HIPAA Privacy Regulations: Accounting of Disclosures of Protected Health Information: Content of the Accounting - § 164.528(b)

As Contained in the HHS HIPAA Privacy Rules

 

HHS Regulations as Amended August 2002 Accounting of Disclosures of Protected Health Information: Content of the Accounting - § 164.528(b)

 

(b) Implementation specifications: Content of the accounting. The covered entity must provide the individual with a written accounting that meets the following requirements.

(1) Except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity.

(2) Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure:

(i) The date of the disclosure;

(ii) The name of the entity or person who received the protected health information and, if known, the address of such entity or person;

(iii) A brief description of the protected health information disclosed; and

(iv) A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure under §164.502(a)(2)(ii) or §164.512, if any.

(3) If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under §164.502(a)(2)(ii) or §164.512, the accounting may, with respect to such multiple disclosures, provide:

(i) The information required by paragraph (b)(2) of this section for the first disclosure during the accounting period;

(ii) The frequency, periodicity, or number of the disclosures made during the accounting period; and

(iii) The date of the last such disclosure during the accounting period.

(4)(i) If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide:

(A) The name of the protocol or other research activity;

(B) A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records;

(C) A brief description of the type of protected health information that was disclosed;

(D) The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period;

(E) The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and

(F) A statement that the protected health information of the individual may or may not have been disclosed for a particular protocol or other research activity.

(ii) If the covered entity provides an accounting for research disclosures, in accordance with paragraph (b)(4) of this section, and if it is reasonably likely that the protected health information of the individual was disclosed for such research protocol or activity, the covered entity shall, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher.

 

HHS Description of and Commentary on August 2002 Revisions Accounting of Disclosures of Protected Health Information: Content of the Accounting

 

Note: The HHS Description and Commentary is the same as for § 164.528(a).

December 2000 Privacy Rule. Under the Privacy Rule at § 164.528, individuals have the right to receive an accounting of disclosures of protected health information made by the covered entity, with certain exceptions. These exceptions, or instances where a covered entity is not required to account for disclosures, include disclosures made by the covered entity to carry out treatment, payment, or health care operations, as well as disclosures to individuals of protected health information about them. The individual must request an accounting of disclosures.

The accounting is required to include the following: (1) disclosures of protected health information that occurred during the six years prior to the date of the request for an accounting; and (2) for each disclosure: the date of the disclosure; the name of the entity or person who received the protected health information, and, if known, the address of such entity or person; a brief description of the protected health information disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or in lieu of such a statement, a copy of the individual’s written authorization pursuant to § 164.508 or a copy of a written request for a disclosure under '§ 164.502(a)(2)(ii) or 164.512. For multiple disclosures of protected health information to the same person, the Privacy Rule allows covered entities to provide individuals with an accounting that contains only the following information: (1) for the first disclosure, a full accounting, with the elements described above; (2) the frequency, periodicity, or number of disclosures made during the accounting period; and (3) the date of the last such disclosure made during the accounting period.

March 2002 NPRM. In response to concerns about the high costs and administrative burdens associated with the requirement to account to individuals for the covered entity’s disclosure of protected health information, the Department proposed to expand the exceptions to the standard at § 164.528(a)(1) to include disclosures made pursuant to an authorization as provided in § 164.508. Covered entities would no longer be required to account for any disclosures authorized by the individual in accordance with § 164.508. The Department proposed to alleviate burden in this way because, like disclosures of protected health information made directly to the individual B which are already excluded from the accounting provisions in § 164.528(a)(1) B disclosures made pursuant to an authorization are also known by the individual, in as much as the individual was required to sign the forms authorizing the disclosures.

In addition to the exception language at § 164.528(a)(1), the Department proposed two conforming amendments at '§ 164.528(b)(2)(iv) and (b)(3) to delete references in the accounting content requirements to disclosures made pursuant to an authorization.

Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal. Additional comments received on this issue are discussed below in the section entitled, “Response to Other Public Comments.”

The majority of comments on the accounting proposal supported the elimination of the accounting for authorized disclosures. The commenters agreed that, on balance, since the individual had elected to authorize the disclosure in the first instance, and that election was fully informed and voluntary, subsequently accounting for the disclosure made pursuant to that authorization was not necessary.

Many of the commenters went on to suggest other ways in which the accounting requirement could be made less burdensome. For example, several commenters wanted some or all of the disclosures which are permitted at § 164.512 without individual consent or authorization to also be exempt from the accounting requirements. Others proposed alternative means of accounting for disclosures for research, particularly when such disclosures involve large numbers of records. These commenters argued that accounting for each individual record disclosed for a large research project would be burdensome and may deter covered entities from participating in such research. Rather than an individual accounting, the commenters suggested that the covered entity be required only to disclose a listing of all relevant protocols under which an individual’s information may have been released during the accounting period, the timeframes during which disclosures were made under a protocol, and the name of the institution and researcher or investigator responsible for the protocol, together with contact information for the researcher. The National Committee on Vital Health Statistics, while not endorsing a protocol listing directly, recommended the Department consider alternatives to minimize the burden of the accounting requirements on research.

Finally, several commenters objected to the elimination of the accounting requirement for authorized disclosures. Some of these commenters expressed concern that the proposal would eliminate the requirement to account for the authorized disclosure of psychotherapy notes. Others were primarily concerned that the proposal would weaken the accounting rights of individuals. According to these commenters, informing the individual of disclosures was only part of the purpose of an accounting. Even with regard to authorized disclosures, an accounting could be important to verify that disclosures were in accord with the scope and purpose as stated in the authorization and to detect potentially fraudulent, altered, or otherwise improperly accepted authorizations. Since authorizations had to be maintained in any event, accounting for these disclosures represented minimal work for the covered entity.

Final Modifications. Based on the general support in the public comment, the Department adopts the modification to eliminate the accounting requirement for authorized disclosures. The authorization process itself adequately protects individual privacy by assuring that the individual’s permission is given both knowingly and voluntarily. The Department agrees with the majority of commenters that felt accounting for authorized disclosures did not serve to add to the individual’s knowledge about disclosures of protected health information. The Department does recognize the role of accounting requirements in the detection of altered or fraudulent authorizations. However, the Department considers the incidence of these types of abuses, and the likelihood of their detection through a request for an accounting, to be too remote to warrant the burden on all covered entities of including authorized disclosures in an accounting. As noted by some commenters, the covered entity must retain a copy of the authorization to document their disclosure of protected health information and that documentation would be available to help resolve an individual’s complaint to either the covered entity or the Secretary.

