
Delaware Health and Social Services
Division of Developmental Disabilities Services
Dover, Delaware

Signed Copy in Office of PARC Chair 

Title: HIPAA - PHI Accounting and Disclosure Procedures 	Approved By:_________________
         Division Director 

Written/Revised By: HIPAA Privacy Committee 			Date of Origin: April 14, 2003 

Reviewed by: DDDS Policy & Records Committee 			Revision Date: May 09, 2006


I. PURPOSE 

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Regulation 164.528 (a), (b) states that individuals have a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting was requested except for disclosures listed in 45 CFR, 164.528. This policy shall establish procedures to meet this regulation. 

II. POLICY 

The Division of Developmental Disabilities Services (DDDS) shall establish a system for the 
accounting of released Protected Health Information (PHI). 
 
III. APPLICATION 

DDDS Health Information Management Department (H.I.M.) 
All DDDS Employees 
DDDS Business Associates 
 
IV. DEFINITIONS 


A. Authorized Disclosures - Disclosures that are part of a limited data set and disclosures 
   that are incidental to another permissible use or disclosure (i.e., for public health 
   purposes including the Food and Drug Administration health mission). Refer to 45 CFR, 
   Section 164.512 and the DDDS Notice of health Information Practices document.

B. Business Associate - A person or organization that performs a function or activity on 
   behalf of a covered entity (DDDS), but is not part of the covered entity’s workforce.


C. Individuals - The person(s) who is the subject of the individually 
   identifiable health information.


D. Protected Health Information - All individually identifiable health 
   information (communicated electronically, on paper, or orally) that is 
   created or received by covered health entities that transmit or maintain 
   information in any form.
 




V. STANDARDS 
A. DDDS shall honor individuals’ approved authorizations to report an accounting 
   of disclosed PHI, in the six (6) years prior to the date on which the 
   accounting is requested, except as specified in 45 CFR, 164.528.


B. Requests for an accounting of the disclosure of PHI shall be made in the form 
   of writing, on the DDDS approved Request for Accounting of Release of PHI 
   form and forwarded directly to the DDDS Medical Records Administrator, Health 
   Information Management Department. 

C. The DDDS Health Information Management Department shall provide the 
   accounting in writing and shall include disclosures made to or by business        
   associates of DDDS.

D.  Each accounting of a disclosure shall include the following elements: 
(a) the date of disclosure 
(b) the name of the entity or person who received the PHI and the address of 
    such entity or person, if known;
(c) a brief description of the PHI disclosed; 
(d) a brief statement of the purpose of the disclosure that reasonably informs 
    the individual of the basis for the disclosure OR A copy of the individual’s 
    written authorization to use or disclose the PHI OR A copy of a written 
    request for a disclosure required by the HHS Secretary to investigate or 
    determine DDDS’ compliance with applicable laws and regulations.

E.  DDDS is not required to provide an accounting of disclosures that were made    
incidental to another use or disclosure that is allowable under 45 CFR Part     164. To minimize incidental uses, DDDS shall;
(a) take precautions to reasonably safeguard PHI as required by 45 CFR, 
    Section 164.530( c)(1);
(b) disclose only the minimum amount of PHI necessary to achieve the intended 
    purpose of the disclosure. 
 
F. The DDDS Health Information Management Department shall provide, to 
   authorized individuals, the requested information within 60 days of receipt 
   of the Request for Accounting of Release of PHI.

G. The individual requesting the accounting shall be notified in writing if the 
   information is not expected to be provided within 60 days. The written notice 
   shall explain the reason for delay and include an anticipated date of receipt     
   (not to exceed 30 days beyond the initial 60 days). 


 

 


V. STANDARDS (continued) 


H. DDDS shall not extend time to provide the accounting more than once. 


I. The first accounting of release of PHI in any 12 month period of time shall 
   be without charge. The fee for any subsequent request for accounting by the 
   same individual shall be cost-based.


