9 Dec 2009

Data Retention and Accounting of Disclosures

Posted by trishvoss

by Trish Voss

How long do I need to retain data? This is one of the questions we hear most often, so we thought folks would benefit from a discussion about it. The HIPAA Privacy Rule stated healthcare providers must retain health records (electronic, written and oral) for a minimum of six years. However, covered entities were not required to account for disclosures related to treatment, payment or health care operations.

The HITECH Act expanded the requirements under HIPAA for covered entities that maintain Protected Health Information (PHI) in electronic form to include disclosures of PHI made for purposes of treatment, payment or health care operations (TPO). As I understand it, accounting of disclosures for TPO is limited to releases of PHI outside of the covered entity. So what does all of this mean, and what exactly are you required to do?

Well, the regulations state the accounting must show ALL disclosures made for three years prior to the request. When deciding on data retention, you have a couple of options:

  1. Produce an accounting of disclosures for your site (all systems), as well as an accounting of disclosures made by your business associates.
  2. Produce an accounting of disclosures for your site (all systems) and provide a list of all business associates that received electronic PHI. In this case the business associates will be required to provide an accounting to the requestor.
    Note: It has been suggested you revise your business associate agreements to clearly state who will be responsible for providing the information if you use this option.

This change is significant and will require evaluation, not only with regard to data retention, but in process definition as well. The compliance date for covered entities and business associates currently utilizing electronic health records is January 1, 2014. For those who acquire an electronic health record system after January 1, 2009, the effective date is January 1, 2011 or the date an electronic health record system is acquired.

These are just a couple more things to consider when reviewing your policies and procedures. How long is your facility planning on retaining data?