Specific concern about the elimination of the accounting requirement for authorized disclosures was expressed by mental health professionals, who believed their patients should always have the right to monitor access to their personal information. The Department appreciates theses commenters’ concern about the need for heightened protections and accountability with regard to psychotherapy notes. It is because of these concerns that the Rule requires, with limited exceptions, individual authorization for even routine uses and disclosures of psychotherapy notes by anyone other than the originator of the notes. The Department clarifies that nothing in modifications adopted in this rulemaking prevents a mental health professional from including authorized disclosures of psychotherapy notes in an accounting requested by their patients. Indeed, any covered entity may account to the individual for disclosures based on the individual’s authorization. The modification adopted by the Department simply no longer requires such an accounting.

In response to comment on this proposal, as well as on the proposals to permit incidental disclosures and disclosures of protected health information, other than direct identifiers, as part of a limited data set, the Department has added two additional exclusions to the accounting requirements. Disclosures that are part of a limited data set and disclosures that are merely incidental to another permissible use or disclosure will not require an accounting. The limited data set does not contain any protected health information that directly identifies the individual and the individual is further protected from identification by the required data use agreement. The Department believes that accounting for these disclosures would be too burdensome. Similarly, the Department believes that it is impracticable to account for incidental disclosures, which by their very nature, may be uncertain or unknown to the covered entity at the time they occur. Incidental disclosures are permitted as long as reasonable safeguards and minimum necessary standards have been observed for the underlying communication. Moreover, incidental disclosures may most often happen in the context of a communication that relates to treatment or health care operations. In that case, the underlying disclosure is not subject to an accounting and it would be arbitrary to require an accounting for a disclosure that was merely incidental to such a communication.

The Department however disagrees with commenters who requested that other public purpose disclosures not be subject to the accounting requirement. Although the Rule permits disclosure for a variety of public purposes, they are not routine disclosures of the individual’s information. The accounting requirement was designed as a means for the individual to find out the non-routine purposes for which his or her protected health information was disclosed by the covered entity, so as to increase the individual’s awareness of persons or entities other than the individual’s health care provider or health plan in possession of this information. To eliminate some or all of these public purposes would defeat the core purpose of the accounting requirement.

The Department disagrees with commenters’ proposal to exempt all research disclosures made pursuant to a waiver of authorization from the accounting requirement. Individuals have a right to know what information about them has been disclosed without their authorization, and for what purpose(s). However, the Department agrees that the Rule’s accounting requirements could have the undesired effect of causing covered entities to halt disclosures of protected health information for research. Therefore, the Department adopts commenters’ proposal to revise the accounting requirement at § 164.528 to permit covered entities to meet the requirement for research disclosures if they provide individuals with a list of all protocols for which the patient’s protected health information may have been disclosed for research pursuant to a waiver of authorization under § 164.512(i), as well as the researcher’s name and contact information. The Department agrees with commenters that this option struck the appropriate balance between affirming individuals’ right to know how information about them is disclosed, and ensuring that important research is not halted.

The Department considered and rejected a similar proposal by commenters when it adopted the Privacy Rule in December 2000. While recognizing the potential burden for research, the Department determined that the individual was entitled to the same level of specificity in an accounting for research disclosures as any other disclosure. At that time, however, the Department added the summary accounting procedures at § 164.528(b)(3) to address the burden issues of researchers and others in accounting for multiple disclosures to the same entity. In response to the Department’s most recent request for comments, researchers and others explained that the summary accounting procedures do not address the burden of having to account for disclosures for research permitted by § 164.512(i). These research projects usually involve many records. It is the volume of records for each disclosure, not the repeated nature of the disclosures, that presents an administrative obstacle for research if each record must be individually tracked for the accounting. Similarly, the summary accounting procedures do not relieve the burden for covered entities that participate in many different studies on a routine basis. The Department, therefore, reconsidered the proposal to account for large research projects by providing a listing of protocols in light of these comments.

Specifically, the Department adds a paragraph (4) to § 164.528(b) to provide for simplified accounting for research disclosures as follows:

1. The research disclosure must be pursuant to § 164.512(i) and involve at least 50 records. Thus, the simplified accounting procedures may be used for research disclosures based on an IRB or Privacy Board waiver of individual authorization, the provision of access to the researcher to protected health information for purposes preparatory to research, or for research using only records of deceased individuals. The large number of records likely to be disclosed for these research purposes justifies the need for the simplified accounting procedures. The Department has determined that a research request for 50 or more records warrants use of these special procedures.

2. For research protocols for which the individual’s protected health information may have been disclosed during the accounting period, the accounting must include the name of the study or protocol, a description of the purpose of the study and the type of protected health information sought, and the timeframe of disclosures in response to the request.

3. When requested by the individual, the covered entity must provide assistance in contacting those researchers to whom it is likely that the individual’s protected health information was actually disclosed.

Support for streamlining accounting for research disclosures came in comments and from NCVHS. The Department wants to encourage research and believes protections afforded information in hands of researcher, particularly research overseen by IRB or Privacy Board, provides assurance of continued confidentiality of information. The Department does not agree that the individual has no need to know that his or her information has been disclosed for a research purpose. Covered entities, of course, may account for research disclosures in the same manner as all other disclosures. Even when the covered entity elects to use the alternative of a protocol listing, the Department encourages covered entities to provide individuals with disclosure of the specific research study or protocol for which their protected health information was disclosed, and other specific information relating to such actual disclosures if they so choose. If the covered entity lists all protocols for which the individual’s information may have been disclosed, the Department would further encourage that the covered entity list under separate headings, or on separate lists, all protocols relating to particular health issues or conditions, so that individuals may more readily identify the specific studies for which their protected health information is more likely to have been disclosed.

The Department intends to monitor the simplified accounting procedures for certain research disclosures to determine if they are effective in providing meaningful information to individuals about how their protected health information is disclosed for research purposes, while still reducing the administrative burden on covered entities participating in such research efforts. The Department may make adjustments to the accounting procedures for research in the future as necessary to ensure both goals are fully met.

