Standards for the Disclosure of Protected Health Information

PHI may only be disclosed without written authorization in circumstances explicitly permitted by HIPAA (e.g., public health, law enforcement, legal requirements). Any disclosure not explicitly permitted requires a valid, written patient authorization, which must: 

1. Be signed and dated by the individual or their legal representative
2. Identify the recipient and purpose of disclosure
3. Specify expiration date or event
4. Include a statement of revocation rights

All disclosures of PHI must be logged in the Accounting of Disclosures (AoD) system within one business day of the disclosure.

1. Date of disclosure
2. Name and address of the recipient
3. Description of the PHI disclosed
4. Purpose of the disclosure
5. Name of the disclosing workforce member 

1. All disclosures must be limited to the minimum amount of PHI necessary to achieve the intended purpose.
2. Supervisors must review and approve disclosure practices to ensure compliance.
3. Workforce members must only access or disclose the minimum relevant PHI necessary for their job functions.

1. All workforce members must complete HIPAA privacy training, that includes disclosure protocols and logging procedures, annually, when substantive regulatory changes occur, and when the workforce member’s responsibilities change.
2. New employees must complete training within 30 days of hire before being granted access to PHI.

1. All AoD logs must be securely maintained for a minimum of six (6) years from the date of disclosure.
2. Logs may be maintained in electronic format, provided they are backed up regularly and access-controlled.

1. Patients are entitled to one free Accounting of Disclosures per 12-month period.
2. Requests must be fulfilled within 60 days of receipt, with one optional 30-day extension (with written notice).