0130.005.10.30 Accounting for Disclosures of Protected Health Information

IM-55 June 2, 2023

Accounting for Disclosures: Staff must account for all disclosures of Protected Health Information (PHI) upon the participant’s request unless exempted below. The participant may request an accounting of disclosures made by Family Support Division (FSD) six years before the date the participant requests the accounting. Staff are not required to account for disclosures that occurred before April 14, 2003. This includes paper copies, faxes, electronic transmissions, and verbal releases. However, no tracking or accounting is required for the following exceptions:
1. Disclosures made for treatment, payment, and healthcare operation purposes. This covers our use and disclosure of PHI for MO HealthNet (MHN) purposes. For example, staff disclose the individual’s MHN number to a health care provider, staff sends the vendor nursing facility a copy of the approval notice, or is working with the MO HealthNet Division to coordinate MHN eligibility. These disclosures are part of the MHN eligibility process.
2. Disclosures made to the participant.
3. Disclosures made for national security.
4. Disclosures made prior to April 14, 2003.
5. Disclosures authorized by the participant.
6. Disclosures to correctional institutions and other law enforcement custodial situations. These would involve cases in which the organization has lawful custody of the person, and the information is needed for health, safety or security.
7. Incidental disclosures e.g., another participant overhears a confidential conversation between staff and the participant, or the other participant might have glimpsed a computer screen.
8. Disclosures for protective services for the President.
9. Disclosures made to individuals involved in the participant’s care. Refer to 0130.005.10.40 Who May Exercise Privacy Rights and Personal Representatives, number 4, Other Individuals.
Disclosure Tracking Examples: These are some examples of disclosures that must be accounted for and documented on the Department of Social Services (DSS) Disclosure Tracking Log:
- To public health authorities
- About a decedent to medical examiners and funeral directors
- In response to a court order
- To health oversight agencies for audits, civil or criminal investigations, or inspections e.g., state auditor reviews a client’s file that includes PHI
- Unlawful and unauthorized disclosures staff know about
- In response to a subpoena or discovery request
- Staff share PHI with an agency to arrange for training or services for a Temporary Assistance participant. In this example, no tracking would be required if the participant gives their written authorization for the disclosure.
Recording Disclosures: Use the DSS tracking disclosure screen to record all disclosures unless excluded under “Accounting for Disclosures” above (number 1, a through i). Access this screen by going to the DSS Intranet. Staff MUST update this screen upon the disclosure. The screen captures information about what was disclosed, who received the PHI, the authority of the person to receive the PHI, the purpose of request, a brief description of the PHI released and other information. Print a copy of the updated screen, and file it next to the Change of Status Summary form. Keep the printout and disclosed information for six years from the date of the disclosure.
Participant Requests Accounting: Participants use the DSS Request for an Accounting of Protected Health Information Disclosures (MO 886-4453) or MO 866-4453S (Spanish Version) to request an accounting. Upon receipt of this form, immediately send it to the DSS Privacy officer. If staff have other information that may be helpful to the Privacy Officer, include it with the disclosed PHI.
Privacy Officer Decision: The privacy officer must provide an accounting no later than 60 days after the request. The deadline can be extended up to 30 days. The first accounting is without charge to the individual in any 12-month period.