Disclosures (Baccalaureate)
Student instructions
1. If you have questions about this activity, please contact your instructor for assistance.
2. You will review the chart of Emily Carey to complete this activity. Your instructor has
provided you with a link to the ROI and Accounting of Disclosures (BS) activity. Click on
2: Launch EHR to review the patient chart and begin this activity.
3. Refer to the patient chart and any suggested resources to complete this activity.
4. Document your answers directly on this activity document as you complete the activity.
When you are finished, you will save this activity document to your device and upload
this activity document with your answers to your Learning Management System (LMS).
The activity
Release of protected health information (PHI)
Release of information (ROI) refers to the divulgence of an individual’s health information by an
entity, such as a hospital or doctor’s office, to a person or organization outside of that entity.
Release of information is covered by the Health Insurance Portability and Accountability Act
(HIPAA). (“HIPAA for Professionals”, n.d.).
The HIPAA Security Rule outlines the safeguards organizations must put in place to secure
consumers’ protected health information (PHI). The Rule aims to be flexible to allow
organizations to adapt to new technologies regardless of their size and structure while still
protecting the privacy of consumers’ health information. (“Summary of the HIPAA Security
Rule”, n.d.).
When the Rule refers to “covered entities”, it’s referring to health plans, health care providers
who conduct transactions electronically and health care clearinghouses. (“HIPAA for
Professionals”, n.d.).
Covered entities must create safeguards to protect patient PHI and ensure they do not
improperly disclose. They must also place reasonable limits on the use and disclosure of PHI so
that only the minimum necessary information to accomplish their purpose is disclosed. In
EHR Go Knowledge Activity: ROI and Accounting of Disclosures (Baccalaureate) HBK1016.2 1
Archetype Innovations LLC ©2021
, addition, covered entities must create policies and procedures that limit who can access patient
PHI, as well as provide training to their employees on safeguarding PHI. (“Summary of the
HIPAA Security Rule”, n.d.).
Authorized Uses and Disclosures of PHI
Authorization: A covered entity may require the patient’s written authorization to release the
patient’s PHI. The authorization must be in plain language and include specific information
about the information to be disclosed, the person(s) or entity receiving and disclosing the
information, and an expiration date. (“Individuals’ Right under HIPAA”, n.d.).
Verification: A covered entity must take reasonable steps to verify the identity of an individual
requesting access to PHI under the Privacy Rule. The Rule does not require any specific form of
verification (e.g. a copy of a driver’s license or state identification card). Rather, the Rule leaves
the type and manner of verification to the covered entity’s discretion and judgment. However,
the verification must not “create barriers to or unreasonably delay the individual from
obtaining access to his or her PHI”. (“Individuals’ Right under HIPAA”, n.d.).
The right to an accounting of disclosures
The HIPAA Privacy Rule provides that an individual has a right to receive an accounting of
disclosures of that individual’s protected health information made by a covered entity, or its
business associate, in the six years prior to the date on which the accounting is requested, with
some exceptions, as outlined below. (“Right to an Accounting of Disclosures”, n.d.).
What PHI disclosures must be included in the accounting?
All PHI disclosures must be included in the accounting, with these exceptions:
Disclosures made prior to April 14, 2003 or prior to the entity’s date of
compliance with the privacy standards.
Disclosures to law enforcement or correctional institutions as provided in state
law.
Disclosures for facility directories.
Disclosures to the individual patient.
Disclosures for national security or intelligence purposes.
Disclosures to people involved in the patient’s care.
EHR Go Knowledge Activity: ROI and Accounting of Disclosures (Baccalaureate) HBK1016.2 2
Archetype Innovations LLC ©2021