Disclosure of Individual Health Information – HIPAA Requirements

posted on Tue, Oct 25 2016 10:03 am by The Network for Public Health Law

Under the Health Insurance Portability and Accountability Act (HIPAA), a health provider or other covered entity may be required or allowed to disclose protected health information to third parties without the authorization or agreement of the patient. HIPAA (45 C.F.R. § 164.512) lists the various circumstances under which a covered entity may be required to disclose health information to other agencies, such as to law enforcement in the case of a victim of abuse, neglect, or domestic violence; or to a public health agency in the case of certain communicable diseases.
 
Under HIPAA (45 C.F.R. § 164.528), an individual has the right to receive an accounting of disclosures of their protected health information made by a covered entity in the six years prior to the date on which the accounting is requested.
 
A county public health officer recently contacted the Network to ask whether each of the disclosures listed in 45 C.F.R. § 164.512 must be logged in order to provide the patient with that information should they request it.
 
HIPAA states that all disclosures under 45 C.F.R. § 164.512 must be logged for an accounting of disclosures of protected health information, with the exception of disclosures for national security or intelligence purposes (45 C.F.R. § 164.512(k)(2)) and disclosures to correctional facilities or law enforcement officers (45 C.F.R. § 164.512(k)(5)).