Response to Other Public Comments.

Comment: A few commenters opposed the proposal to eliminate the accounting requirement for all authorized disclosures arguing that, absent a full accounting, the individual cannot meaningfully exercise the right to amend or to revoke the authorization. Others also felt that a comprehensive right to an accounting, with no exceptions, was better from an oversight and enforcement standpoint as it encouraged consistent documentation of disclosures. One commenter also pointed to an example of the potential for fraudulent authorizations by citing press accounts of a chain drug store that allegedly took customers signatures from a log that waived their right to consult with the pharmacist and attached those signatures to a form authorizing the receipt of marketing materials. Under the proposal, the commenter asserted, the chain drug store would not have to include such fraudulent authorizations as part of an accounting to the individual.

Response: The Department does not agree that the individual’s right to amendment is materially affected by the accounting requirements for authorized disclosures. The covered entity that created the protected health information contained in a designated record set has the primary obligation to the individual to amend any erroneous or incomplete information. The individual does not necessarily have a right to amend information that is maintained by other entities that the individual has authorized to have his or her protected health information. Furthermore, the covered entity that has amended its own designated record set at the request of the individual is obligated to make reasonable efforts to notify other persons, including business associates, that are known to have the protected health information that was the subject of the amendment and that may rely on such information to the detriment of the individual. This obligation would arise with regard to persons to whom protected health information was disclosed with the individual’s authorization. Therefore, the individual’s amendment rights are not adversely affected by the modifications to the accounting requirements. Furthermore, nothing in the modification adversely affects the individual’s right to revoke the authorization. The Department agrees that oversight is facilitated by consistent documentation of disclosures. However, the Department must balance its oversight functions with the burden on entities to track all disclosures regardless of purpose. Based on this balancing, the Department has exempted routine disclosures, such as those for treatment, payment, and health care operations, and others for security reasons. The addition of authorized disclosures to the exemption from the accounting does not materially affect the Department’s oversight function. Compliance with the Rule’s authorization requirements can still be effectively monitored because covered entities are required to maintain signed authorizations as documentation of disclosures. Therefore, the Department believes that effective oversight, not the happenstance of discovery by an individual through the accounting requirement, is the best means to detect and prevent serious misdeeds such as those alleged in fraudulent authorizations.

Comment: A number of commenters recommended other types of disclosures for exemption from the accounting requirement. Many recommended elimination of the accounting requirement for public health disclosures arguing that the burden of the requirement may deter entities from making such disclosures and that because many are made directly to public health authorities by doctors and nurses, rather than from a central records component of the entity, public health disclosures are particularly difficult to track and document. Others suggested exempting from an accounting requirement any disclosure required by another law on the grounds that neither the individual nor the entity has any choice about such required disclosures. Still others wanted all disclosures to a governmental entity exempted as many such disclosures are required and often reports are routine or require lots of data. Some wanted disclosures to law enforcement or to insurers for claims investigations exempted from the accounting requirement to prevent interference with such investigatory efforts. Finally, a few commenters suggested that all of the disclosures permitted or required by the Privacy Rule should be excluded from the accounting requirement.

Response: Elimination of an accounting requirement for authorized disclosures is justified in large part by the individual’s knowledge of and voluntary agreement to such disclosures. None of the above suggestions for exemption of other permitted disclosures can be similarly justified. The right to an accounting of disclosures serves an important function in informing the individual as to which information was sent to which recipients. While it is possible that informing individuals about the disclosures of their health information may on occasion discourage some worthwhile activity, the Department believes that the individual’s right to know who is using their information and for what purposes takes precedence.

Comment: One commenter sought an exemption from the accounting requirement for disclosures to adult protective services when referrals are made for abuse, neglect, or domestic violence victims. For the same reasons that the Rule permits waiver of notification to the victim at the time of the referral based on considerations of the victim’s safety, the regulation should not make such disclosures known after the fact through the accounting requirement.

Response: The Department appreciates the concerns expressed by the commenter for the safety and welfare of the victims of abuse, neglect, or domestic violence. In recognition of these concerns, the Department does give the covered entity discretion in notifying the victim and/or the individual’s personal representative at the time of the disclosure. These concerns become more attenuated in the context of an accounting for disclosures, which must be requested by the individual and for which the covered entity has a longer timeframe to respond. Concern for the safety of victims of abuse or domestic violence should not result in stripping these individuals of the rights granted to others. If the individual is requesting the accounting, even after being warned of the potential dangers, the covered entity should honor that request. However, if the request is by the individual’s personal representative and the covered entity has a reasonable belief that such person is the abuser or that providing the accounting to such person could endanger the individual, the covered entity continues to have the discretion in § 164.502(g)(5) to decline such a request.

Comment: One commenter suggested elimination of the accounting requirement in its entirety. The commenter argued that HIPAA does not require an accounting as the individual’s right and the accounting does not provide any additional privacy protections to the individual’s information.

Response: The Department disagrees with the commenter. HIPAA authorized the Secretary to identify rights of the individual with respect to protected health information and how those rights should be exercised. In absence of regulation, HIPAA also authorized the Secretary to effectuate these rights by regulation. As stated in the preamble to the December 2000 Privacy Rule, the standard adopted by the Secretary that provides individuals with a right to an accounting of disclosures, is consistent with well-established privacy principles in other law and with industry standards and ethical guidelines, such as the Federal Privacy Act (5 U.S.C. 552a), the July 1977 Report of the Privacy Protection Study Commission, and NAIC Health Information Privacy Model Act. (See 65 FR 82739.)

Comment: A few commenters requested that the accounting period be shortened from six years to two years or three years.

Response: The Department selected six years as the time period for an accounting to be consistent with documentation retention requirements in the Rule. We note that the Rule exempts from the accounting disclosures made prior to the compliance date for Rule, or April 14, 2003. Therefore, it will not be until April 2009 that a full six year accounting period will occur. Also, the Rule permits individuals to request and the covered entity to provide for an accounting for less than full six year period. For example, an individual may be interested only in disclosures that occurred in the prior year or in a particular month. The Department will monitor the use of the accounting requirements after the compliance date and will evaluate the need for changes in the future if the six year period for the accounting proves to be unduly burdensome.

