5.5 Disclosure Documentation and Audit Trails

Key Takeaways

  • A disclosure is defensible only when the organization can later show what was requested, verified, released, to whom, when, by whom, and why.
  • The HIPAA accounting of disclosures (45 CFR 164.528) gives patients the right to a 6-year list of certain non-TPO disclosures; TPO and authorized disclosures are excluded from the accounting.
  • Audit trails should be actively reviewed for exceptions — break-glass use, VIP/employee/family access, after-hours activity, mass exports — not merely stored as unused system logs.
  • RHIA candidates connect documentation quality to governance action: retraining, workflow redesign, vendor oversight, and policy revision when patterns appear.
Last updated: June 2026

Make Every Disclosure Reconstructable

Access and disclosure decisions matter most after the fact: a patient asks who received records, a payer disputes a packet, a regulator audits the process, the Privacy Officer investigates a wrong-recipient fax. In each case the organization needs evidence to reconstruct exactly what happened. The RHIA-level answer is not 'tell staff to be careful' — it is to design a record of the decision that can be audited.

Disclosure documentation must connect the request, authority, scope, release-package inventory, recipient, delivery method, staff action, and final status. Miss any piece and the organization may be unable to prove the disclosure matched the request.

| Documentation item | Compliance value | Management use |
|---|---|---|
| Original request or portal event | Shows starting point and direction | Identifies common intake defects |
| Identity/authority verification | Supports why the requestor qualified | Reveals training or form gaps |
| Scope and exclusions | Shows what was sent or withheld | Supports over-disclosure monitoring |
| Release-package inventory | Confirms documents, dates, data sent | Helps investigate complaints/payer disputes |
| Recipient and delivery evidence | Shows where/how info moved | Supports wrong-recipient prevention |
| Disposition notes | Explains release, denial, partial, escalation | Shows consistent policy application |

Accounting of Disclosures

The HIPAA accounting of disclosures right at 45 CFR 164.528 lets an individual request a list of certain disclosures made in the prior six years. The accounting must include the date, recipient, description of PHI, and purpose. Crucially, it excludes disclosures for treatment, payment, and operations (TPO), disclosures the individual authorized, and disclosures to the individual. So a disclosure to a public health authority (mandatory reporting) is accountable, while a TPO disclosure to a payer is not. The first accounting in any 12-month period must be free.
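The inclusion and exclusion rules above are mechanical enough to script against a release log. The following is an added example written for this page, not code from any EHR or ROI vendor: it assumes a release log in which each disclosure was tagged with a purpose category at release time (the category labels such as "public_health" and "law_enforcement" are this example's own), applies the 164.528 exclusions and the six-year lookback, and checks whether the request falls in a 12-month period with no prior accounting and so must be free.

```python
from dataclasses import dataclass
from datetime import date

# Purpose categories that 45 CFR 164.528 excludes from the accounting:
# treatment, payment, health care operations, disclosures the individual
# authorized, and disclosures made to the individual. The labels are this
# example's own convention, not a regulatory code set.
EXCLUDED_PURPOSES = {"treatment", "payment", "operations", "authorized", "to_individual"}
LOOKBACK_YEARS = 6


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str
    phi_description: str
    purpose: str  # hypothetical category captured by ROI staff at release time


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def is_accountable(d: Disclosure, request_date: date) -> bool:
    """True if this disclosure belongs on an accounting requested on request_date."""
    in_window = years_before(request_date, LOOKBACK_YEARS) <= d.disclosed_on <= request_date
    return in_window and d.purpose not in EXCLUDED_PURPOSES


def accounting_of_disclosures(log, patient_id: str, request_iso: str) -> list:
    """Return the four required elements (date, recipient, PHI description, purpose)
    for each accountable disclosure of one patient, oldest first."""
    request_date = date.fromisoformat(request_iso)
    rows = [d for d in log if d.patient_id == patient_id and is_accountable(d, request_date)]
    rows.sort(key=lambda d: d.disclosed_on)
    return [
        {"date": d.disclosed_on.isoformat(), "recipient": d.recipient,
         "phi": d.phi_description, "purpose": d.purpose}
        for d in rows
    ]


def accounting_is_free(prior_request_isos, request_iso: str) -> bool:
    """The first accounting in any 12-month period must be provided at no charge."""
    request_date = date.fromisoformat(request_iso)
    window_start = years_before(request_date, 1)
    return not any(window_start < date.fromisoformat(p) <= request_date for p in prior_request_isos)


# Constructed sample release log; patients, dates and recipients are invented.
SAMPLE_LOG = [
    Disclosure("P001", date(2025, 3, 10), "State health department", "Reportable lab result", "public_health"),
    Disclosure("P001", date(2024, 11, 2), "Acme Health Plan", "Claim attachment", "payment"),
    Disclosure("P001", date(2018, 1, 15), "County court", "Records per court order", "court_order"),
    Disclosure("P001", date(2025, 7, 20), "Patient (portal download)", "Visit summary", "to_individual"),
    Disclosure("P001", date(2025, 9, 1), "Patient's attorney", "Full record, signed authorization", "authorized"),
    Disclosure("P002", date(2025, 5, 5), "State health department", "Immunization record", "public_health"),
    Disclosure("P001", date(2021, 2, 3), "Police department", "Admission date and time", "law_enforcement"),
]

if __name__ == "__main__":
    for row in accounting_of_disclosures(SAMPLE_LOG, "P001", "2026-06-01"):
        print(row)
    print("free of charge:", accounting_is_free(["2025-01-10"], "2026-06-01"))
```

Run against the constructed log, a request dated 2026-06-01 for P001 yields two rows: the 2021 law-enforcement disclosure and the 2025 public-health report. The payment, authorized and to-the-individual disclosures are excluded by purpose, the 2018 court-order disclosure falls outside the six-year window, and P002's disclosure belongs to another patient. The point for the manager is that the accounting can only be produced if the purpose category was captured correctly at release time, which is why the disposition note in the documentation table matters.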

Audit Trails for Internal and External Access

The electronic health record (EHR) should log who opened a chart, what section was viewed, when, whether a break-glass override was used, and whether data was exported. HIE systems log queries, responses, organizations, users, and patient-matching events. Logs are worthless if no one reviews exceptions. A strong program defines what normal access looks like and what triggers review:

  • Employee access to a family member, VIP, or co-worker's record.
  • Repeated failed access attempts or access outside assigned work queues.
  • High-volume printing or mass export.
  • Unusual after-hours activity.
  • HIE queries with weak patient-match evidence.
  • Packages repeatedly returned as undeliverable.
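The triggers above only work if something actually evaluates each access event against them. The following added example, written for this page and not taken from any EHR product, runs a small rule set over a constructed EHR access log: it flags break-glass use with no justification, an employee opening a related person's record, access to a patient outside the user's assigned work queue, after-hours activity, and a mass export. The threshold values, the work-queue and relationship lookups, and the log column names are all assumptions; a real program would pull the reference data from HR and scheduling systems and tune the thresholds by policy.

```python
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Review thresholds: hypothetical policy values chosen for this example.
AFTER_HOURS_START, AFTER_HOURS_END = 20, 6   # 20:00 to 06:00 counts as after hours
MASS_EXPORT_THRESHOLD = 100                   # records in a single export

# Constructed reference data a real program would load from HR and scheduling.
WORK_QUEUE = {"u100": {"p500", "p501"}, "u101": {"p777"}, "u102": {"p600"}, "u103": {"p900"}}
RELATED_PATIENTS = {"u101": {"p123"}}   # employee u101 is a relative of patient p123

# Constructed sample EHR access log; not output from any real system.
SAMPLE_LOG = """timestamp,user_id,patient_id,action,section,break_glass,justification,record_count
2026-04-06T09:15:00,u100,p500,view,notes,N,,1
2026-04-06T02:40:00,u100,p501,view,labs,N,,1
2026-04-06T10:05:00,u101,p777,view,notes,Y,,1
2026-04-06T10:30:00,u102,p600,view,meds,Y,ED trauma activation,1
2026-04-06T14:00:00,u103,p900,export,all,N,,2500
2026-04-06T11:00:00,u101,p123,view,notes,N,,1
"""


def is_after_hours(ts: datetime) -> bool:
    """Weekend, or weekday time outside the configured working window."""
    return ts.weekday() >= 5 or ts.hour >= AFTER_HOURS_START or ts.hour < AFTER_HOURS_END


def review_row(row: dict) -> list:
    """Apply each exception rule to one access event; return the reasons that fired."""
    reasons = []
    user, patient = row["user_id"], row["patient_id"]
    ts = datetime.fromisoformat(row["timestamp"])
    break_glass = row["break_glass"] == "Y"
    if break_glass and not row["justification"].strip():
        reasons.append("break-glass without documented justification")
    if patient in RELATED_PATIENTS.get(user, set()):
        reasons.append("access to a related person's record")
    # Break-glass access is by definition outside the queue; it is judged on its justification.
    if not break_glass and patient not in WORK_QUEUE.get(user, set()):
        reasons.append("patient not in user's assigned work queue")
    if is_after_hours(ts):
        reasons.append("access outside normal hours")
    if row["action"] == "export" and int(row["record_count"]) >= MASS_EXPORT_THRESHOLD:
        reasons.append(f"mass export of {row['record_count']} records")
    return reasons


def review_access_log(text: str) -> list:
    """Return one finding per event that tripped at least one rule, in log order."""
    findings = []
    for row in csv.DictReader(StringIO(text)):
        reasons = review_row(row)
        if reasons:
            findings.append({"timestamp": row["timestamp"], "user_id": row["user_id"],
                             "patient_id": row["patient_id"], "reasons": reasons})
    return findings


def pattern_summary(findings: list) -> Counter:
    """Count how often each rule fires; a rule that fires across many users points
    to a training, configuration or policy problem rather than one individual."""
    return Counter(reason for f in findings for reason in f["reasons"])


if __name__ == "__main__":
    found = review_access_log(SAMPLE_LOG)
    for f in found:
        print(f["timestamp"], f["user_id"], f["patient_id"], "; ".join(f["reasons"]))
    print(pattern_summary(found))
```

On the constructed log the first event (in-queue, daytime) produces no finding; the justified break-glass by u102 is also silent, because the rule asks for a justification rather than forbidding override. The four remaining events each surface a finding, and u101's access to p123 fires two rules at once, which is the kind of event the review questions below expect to be escalated rather than filed. Each finding is itself a record to keep: the audit trail of the review is part of the audit trail.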

Audit Review Questions

  • Is the access or disclosure tied to an assigned work purpose?
  • Was the patient correctly identified before information moved?
  • Did the released scope match the valid request?
  • Was the recipient verified and the route approved?
  • Were exceptions escalated and resolved before closure?
  • Do repeated errors point to training, configuration, vendor performance, or policy ambiguity?

Documentation Drives Breach Response

If the organization cannot identify what was sent, to whom, and whether it was accessed, the Breach Notification Rule risk assessment becomes harder and less precise. The rule presumes an impermissible use or disclosure is a breach unless the entity demonstrates a low probability of compromise using a four-factor assessment: (1) the nature and extent of the PHI involved, including identifiers and likelihood of re-identification; (2) the unauthorized person who used it or received it; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which risk has been mitigated.

Breach Notification Timelines

Memorize the thresholds. Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery. If a breach affects 500 or more individuals, the entity must notify HHS OCR concurrently (within 60 days) and notify prominent media in the affected area. Breaches affecting fewer than 500 individuals are logged and reported to HHS annually, within 60 days after the end of the calendar year. Strong disclosure documentation directly supports a defensible, accurate four-factor analysis and the required notices.
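The two preceding sections describe a calculation and a checklist that can both be encoded. The following added example, written for this page and not from any compliance product, computes the notice deadlines from a discovery date and an affected-individual count using the thresholds stated above, and then checks a disclosure record to see which of the four risk-assessment factors cannot be assessed because the documentation is missing the evidence for it. The field names on the disclosure record (phi_description, identifiers, recipient, access_evidence, mitigation_steps) and the sample records are this example's own assumptions.

```python
from datetime import date, timedelta

NOTICE_DAYS = 60        # "without unreasonable delay and no later than 60 days after discovery"
LARGE_BREACH = 500      # 500 or more individuals: concurrent HHS notice plus media notice


def notification_deadlines(discovery_iso: str, affected_individuals: int) -> dict:
    """Deadlines that follow from the discovery date, as ISO date strings."""
    discovery = date.fromisoformat(discovery_iso)
    individuals_by = discovery + timedelta(days=NOTICE_DAYS)
    large = affected_individuals >= LARGE_BREACH
    if large:
        # HHS is notified concurrently with individuals, and prominent media must be notified.
        hhs_by = individuals_by
    else:
        # Smaller breaches are logged and reported to HHS within 60 days after the
        # end of the calendar year in which they were discovered.
        hhs_by = date(discovery.year, 12, 31) + timedelta(days=NOTICE_DAYS)
    return {
        "individuals_by": individuals_by.isoformat(),
        "hhs_by": hhs_by.isoformat(),
        "media_notice_required": large,
    }


# Which documentation fields each of the four factors depends on (example's own mapping).
FOUR_FACTORS = {
    "nature_and_extent": ("phi_description", "identifiers"),
    "unauthorized_person": ("recipient",),
    "acquired_or_viewed": ("access_evidence",),
    "mitigation": ("mitigation_steps",),
}


def unassessable_factors(record: dict) -> list:
    """Factors that cannot be evaluated because the disclosure record lacks evidence for them.
    Any gap leaves the rule's presumption of breach standing."""
    return [factor for factor, fields in FOUR_FACTORS.items()
            if any(not record.get(field) for field in fields)]


# Constructed sample records for a misdirected fax; all details are invented.
WELL_DOCUMENTED = {
    "phi_description": "discharge summary, 3 pages",
    "identifiers": ["name", "date of birth"],
    "recipient": "neighboring clinic (covered entity), fax confirmation retained",
    "access_evidence": "recipient attested pages were shredded unread",
    "mitigation_steps": "written attestation obtained; fax number corrected in directory",
}
POORLY_DOCUMENTED = {
    "phi_description": "discharge summary",
    "identifiers": ["name"],
    "recipient": "",            # no transmission log or confirmation kept
    "access_evidence": "",      # nobody followed up with the receiving number
    "mitigation_steps": "fax number corrected in directory",
}

if __name__ == "__main__":
    print(notification_deadlines("2026-03-15", 120))
    print(notification_deadlines("2026-03-15", 1200))
    print("gaps:", unassessable_factors(POORLY_DOCUMENTED))
```

For a breach discovered on 2026-03-15 affecting 120 individuals, individual notice is due by 2026-05-14 and the HHS report by 2027-03-01; the same discovery affecting 1,200 individuals moves the HHS deadline to 2026-05-14 and adds the media notice. The poorly documented fax record cannot answer factors (2) and (3), which is exactly the situation the first paragraph of this section warns about: without recipient and access evidence the entity cannot demonstrate low probability of compromise and must proceed as if the disclosure were a breach.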

Reading the Evidence Like a Manager

Retain release logs, transmission status, returned-mail handling, portal activity, and HIE transaction logs per policy and keep them available to compliance. Think like a manager reading the evidence: a single missing field needs correction; a pattern needs retraining or redesign; a vendor that misroutes needs contract oversight; a system that cannot capture required audit data needs configuration change or documented leadership risk acceptance.

A break-glass override that is never justified afterward, an export that no work queue explains, or a fax repeatedly returned to the wrong number are each documented signals that should trigger investigation, not silent filing. The goal is accountability that supports patient trust and gives leadership a factual basis for improvement and for accurate breach decisions.

Retention and Sanction Linkage

Documentation only helps if it survives long enough to be reviewed. HIPAA requires covered entities to retain required policy, authorization, and disclosure-accounting documentation for six years from creation or last effective date (164.530(j)); medical-record retention itself is set by state law and condition-of-participation rules and is often longer (commonly 7-10 years for adults, longer for minors).

When an audit confirms inappropriate access, the trail must feed the sanction policy (164.530(e)): consistent, documented discipline up to termination demonstrates the entity takes safeguards seriously and is itself evidence OCR looks for. An audit program with no consequences is, on the exam, an incomplete program.

Test Your Knowledge

A patient submits a HIPAA accounting of disclosures request. Which disclosure must appear on the accounting?

Test Your Knowledge

Which audit pattern most clearly requires review?

Test Your Knowledge

An ROI audit finds repeated missing recipient-verification notes across many releases. What is the best management response?