J. DDDS shall inform the individual in advance of the fee and provide him/her 
   with an opportunity to withdraw or modify the request for a subsequent 
   accounting of PHI.


K. DDDS shall notify the individual in writing if the request for an accounting 
   of the release of PHI is denied. The reason for the denial shall be      
   explained.


L. DDDS shall document and retain the following information for a period of at 
   least 6 years, or from the date of its creation or the date when it was last 
   in effect, whichever is later:

(a) the information required to be included in an accounting; 
(b) the written accounting that is provided to the individual; 
(c) the title of the persons or officer responsible for receiving and processing 
    requests for PHI accounting 

M. The DDDS Health Information Management Department shall maintain an accounting of when an individual’s PHI is disclosed for purposes other than treatment, payment or health care operations. This information shall be protected. 

VI. PROCEDURES 

Individual or other authorized Representative 

1. Submits a completed Request for Accounting of Release of PHI to the H.I.M. 
   Department.

H.I.M. Department 

2. Provides the individual with the requested accounting within 60 days of    
   receipt of a valid Request for Accounting of Release of PHI.

3. If the requested accounting cannot be provided within 60 days, provides the 
   individual with a written statement of the reasons for delay and the date by 
   which the information will be provided (not to exceed 30 days beyond the 
   initial 60 days). Time to provide the requested accounting shall not be 
   extended more than one time.

4. If the requested accounting cannot be provided, the individual shall be 
   notified in writing, via the Denial of Request for 



VI. PROCEDURES (continued) 



   Accounting of PHI memo, within 60 days of receipt of the request. A HIPAA Privacy    
   Complaint Form shall also accompany the denial memo.

5. Retains for a period of at least six (6) years the following documentation: 
   The applicable Request for Accounting of Release of PHI form signed by an 
   authorized person, the information required to be included in an accounting, 
   the written accounting that is provided to the individual and the title of     
   the person(s) responsible for processing each individual request for        
   accounting.

6. Notifies the DDDS Privacy Officer before information is disclosed or the 
   request for disclosure is denied 


Individual or Authorized Representative: 

7. May file a HIPAA Privacy Complaint Form if 
   dissatisfied with the DDDS decision/practice relative to the accounting of 
   disclosure of PHI. 


VII. SYNOPSIS 
The DDDS Health Information Management Department is responsible for maintaining an accounting of disclosures of Protected Health Information (PHI) regarding individuals served by the DDDS, in accordance with CFR 45, section 164.528. This policy identifies the process by which the information is requested and provided. 


VIII. REFERENCES 
Federal Register, Parts 160 and 164, Standards for Privacy of Individually Identifiable Health Information 
DDDS Privacy Complaints Form 


IX. EXHIBITS 
A. HIPAA Request for Accounting of Release of PHI 
B. Notice of Health Information Practices 
C. Denial of Request for PHI Accounting Memo 




 

 


													EXHIBIT A 

 


DELAWARE OF HEALTH AND SOCIAL SERVICES

DIVISION OF DEVELOPMENTAL DISABILITIES SERVICES


HIPAA Request for Accounting of Release of Protected Health Information

 

 

Individual’s Name __________________________		Date ____________________

Address _____________________________________		City ____________________

State ___ ZIP Code ________					DOB# ____________ 
Time Period for Accounting of Release of Protected Health Information (PHI) __________ 


HIPAA Regulations state that you have the right to request an accounting of the uses and disclosures of your protected health information (PHI), for non-authorized disclosures, outside of the State of Delaware Health and Social Services. By signing this document you are requesting an accounting of all disclosures, as required by CFR 45, section 164.528, during the identified time period. 