Comment: Commenters requested clarification of the need to account for disclosures to business associates, noting that while the regulation states that disclosures to and by a business associate are subject to an accounting, most such disclosures are for health care operations for which no accounting is required.

Response: The Department clarifies that the implementation specification in § 164.528(b)(1), that expressly includes in the content of an accounting disclosures to or by a business associate, must be read in conjunction with the basic standard for an accounting for disclosures in § 164.528(a). Indeed, the implementation specification expressly references the standard. Read together, the Rule does not require an accounting of any disclosure to or by a business associate that is for any exempt purpose, including disclosures for treatment, payment, and health care operations.

Comment: One commenter wanted health care providers to be able to charge reasonable fees to cover the retrieval and preparation costs of an accounting for disclosures.

Response: In granting individuals the right to an accounting, the Department had to balance the individual’s right to know how and to whom protected health information is being disclosed and the financial and administrative burden on covered entities in responding to such requests. The balance struck by the Department with regard to cost was to grant the individual a right to an accounting once a year without charge. The covered entity may impose reasonable, cost-based fees for any subsequent requests during the one year period. The Department clarifies that the covered entity may recoup its reasonable retrieval and report preparation costs, as well as any mailing costs, incurred in responding to subsequent requests. The Rule requires that individuals be notified in advance of these fees and provided an opportunity to withdraw or amend its request for a subsequent accounting to avoid incurring excessive fees.

Comment: One commenter wanted clarification of the covered entity’s responsibility to account for the disclosures of others. For example, the commenter wanted to know if the covered entity was responsible only for its own disclosures or did it also need to account for disclosures by every person that may subsequently handle the information.

Response: The Department clarifies in response to this comment that a covered entity is responsible to account to the individual for certain disclosures that it makes and for disclosures by its business associates. The covered entity is not responsible to account to the individual for any subsequent disclosures of the information by others that receive the information from the covered entity or its business associate.

 

HHS Description from Original Rulemaking Accounting of Disclosures of Protected Health Information: Content of the Accounting

 

We proposed in the NPRM to require the accounting to include all disclosures as described above, including disclosures authorized by the individual. The accounting would have been required to contain the date of each disclosure; the name and address of the organization or person who received the protected health information; a brief description of the information disclosed; and copies of all requests for disclosures. For disclosures other than those made at the request of the individual, the accounting would have also included the purpose for which the information was disclosed.

We generally retain the proposed approach in the final rule, but do not require covered entities to make copies of authorizations or other requests for disclosures available with the accounting. Instead, we require the accounting to contain a brief statement of the purpose of the disclosure. The statement must reasonably inform the individual of the basis for the disclosure. In lieu of the statement of purpose, a covered entity may include a copy of the individual’s authorization under § 164.508 or a copy of a written request for disclosure, if any, under § 164.502(a)(2)(ii) or § 164.512. We also clarify that covered entities are only required to include the address of the recipient of the disclosed protected health information if the covered entity knows the address.

We add a provision allowing for a summary accounting of recurrent disclosures. For multiple disclosures to the same recipient pursuant to a single authorization under § 164.508 or for a single purpose under §§ 164.502(a)(2)(ii) or 164.512, the covered entity may provide a summary accounting addressing the series of disclosures rather than a detailed accounting of each disclosure in the series. In this circumstance, a covered entity may limit the accounting of the series of disclosures to the following information: the information otherwise required above for the first disclosure in the series during the accounting period; the frequency, periodicity, or number of disclosures made during the accounting period; and the date of the most recent disclosure in the series. For example, if under § 164.512(b), a covered entity discloses the same protected health information to a public health authority for the same purpose every month, it can account for those disclosures by including in the accounting the date of the first disclosure, the public health authority to whom the disclosures were made and the public health authority’s address, a brief description of the information disclosed, a brief description of the purpose of the disclosures, the fact that the disclosures were made every month during the accounting period, and the date of the most recent disclosure.

 

HHS Response to Comments Received from Original Rulemaking Accounting of Disclosures of Protected Health Information: Content of the Accounting

 

Note: The HHS Response to Comments Received is the same as for § 164.528(a)

Comment: Many commenters expressed support for the concept of the right to receive an accounting of disclosures. Others opposed even the concept. One commenter said that it is likely that some individuals will request an accounting of disclosures from each of his or her health care providers and payors merely to challenge the disclosures that the covered entity made.

Some commenters also questioned the value to the individual of providing the right to an accounting. One commenter stated that such a provision would be meaningless because those who deliberately perpetrate an abuse are unlikely to note their breach in a log.

Response: The final rule retains the right of an individual to receive an accounting of disclosures of protected health information. The provision serves multiple purposes. It provides a means of informing the individual as to which information has been sent to which recipients. This information, in turn, enables individuals to exercise certain other rights under the rule, such as the rights to inspection and amendment, with greater precision and ease. The accounting also allows individuals to monitor how covered entities are complying with the rule. Though covered entities who deliberately make disclosures in violation of the rule may be unlikely to note such a breach in the accounting, other covered entities may document inappropriate disclosures that they make out of ignorance and not malfeasance. The accounting will enable the individual to address such concerns with the covered entity.

We believe this approach is consistent with well-established privacy principles, with other law, and with industry standards and ethical guidelines. The July 1977 Report of the Privacy Protection Study Commission recommended that a health care provider should not disclose individually-identifiable information for certain purposes without the individual’s authorization unless “an accounting of such disclosures is kept and the individual who is the subject of the information being disclosed can find out that the disclosure has been made and to whom.” With certain exceptions, the Privacy Act (5 U.S.C. 552a) requires government agencies to “keep an accurate accounting of... the date, nature, and purpose of each disclosure of a record to any person or to another agency... and... the name and address of the person or agency to whom the disclosure is made.” The National Association of Insurance Commissioners’ Health Information Privacy Model Act requires carriers to provide to individuals on request “information regarding disclosure of that individual’s protected health information that is sufficient to exercise the right to amend the information.” We build on these standards in this final rule.

Comment: Many commenters disagreed with the NPRM’s exception for treatment, payment, and health care operations. Some commenters wanted treatment, payment, and health care operations disclosures to be included in an accounting because they believed that improper disclosures of protected health information were likely to be committed by parties within the entity who have access to protected health information for treatment, payment, and health care operations related purposes. They suggested that requiring covered entities to record treatment, payment, and health care operations disclosures would either prevent improper disclosures or enable transgressions to be tracked.

