HIPAA Policy Section 4.14: Documentation of Disclosures

Document Information

The HIPAA Privacy Standards require documentation to enable System to respond adequately to an Individual’s request for an accounting of disclosures. Any Disclosure of PHI by System that requires documentation shall be documented in the individual’s designated record set by use of the form Disclosure Log in the Appendix to this Manual. The Documentation must include: (i) the date of the Disclosure; (ii) the name and, if known, address of the person who receives the PHI; (iii) a brief description of the PHI Disclosed; (iv) a brief statement of the basis of the Disclosure; (v) if the Disclosure is done pursuant to a written request, that written request; and (vi) a copy of, or a reference to, any other documents considered by the Privacy Officer in approving the request; all of which shall be maintained as required by Section 9.2 of this Manual. The following chart lists the documentation requirements for the categories of disclosures contained in this Policy:

Category of Disclosure Documentation
Disclosure to the Individual No
Disclosure to a Personal Representative Yes
Secretary Inspection Yes
Under an Authorization No
Payment No
Health Care Operations No
Another Covered Entity No
Required by Law Yes
Judicial or Administrative Proceedings Yes
Public Health Activities Yes
Limited Data Set No
Notification Disclosures No
Imminent Threat to Health or Safety Yes
Health Oversight Activities Yes
Workers’ Compensation Yes
Law Enforcement Purposes Yes
Coroners and Medical Examiners Yes
Funeral Directors Yes
Required by Military Authority Yes
National Security Activities No
Incidental Disclosures No

Any other Disclosure, whether intentional
or unintentional, including a Breach



45 CFR §§ 164.502(b), 164.514(d)(3)(i) and 164.530(j)