 
________________________________________				_______________
Individual/Guardian/Authorized Signature 				Date of Request 

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 

For DDDS-H.I.M. use only 

List of Disclosures Made as of ___________________ 

Disclosure 				Name/Address 			Purpose of Release 
Date 					of Recipient 

____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ 
 
Prepared by staff _______________________			________________

 				Signature 					Date 
PARC Reviewed: 01/10/06 
Form # 35/Admin 



													EXHIBIT B 

 

DELAWARE HEALTH AND SOCIAL SERVICES
DIVISION OF DEVELOPMENTAL DISABILITIES SERVICES

Notice of Health Information Practices

 

THIS NOTICE DESCRIBES HOW INFORMATION ABOUT YOU MAY BE USED AND 
DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW 
IT CAREFULLY. 


Understanding Your Health Record/Information 

The Division of Developmental Disabilities Services provides services and supports to individuals with mental retardation and other related developmental disabilities. Once you become eligible for services and supports, a record of the service provided to you is made. Typically, this record contains examination and test results, evaluations, diagnoses, and the level of your disability, treatment, and a plan for future care or treatment. This information, often referred to as your health or medical record, 
serves as a: 

• basis for planning your care and treatment 
• means of communication among the many health professionals who contribute to your care 
• legal document describing the care and service you received 
• means by which you or a third party payer can verify that services billed were actually 
  provided 
• a tool in educating heath professionals; 
• a source of data for medical research; 
• a source of information for public health officials charged with improving the health of 
  the nation;
• a source of data for facility planning and 
• a tool with which we can assess and continually work to improve the care we render and the 
  outcomes we achieve.


Understanding what is in your record and how your health information is used helps you to: 

• ensure its accuracy 
• better understand who, what, when, where and why others may access your health information 
• make more informed decisions when authorizing disclosure to others. 




Your Health Information Rights: 

Although your health record is the physical property of the Division of Developmental Disabilities 
Services, the information belongs to you. You have the right to: 

• request a restriction on certain uses and disclosures of your information as provided by     
  45 CFR §164.522 
• obtain a paper copy of the notice of information practices upon request 
• inspect and copy your health record as provided for in 45 CFR 164.524 
• amend your health record as provided in 45 CFR 164.528 
• obtain an accounting of disclosures of your health information as provided in 45 CFR§ 
  164.528 
• request communications of your health information by alternative means or at alternative 
  locations 
• revoke your authorization to use or disclose health information except to the extent that    
  action has already been taken. 


Our Responsibilities: 

The Division of Developmental Disabilities Services is required to: 

• maintain the privacy of your health information 
• provide you with a notice as to our legal duties and privacy practices with respect to 
  information we collect and maintain about you 
• abide by the terms of this notice 
• notify you if we are unable to agree to a requested restriction 
• accommodate reasonable requests you may have to communicate health information by 
  alternative means or at alternative locations.


We reserve the right to change our practices and to make the new provisions effective for all protected health information we maintain. Should our information practices change, we will mail a revised notice to the address you've supplied us. 

We will not use or disclose your health information without your authorization, except as described in this notice. 

For More Information or to Report a Problem 

If you have questions and would like additional information, you may contact Adele Mears 
Wemlinger, Privacy Officer at 302.934.8031 x 203. If you believe your privacy rights have been violated, you can file a complaint with the Adele Mears Wemlinger, Privacy Officer or with the Secretary of Health and Human Services. There will be no retaliation for filing a complaint. 

Examples of Disclosures for Treatment, Payment and Health Operations 
We will use your health information for treatment. For example: Information obtained by a nurse, physician, case manager, behavior analyst, social worker or other member of your healthcare team will 



be recorded in your record and used to determine the course of treatment and service that should work best for you. Your TEAM will document in your record the expectations and plans of your care as well as actions they took and their observations. In that way the TEAM will know how you are responding to service and treatment. 

We will also provide your physician, contractual or subsequent healthcare provider with copies of various reports that should assist him/her in treating you or providing services. 

We will use your health information for payment. For example: In order to receive reimbursement, billing information will be sent to a third party payer. The information on or accompanying the bill may include information that identifies you, as well as your diagnosis, type of services you receive, care rendered, personal financial information, procedures and supplies used. 