One commenter reasoned that disclosures for treatment, payment, and health care operations purposes should be tracked since these disclosures would be made without the individual’s consent. Others argued that if an individual’s authorization is not required for a disclosure, then the disclosure should not have to be tracked for a future accounting to the individual.

One commenter requested that the provision be restated so that no accounting is required for disclosures “compatible with or directly related to” treatment, payment or health care operations. This comment indicated that the change would make § 164.515(a)(l) of the NPRM consistent with § 164.508(a)(2)(i)(A) of the NPRM.

Response: We do not accept the comments suggesting removing the exception for disclosures for treatment, payment, and health care operations. While including all disclosures within the accounting would provide more information to individuals about to whom their information has been disclosed, we believe that documenting all disclosures made for treatment, payment, and health care operations purposes would be unduly burdensome on entities and would result in accountings so voluminous as to be of questionable value. Individuals who seek treatment and payment expect that their information will be used and disclosed for these purposes. In many cases, under this final rule, the individual will have consented to these uses and disclosures. Thus, the additional information that would be gained from including these disclosures would not outweigh the added burdens on covered entities. We believe that retaining the exclusion of disclosures to carry out treatment, payment, and health care operations makes for a manageable accounting both from the point of view of entities and of individuals. We have conformed the language in this section with language in other sections of the rule regarding uses and disclosures to carry out treatment, payment, and health care operations. See § 164.508 and the corresponding preamble discussion regarding our to decision to use this language.

Comments: A few commenters called for a record of all disclosures, including a right of access to a full audit trail where one exists. Some commenters stated while audit trails for paper records are too expensive to require, the privacy rule should not discourage audit trails, at least for computer-based records. They speculated that an important reason for maintaining a full audit trail is that most abuses are the result of activity by insiders. On the other hand, other commenters pointed out that an enormous volume of records would be created if the rule requires recording all accesses in the manner of a full audit trail.

One commenter supported the NPRM’s reference to the proposed HIPAA Security Rule, agreeing that access control and disclosure requirements under this rule should be coordinated with the final HIPAA Security Rule. The commenter recommended that HHS add a reference to the final HIPAA Security Rule in this section and keep specific audit log and reporting requirements generic in the privacy rule.

Response: Audit trails and the accounting of disclosures serve different functions. In the security field, an audit trail is typically a record of each time a sensitive record is altered, how it was altered and by whom, but does not usually record each time a record is used or viewed. The accounting required by this rule provides individuals with information about to whom a disclosure is made. An accounting, as described in the this rule, would not capture uses. To the extent that an audit trail would capture uses, consumers reviewing an audit trail may not be able to distinguish between accesses of the protected health information for use and accesses for disclosure. Further, it is not clear the degree to which the field is technologically poised to provide audit trails. Some entities could provide audit trails to individuals upon their request, but we are concerned that many could not.

We agree that it is important to coordinate this provision of the privacy rule with the Security Rule when it is issued as a final rule.

Comments: We received many comments from researchers expressing concerns about the potential impact of requiring an accounting of disclosures related to research. The majority feared that the accounting provision would prove so burdensome that many entities would decline to participate in research. Many commenters believed that disclosure of protected health information for research presents little risk to individual privacy and feared that the accounting requirement could shut down research.

Some commenters pointed out that often only a few data elements or a single element is extracted from the patient record and disclosed to a researcher, and that having to account for so singular a disclosure from what could potentially be an enormous number of records imposes a significant burden. Some said that the impact would be particularly harmful to longitudinal studies, where the disclosures of protected health information occur over an extended period of time. A number of commenters suggested that we not require accounting of disclosures for research, registries, and surveillance systems or other databases unless the disclosure results in the actual physical release of the patient’s entire medical record, rather than the disclosure of discrete elements of information contained within the record.

We also were asked by commenters to provide an exclusion for research subject to IRB oversight or research that has been granted a waiver of authorization pursuant to proposed § 164.510, to exempt “in-house” research from the accounting provision, and to allow covered entities to describe the type of disclosures they have made to research projects, without specifically listing each disclosure. Commenters suggested that covered entities could include in an accounting a listing of the various research projects in which they participated during the time period at issue, without regard to whether a particular individual’s protected health information was disclosed to the project.

Response: We disagree with suggestions from commenters that an accounting of disclosures is not necessary for research. While it is possible that informing individuals about the disclosures made of their health information may on occasion discourage worthwhile activities, we believe that individuals have a right to know who is using their health information and for what purposes. This information gives individuals more control over their health information and a better base of knowledge from which to make informed decisions.

For the same reasons, we also do not believe that IRB or privacy board review substitutes for providing individuals the right to know how their information has been disclosed. We permit IRBs or privacy boards to determine that a research project would not be feasible if authorization were required because we understand that it could be virtually impossible to get authorization for archival research involving large numbers of individuals or where the location of the individuals is not easy to ascertain. While providing an accounting of disclosures for research may entail some burden, it is feasible, and we do not believe that IRBs or privacy boards would have a basis for waiving such a requirement. We also note that the majority of comments that we received from individuals supported including more information in the accounting, not less.

We understand that requiring covered entities to include disclosures for research in the accounting of disclosures entails some burden, but we believe that the benefits described above outweigh the burden.

We do not agree with commenters that we should exempt disclosures where only a few data elements are released or in the case of data released without individuals’ names. We recognize that information other than names can identify an individual. We also recognize that even a few data elements could be clues to an individual’s identity. The actual volume of information released is not an appropriate indicator of whether an individual could have a concern about privacy.

We disagree with comments that suggested that it would be sufficient to provide individuals with a general list of research projects to which information has been disclosed by the covered entity. We believe that individuals are entitled to a level of specificity about disclosures of protected health information about them and should know to which research projects their protected health information has been disclosed, rather than to which projects protected health information may have been disclosed. However, we have added a provision allowing for a summary accounting of recurrent disclosures. For multiple disclosures to the same recipient pursuant to a single authorization or for a single purpose permitted under the rule without authorization, the covered entity may provide a summary accounting addressing the series of disclosures rather than a detailed accounting of each disclosure in the series. This change is designed to ease the burden on covered entities involved in longitudinal projects.

