement mandates.

Status: Approved

Effective: September 24, 2019