Disclosure Tracking Policy

Protected Health Information Phi Is Shown On The Conceptual Business Photo

This policy applies to all DOEA employees, volunteers, agents and Business Associates that perform duties in conjunction with the access, distribution, dissemination, modification, and management of Protected Health Information (PHI).

It is DOEA’s policy to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by establishing a means for tracking and accounting for disclosures of PHI for purposes other than treatment, payment and health care operations. Authorizations from a client or representative to DOEA are included in the information that is to be tracked and accounted for. A disclosure of PHI, which does not require an authorization, may, in some cases, have a tracking and accounting requirement.

Violation of this or any other DOEA Privacy Policy is to be communicated to the Privacy Officer, Office of the General Counsel.


DOEA is required to keep a history of when and to whom disclosures of PHI are made for purposes other than treatment, payment and health care operations. DOEA must be able to give an accounting of those disclosures to a client, if requested. Authorizations from a client to DOEA are included in the information that is to be tracked and accounted for. A disclosure of PHI, which does not require an authorization, may, in some cases, have a tracking and accounting requirement.


Clients can request an accounting of disclosures for a period of up to six (6) years prior to the date of the request, but not earlier than April 14, 2003. Disclosures made prior to the compliance date of the Privacy Rule are excluded from this requirement.

DOEA must provide the accounting of disclosures within 30 days of the request. If DOEA cannot provide an accounting of disclosures within the 30-day period, it must provide information to the requestor as to the reason for the delay and the expected completion date. Only one 30-day extension is allowed per request.

Disclosures for purposes of treatment, payment or health care operations are excluded from the tracking and accounting requirements. Other excluded disclosures are those made:

  1. Prior to the effective date of the rule.
  2. To law enforcement or correctional institutions in accordance with 45 CFR §164.512(k)(5).
  3. For facility directories.
  4. To the individual.
  5. For national security or intelligence purposes.
  6. To persons involved in the client’s care.
  7. For notification purposes in accordance with 45 CFR §164.510.

DOEA may temporarily suspend the right to an accounting of disclosures for health oversight agencies or law enforcement officials, contingent upon submission to DOEA of a statement that indicates an accounting of disclosures will impede an investigation of the client in question. The statement should include a time frame for the exclusion period. The statement may be oral, but the exclusion period is then limited to 30 days unless appropriate written documentation is received within that time. Although the accounting of disclosure is not being released during this time, DOEA should continue tracking and storing the information for future release.

A client is allowed to request free of charge one accounting in a 12 month period. A reasonable fee can be charged for more frequent accounting requests.

DOEA is required to document and retain the accounting of disclosures process. This documentation should contain the following information:

  1. Date of disclosure.
  2. Name of covered entity or individual who received the information and their address, if known.
  3. Description of the information disclosed.
  4. Purpose of the disclosure (or a copy of the client’s authorization or a copy of a written request for a disclosure for which authorization is not required.)
  5. The written accounting provided to an individual requestor.
  6. Titles of persons or offices responsible for receiving and processing requests for accountings of disclosures.

DOEA must retain all documentation for six (6) years.


A tracking form has been established on WEB DB, on DOEA intranet for the purpose of reporting and recording disclosures statewide. This form will be accessible by authorized users for the purpose of tracking disclosures of clients PHI that are reportable under HIPAA (see definition above of reportable disclosures).

Each Area Agency on Aging, (AAA’s) and their Business Associates, and Covered Entities that contract with them, will be authorized to designate one account (a single user) that will be responsible for reporting disclosures. Agencies will submit the disclosure account request to the AAA where a complete list of requested accounts will be identified and approved. The user list will be forwarded to DOEA Help Desk for the establishment of an account and password.

Each user must be reviewed semi annually by DOEA or AAA to assure continued access is necessary and the user identification is valid.

Disclosures must be retained for a period of six (6) years.

The actual form is located on DOEA intranet site at the WEB DB applications page.

Requests for disclosure will be given to the DOEA contact or in absence of a contact, the HIPAA Security Officer. Disclosure requests for agencies and AAA’s shall be sent to the HIPAA Security Officer from the designated disclosure account user.

Disclosure reports will be generated by the authorized user and returned to the authorized requestor in the case of AAA’s and agencies. The DOEA contact, in the case of CARES, and the Program Administrator, in the case of CDC shall be the designated authority for DOEA.

It is the responsibility of the authorized user to ensure the report is given to the requestor in a timeframe consistent with this policy.

A copy of the report shall be placed in the client file.

Violations must be reported to DOEA Privacy Officer, Office of the General Counsel.


45 CFR §164.528