With regard to the suggestion that we exempt “in-house” research from the accounting provision, we note that only disclosures of protected health information must appear in an accounting.

Comments: Several commenters noted that disclosures for public health activities may be of interest to individuals, but add to the burden imposed on entities. Furthermore, some expressed fear that priority public health activities would be compromised by the accounting provision. One commenter from a health department said that covered entities should not be required to provide an accounting to certain index cases, where such disclosures create other hazards, such as potential harm to the reporting provider. This commenter also speculated that knowing protected health information had been disclosed for these public health purposes might cause people to avoid treatment in order to avoid being reported to the public health department.

A provider association expressed concern about the effect that the accounting provision might have on a non-governmental, centralized disease registry that it operates. The provider organization feared that individuals might request that their protected health information be eliminated in the databank, which would make the data less useful.

Response: As in the discussion of research above, we reject the contention that we should withhold information from individuals about where their information has been disclosed because informing them could occasionally discourage some worthwhile activities. We also believe that, on balance, individuals’ interest in having broad access to this information outweighs concerns about the rare instances in which providing this information might raise concerns about harm to the person who made the disclosure. As we stated above, we believe that individuals have a right to know who is using their health information and for what purposes. This information gives individuals more control over their health information and a better base of knowledge from which to make informed decisions.

Comment: We received many comments about the proposed time-limited exclusion for law enforcement and health oversight. Several commenters noted that it is nearly impossible to accurately project the length of an investigation, especially during its early stages. Some recommended we permit a deadline based on the end of an event, such as conclusion of an investigation. One commenter recommended amending the standard such that covered entities would never be required to give an accounting of disclosures to health oversight or law enforcement agencies. The commenter noted that there are public policy reasons for limiting the extent to which a criminal investigation is made known publicly, including the possibility that suspects may destroy or falsify evidence, hide assets, or flee. The commenter also pointed out that disclosure of an investigation may unfairly stigmatize a person or entity who is eventually found to be innocent of any wrongdoing.

On the other hand, many commenters disagreed with the exemption for recording disclosures related to oversight activities and law enforcement. Many of these commenters stated that the exclusion would permit broad exceptions for government purposes while holding disclosures for private purposes to a more burdensome standard.

Some commenters felt that the NPRM made it too easy for law enforcement to obtain an exception. They suggested that law enforcement should not be excepted from the accounting provision unless there is a court order. One commenter recommended that a written request for exclusion be dated, signed by a supervisory official, and contain a certification that the official is personally familiar with the purpose of the request and the justification for exclusion from accounting.

Response: We do not agree with comments suggesting that we permanently exclude disclosures for oversight or law enforcement from the accounting. We believe generally that individuals have a right to know who is obtaining their health information and for what purposes.

At the same time, we agree with commenters that were concerned that an accounting could tip off subjects of investigations. We have retained a time-limed exclusion period similar to that proposed in the NPRM. To protect the integrity of investigations, in the final rule we require covered entities to exclude disclosures to a health oversight agency or law enforcement official for the time specified by that agency or official, if the agency or official states that including the disclosure in an accounting to the individual would be reasonably likely to impede the agency or official’s activities. We require the statement from the agency or official to provide a specific time frame for the exclusion. For example, pursuant to a law enforcement official’s statement, a covered entity could exclude a law enforcement disclosure from the accounting for a period of three months from the date of the official’s statement or until a date specified in the statement.

In the final rule, we permit the covered entity to exclude the disclosure from an accounting to an individual if the agency or official makes the statement orally and the covered entity documents the statement and the identify of the agency or official that made the statement. We recognize that in urgent situations, agencies and officials may not be able to provide statements in writing. If the agency or official’s statement is made orally, however, the disclosure can be excluded from an accounting to the individual for no longer than 30 days from the oral statement. For exclusions longer than 30 days, a covered entity must receive a written statement.

We believe these requirements appropriately balance individuals’ rights to be informed of the disclosures of protected health information while recognizing the public’s interest in maintaining the integrity of health oversight and law enforcement activities.

Comment: One commenter stated that under Minnesota law, providers who are mandated reporters of abuse are limited as to whom they may reveal the report of abuse (generally law enforcement authorities and other providers only). This is because certain abusers, such as parents, by law may have access to a victim’s (child’s) records. The commenter requested clarification as to whether these disclosures are exempt from the accounting requirement or whether preemption would apply.

Response: While we do not except mandatory disclosures of abuse from the accounting for disclosure requirement, we believe the commenter’s concerns are addressed in several ways. First, nothing in this regulation invalidates or limits the authority or procedures established under state law providing for the reporting of child abuse. Thus, with respect to child abuse the Minnesota law’s procedures are not preempted even though they are less stringent with respect to privacy. Second, with respect to abuse of persons other than children, we allow covered entities to refuse to treat a person as an individual’s personal representative if the covered entity believes that the individual has been subjected to domestic violence, abuse, or neglect from the person. Thus, the abuser would not have access to the accounting. We also note that a covered entity must exclude a disclosure, including disclosures to report abuse, from the accounting for specified period of time if the law enforcement official to whom the report is made requests such exclusion.

Comment: A few comments noted the lack of exception for disclosures made to intelligence agencies.

Response: We agree with the comments and have added an exemption for disclosures made for national security or intelligence purposes under § 164.512(k)(2). Individuals do not have a right to an accounting of disclosures for these purposes.

Comment: Commenters noted that the burden associated with this provision would, in part, be determined by other provisions of the rule, including the definitions of “individually identifiable,” “treatment,” and “health care operations.” They expressed concern that the covered entity would have to be able to organize on a patient by patient basis thousands of disclosures of information, which they described as “routine.” These commenters point to disclosures for patient directory information, routine banking and payment processes, uses and disclosures in emergency circumstances, disclosures to next of kin, and release of admissions statistics to a health oversight agency.

Response: We disagree with the commenters that ambiguity in other areas of the rule increase the burden associated with maintaining an accounting. The definitions of treatment, payment, and health operations are necessarily broad and there is no accounting required for disclosures for these purposes. These terms cover the vast majority of routine disclosures for health care purposes. (See § 164.501 and the associated preamble for a discussion of changes made to these definitions.)

The disclosures permitted under § 164.512 are for national priority purposes, and determining whether a disclosure fits within the section is necessary before the disclosure can be made. There is no additional burden, once such a determination is made, in determining whether it must be included in the accounting.

