Should covered entities keep records of disclosures of PHI?

Covered entities are mandated by the HIPAA Privacy Rule to maintain a record of certain disclosures of Protected Health Information (PHI) for a period of six years. This requirement is in place to ensure accountability and transparency regarding PHI access and use beyond treatment, payment, and healthcare operations.

The disclosures that must be documented include those made outside of the regular course of treatment and payment, such as disclosures made for public health purposes, law enforcement, or regulatory requirements. Keeping these records allows individuals to be informed about how their PHI is being shared and enables oversight by the covered entities to ensure compliance with HIPAA regulations.

This six-year retention period is critical as it aligns with the rights of individuals to access information about their health data and how it has been utilized or revealed, fostering trust in healthcare operations and privacy protections.