Q. During a recent webinar, a presenter indicated disclosure of PHI to business associates needed to be included in the disclosure accounting log. Aren’t disclosures of PHI to business associates considered disclosures for healthcare operations purposes?
A. The disclosure of PHI to a business associate does not need to be included in the disclosure accounting log as long as the disclosure is related to treatment, payment, and healthcare operations. Disclosures of PHI to a business associate are not necessarily classified as disclosures only for healthcare operations. As an example, if a health plan discloses PHI to a third-party administrator, the disclosure would likely be for payment purposes. However, a valid business associate contract or other written arrangement (government entities) needs to be executed before any PHI is disclosed to business associates.
Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question, which first appeared in the April Briefings on HIPAA. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.