We agree with the commenters that there are areas where we can reduce burden by removing additional disclosures from the accounting requirement, without compromising individuals’ rights to know how their information is being disclosed. In the final rule, covered entities are not required to include the following disclosures in the accounting: disclosures to the individual, disclosures for facility directories under § 164.510(a), or disclosures to persons assisting in the individual’s care or for other notification purposes under § 164.510(b). For each of these types of disclosures, the individual is likely to already know about the disclosure or to have agreed to the disclosure, making the inclusion of such disclosures in the accounting less important to the individual and unnecessarily burdensome to the covered entity.

Comment: Many commenters objected to requiring business partners to provide an accounting to covered entities upon their request. They cited the encumbrance associated with re-contracting with the various business partners, as well as the burden associated with establishing this type of record keeping.

Response: Individuals have a right to know to whom and for what purpose their protected health information has been disclosed by a covered entity. The fact that a covered entity uses a business associate to carry out a function does not diminish an individual’s right to know.

Comments: One commenter requested clarification as to how far a covered entity’s responsibility would extend, asking whether an entity had to track only their direct disclosures or subsequent re-disclosures.

Response: Covered entities are required to account for their disclosures, as well as the disclosures of their business associates, of protected health information. Because business associates act on behalf of covered entities, it is essential that their disclosures be included in any accounting that an individual requests from a covered entity. Covered entities are not responsible, however, for the actions of persons who are not their business associates. Once a covered entity has accounted for a disclosure to any person other than a business associate, it is not responsible for accounting for any further uses or disclosures of the information by that other person.

Comments: Some commenters said that the accounting provision described in the NPRM was ambiguous and created uncertainty as to whether it addresses disclosures only, as the title would indicate, or whether it includes accounting of uses. They urged that the standard address disclosures only, and not uses, which would make implementation far more practicable and less burdensome.

Response: The final rule requires disclosures, not uses, to be included in an accounting. See § 164.501 for definitions of “use” and “disclosure.”

Comments: We received many comments from providers and other representatives of various segments of the health care industry, expressing the view that a centralized system of recording disclosures was not possible given the complexity of the health care system, in which disclosures are made by numerous departments within entities. For example, commenters stated that a hospital medical records department generally makes notations regarding information it releases, but that these notations do not include disclosures that the emergency department may make. Several commenters proposed that the rule provide for patients to receive only an accounting of disclosures made by medical records departments or some other central location, which would relieve the burden of centralizing accounting for those entities who depend on paper records and tracking systems.

Response: We disagree with commenters’ arguments that covered entities should not be held accountable for the actions of their subdivisions or workforce members. Covered entities are responsible for accounting for the disclosures of protected health information made by the covered entity, in accordance with this rule. The particular person or department within the entity that made the disclosure is immaterial to the covered entity’s obligation. In the final rule, we require covered entities to document each disclosure that is required to be included in an accounting. We do not, however, require this documentation to be maintained in a central registry. A covered hospital, for example, could maintain separate documentation of disclosures that are made from the medical records department and the emergency department. At the time an individual requests an accounting, this documentation could be integrated to provide a single accounting of disclosures made by the covered hospital. Alternatively, the covered hospital could centralize its processes for making and documenting disclosures. We believe this provision provides covered entities with sufficient flexibility to meet their business needs without compromising individuals’ rights to know how information about them is disclosed.

Comments: Commenters stated that the accounting requirements placed undue burden on covered entities that use paper, rather than electronic, records.

Response: We do not agree that the current reliance on paper records makes the accounting provision unduly burdensome. Covered entities must use the paper records in order to make a disclosure, and have the opportunity when they do so to make a notation in the record or in a separate log. We require an accounting only for disclosures for purposes other than treatment, payment, and health care operations. Such disclosures are not so numerous that they cannot be accounted for, even if paper records are involved.

Comments: The exception to the accounting provision for disclosures of protected health information for treatment, payment, and health care operations purposes was viewed favorably by many respondents. However, at least one commenter stated that since covered entities must differentiate between disclosures that require documentation and those that do not, they will have to document each instance when a patient’s medical record is disclosed to determine the reason for the disclosure. This commenter also argued that the administrative burden of requiring customer services representatives to ask in which category the information falls and then to keep a record that they asked the question and record the answer would be overwhelming for plans. The commenter concluded that the burden of documentation on a covered entity would not be relieved by the stipulation that documentation is not required for treatment, payment, and health care operations.

Response: We disagree. Covered entities are not required to document every disclosure in order to differentiate those for treatment, payment, and health care operations from those for purposes for which an accounting is required. We require that, when a disclosure is made for which an accounting is required, the covered entity be able to produce an accounting of those disclosures upon request. We do not require a covered entity to be able to account for every disclosure. In addition, we believe that we have addressed many of the commenters’ concerns by clarifying in the final rule that disclosures to the individual, regardless of the purpose for the disclosure, are not subject to the accounting requirement.

Comments: An insurer explained that in the context of underwriting, it may have frequent and multiple disclosures of protected health information to an agent, third party medical provider, or other entity or individual. It requested we reduce the burden of accounting for such disclosures.

Response: We add a provision allowing for a summary accounting of recurrent disclosures. For multiple disclosures to the same recipient pursuant to a single authorization or for a single purpose permitted under the rule without authorization, the covered entity may provide a summary accounting addressing the series of disclosures rather than a detailed accounting of each disclosure in the series.

Comment: Several commenters said that it was unreasonable to expect covered entities to track disclosures that are requested by the individual. They believed that consumers should be responsible for keeping track of their own requests.

Other commenters asked that we specify that entities need not retain and provide copies of the individual’s authorization to disclose protected health information. Some commenters were particularly concerned that if they maintain all patient information on a computer system, it would be impossible to link the paper authorization with the patient’s electronic records.

Another commenter suggested we allow entities to submit copies of authorizations after the 30-day deadline for responding to the individual, as long as the accounting itself is furnished within the 30-day window.

Response: In the final rule we do not require disclosures to the individual to be included in the accounting. Other disclosures requested by the individual must be included in the accounting, unless they are otherwise excepted from the requirement. We do not agree that individuals should be required to track these disclosures themselves. In many cases, an authorization may authorize a disclosure by more than one entity, or by a class of entities, such as all physicians who have provided medical treatment to the individual. Absent the accounting, the individual cannot know whether a particular covered entity has acted on the authorization.