We will use your health information for regular health operations. For example, but not limited to: Members of the medical and nursing staff, quality assurance department, social service, psychology or therapy staff or contractors, Human Rights Committee, PEER Review of Behavior Management, financial unit, budget office, day programming, case management, direct care staff, or members of your TEAM may use information in your health record to assess the care and outcomes in your case and others like it. This information will then be used in an effort to continually improve the quality and effectiveness of the healthcare and service we provide. 

Other Uses or Disclosures 

Business Associates: There are some services provided in our organization through contacts with business associates. Examples include physician services, family support specialists, contractual provider agencies, therapy services and day programs. When these services are contracted, we may disclose your health information to our business associate so that they can perform the job we've asked them to do and bill you or your third party payer for services rendered. So that your health information is protected, however, we require the business associate to appropriately safeguard your information. 

Clergy: Unless you notify us that you object, we will use your name, location within the Division, general condition, and religious affiliation for clergy purposes. This information may be provided to members of the clergy. 

Notification: We may use or disclose information to notify or assist in notifying a family member, personal representative, or another person responsible for your care, your location, and general condition. 

Communication with Family: Health professionals, using their best judgment, may disclose to a family member, other relative, substitute decision maker or any other person you identify, health information relevant to that person's involvement in your care or payment related to your care. 

Research: We may disclose information to researchers when their research has been approved by DHSS Human Subjects Review Board that has reviewed the research proposal and established 
protocols to ensure the privacy of your health information. 

Funeral Directors: We may disclose health information to funeral directors consistent with applicable 
law to carry out their duties. 

Social Security Administration (SSA): We may disclose to the SSA health information relative to any disability or diagnosis that may determine you eligible for services. 
Workers Compensation: We may disclose health information to the extent authorized by and to the extent necessary to comply with laws relating to workers compensation or other similar programs established by law. 

Public Health: As required by law, we may disclose your health information to public health or legal authorities charged with preventing or controlling disease, injury or disability. 

Correctional Institution: Should you be an inmate of a correctional institution, we may disclose to the institution or agents thereof, health information necessary for your health, and the health and safety of other individuals. 

Law Enforcement: We may disclose health information for law enforcement purposes as required by law, or in response to a valid subpoena. 

Federal law makes provision for your health information to be released to an appropriate health oversight agency, public health authority or attorney, provided that a workforce member or business associate believes in good faith that we have engaged in unlawful conduct or have otherwise violated professional or clinical standards and are potentially endangering one or more patients, workers or the public. 

My signature below indicates that I have been provided with a copy of the notice of privacy practices. 

 

________________________________________________ 		___________________

Signature of Consumer or Substitute Decision Maker 		Date 



 

If signed by legal representative, relationship to 

client________________________________ 

Effective Date: April 14, 2003 

Distribution: Original to Health Information Management Dept; copy to consumer 

_________________________________________________ 



 

 

 

 

 

Form Created: April 14, 2003 



													EXHIBIT C 

 

 

 
TO: 

FROM: 

DATE: 

SUBJECT: Denial of Request for Protected Health Information (PHI) Accounting 

 

The request to account for the disclosure of PHI information for ___________________ will not be honored. The denial is based on the following reason(s): 


____ DDDS is not authorized to release the requested information according to 45 CFR ,
     Section 164.528 (a) (1) (i-ix).

____ Your right to receive an accounting of disclosures to a health oversight agency or law 
     enforcement official is temporarily suspended in accordance to 45 CFR, Section      
     164.512(d) or (f) respectively. 

____ Other (please specify): _____________________________________________________ 

__________________________________________________________________________________ 

__________________________________________________________________________________ 

 

If you disagree with this decision, you have the right to file a complaint with Adele Wemlinger, the DDDS Privacy/Complaints Officer. Her address is on the enclosed complaint form. 

 

 

 

 

 

 

 
PARC Reviewed: 01/10/06 

Form #: 36/Admin