Resources

Protected Health Information

Accounting of disclosures

OHSU is required to keep a history of when and to whom protected health information (PHI) is disclosed if the disclosure occurs outside the scope of treatment, payment and health care operations, and is not made as a result of a signed authorization from the patient. Examples of disclosures that may be included in the accounting requirement are public health activities (reporting immunizations, birth and death certificates, cancer/tumor registries, pregnancy terminations), reports about victims of abuse, neglect, or domestic violence, information used for organ or tissue donation and transplantation, disclosures about decedents to coroners, medical examiners, or funeral directors, and other disclosures required by law. For each disclosure the following shall be recorded: the date of the disclosure; the name and, if known, the address of the recipient of the health information; the type of health information disclosed; and the purpose of the disclosure.

An individual has a right to receive an accounting of disclosures of PHI made by OHSU beginning April 14, 2003. Patients are entitled to one free accounting within a 12-month period.

OHSU disclosures that are subject to the accounting requirement shall be recorded in the Accounting of Disclosures System (ADS).

Resources

PHI repository

All non-Epic systems for storing protected health information (PHI) need to be entered into this registry; you'll also want to use the repository to note if you've deleted or modified an already-entered system. Your department's data steward is responsible for entering your system.

Privacy glossary

PHI is de-identified when 18 types of information that can be used to identify someone are removed, e.g. name, date of birth, address, social security number, phone number, date of service.

See full list of Patient Identifiers.

Download the privacy glossary