We agree, however, that it is unnecessarily burdensome to require covered entities to provide the individual with a copy of the authorization. We remove the requirement. Instead, we require the accounting to contain a brief statement describing the purpose for which the protected health information was disclosed. The statement must be sufficient to reasonably inform the individual of the basis for the disclosure. Alternatively, the covered entity may provide a copy of the authorization or a copy of the written request for disclosure, if any, under §§ 164.502(a)(2)(ii) or 164.512.

Comments: We received many comments regarding the amount of information required in the accounting. A few commenters requested that we include additional elements in the accounting, such as the method of transmittal and identity of the employee who accessed the information.

Other commenters, however, felt that the proposed requirements went beyond what is necessary to inform the individual of disclosures. Another commenter stated that if the individual’s right to obtain an accounting extends to disclosures that do not require a signed authorization, then the accounting should be limited to a disclosure of the manner and purpose of disclosures, as opposed to an individual accounting of each entity to whom the protected health information was disclosed. An insurer stated that this section of the proposed rule should be revised to provide more general, rather than detailed, guidelines for accounting of disclosures. The commenter believed that its type of business should be allowed to provide general information regarding the disclosure of protected health information to outside entities, particularly with regard to entities with which the insurer maintains an ongoing, standard relationship (such as a reinsurer).

Response: In general, we have retained the proposed approach, which we believe strikes an appropriate balance between the individual’s right to know to whom and for what purposes their protected health information has been disclosed and the burden placed on covered entities. In the final rule, we clarify that the accounting must include the address of the recipient only if the address is known to the covered entity. As noted above, we also add a provision allowing for a summary accounting of recurrent disclosures. We note that some of the activities of concern to commenters may fall under the definition of health care operations (see § 164.501 and the associated preamble).

Comment: A commenter asked that we limit the accounting to information pertaining to the medical record itself, as opposed to protected health information more generally. Similarly, commenters suggested that the accounting be limited to release of the medical record only.

Response: We disagree. Protected health information exists in many forms and resides in many sources. An individual’s right to know to whom and for what purposes his or her protected health information has been disclosed would be severely limited if it pertained only to disclosure of the medical record, or information taken only from the record.

Comment: A commenter asked that we make clear that only disclosures external to the organization are within the accounting requirement.

Response: We agree. The requirement only applies to disclosures of protected health information, as defined in § 164.501.

Comment: Some commenters requested that we establish a limit on the number of times an individual could request an accounting. One comment suggested we permit individuals to request one accounting per year; another suggested two accountings per year, except in “emergency situations.” Others recommended that we enable entities to recoup some of the costs associated with implementation by allowing the entity to charge for an accounting.

Response: We agree that covered entities should be able to defray costs of excessive requests. The final rule provides individuals with the right to receive one accounting without charge in a twelve-month period. For additional requests by an individual within a twelve-month period, the covered entity may charge a reasonable, cost-based fee. If it imposes such a fee, the covered entity must inform the individual of the fee in advance and provide the individual with an opportunity to withdraw or modify the request to avoid or reduce the fee.

Comment: In the NPRM, we solicited comments on the appropriate duration of the individual’s right to an accounting. Some commenters supported the NPRM’s requirement that the right exist for as long as the covered entities maintains the protected health information. One commenter, however, noted that most audit control systems do not retain data on activity for indefinite periods of time.

Other commenters noted that laws governing the length of retention of clinical records vary by state and by provider type and suggested that entities be allowed to adhere to state laws or policies established by professional organizations or accrediting bodies. Some commenters suggested that the language be clarified to state that whatever minimum requirements are in place for the record should also guide covered entities in retaining their capacity to account for disclosures over that same time, but no longer.

Several commenters asked us to consider specific time limits. It was pointed out that proposed § 164.520(f)(6) of the NPRM set a six-year time limit for retaining certain information including authorization forms and contracts with business partners. Included in this list was the accounting of disclosures, but this requirement was inconsistent with the more open-ended language in § 164.515. Commenters suggested that deferring to this six-year limit would make this provision consistent with other record retention provisions of the standard and might relieve some of the burden associated with implementation. Other specific time frames suggested were two years, three years, five years, and seven years.

Another option suggested by commenters was to keep the accounting record for as long as entities have the information maintained and “active” on their systems. Information permanently taken off the covered entity’s system and sent to “dead storage” would not be covered. One commenter further recommended that we not require entities to maintain records or account for prior disclosures for members who have “disenrolled.”

Response: We agree with commenters who suggested we establish a specific period for which an individual may request an accounting. In the final rule, we provide that individuals have a right to an accounting of the applicable disclosures that have been made in the six-year period prior to a request for an accounting. We adopt this time frame to conform with the other documentation retention requirements in the rule. We also note that an individual may request, and a covered entity may then provide, an accounting of disclosures for a period of time less than six years from the date of the request. For example, an individual could request an accounting only of disclosures that occurred during the year prior to the request. In addition, we note that covered entities do not have to account for disclosures that occurred prior to the compliance date of this rule.

Comments: Commenters asked that we provide more time for entities to respond to requests for accounting. Suggestions ranged from 60 days to 90 days. Another writer suggested that entities be able to take up to three 30-day extensions from the original 30-day deadline. Commenters raised concerns about the proposed requirement that a covered health care provider or health plan act as soon as possible.

Response: We agree with concerns raised by commenters and in the final rule, covered entities are required to provide a requested accounting no later than 60 days after receipt of the request. We also provide for one 30 day extension if the covered entity is unable to provide the accounting within the standard time frame. We eliminate the requirement for a covered entity to act as soon as possible.

We recognize that circumstances may arise in which an individual will request an accounting on an expedited basis. We encourage covered entities to implement procedures for handling such requests. The time limitation is intended to be an outside deadline, rather than an expectation. We expect covered entities always to be attentive to the circumstances surrounding each request and to respond in an appropriate time frame.

Comment: A commenter asked that we provide an exemption for disclosures related to computer upgrades, when protected health information is disclosed to another entity solely for the purpose of establishing or checking a computer system.

Response: This activity falls within the definition of health care operations and is, therefore, excluded from the accounting requirement.