Individuals have a right to receive, upon request, an accounting of disclosures of protected health information made by a covered entity (or its business associate), with certain exceptions. These exceptions, or instances where a covered entity is not required to account for disclosures, include disclosures for treatment, payment, or health care operations and disclosures authorized by the individual. See 45 CFR 164.528 (GPO). Disclosures that are subject to the accounting for disclosures requirement include disclosures made by a covered entity that is not a party to the litigation or proceeding and that are made:
- as required by law (under §§ 164.512(a) and (e)(1)(i));
- for a proceeding before a health oversight agency (under § 164.512(d)); or
- in response to a subpoena, discovery request, or other lawful process (under § 164.512(e)).
Conversely, covered entities need not account for disclosures of protected health information for litigation that are made with the individual’s authorization or, in cases where the covered entity is a party to the litigation, when such disclosures are part of the covered entity’s health care operations.
In many cases, covered entities share protected health information for litigation purposes with a lawyer who is a business associate of the covered entity. These disclosures by a covered entity to its lawyer-business associate are not themselves subject to the accounting. However, if (as described above) the lawyer makes disclosures that are subject to the accounting requirement, the business associate agreement required by the Privacy Rule must provide that the lawyer-business associate must make information about these disclosures available to the covered entity, so that the covered entity can fulfill its obligation to provide an accounting to the individual. Alternatively, the covered entity and the lawyer can agree through the business associate contract that the lawyer will provide the accounting to individuals who request one.