I'm relatively new in post as a corporate compliance and privacy manager for a managed care organization so I hope that qualifies what may sound like an easy question for those who are more experienced!
When you're audited, for example by CMS, and your organization provides the auditor with member / client / patient records (containing PHI, of course), do you log these disclosures on you organization's accounting of disclosures log?
Looking at 164.528 suggests, I'm assuming a CMS type auditor would fall squarely within 'health oversight agency'....and any patient / member records shared with them would need to be documented in the accounting of disclosures log. So if I had to answer my own question, I'd say 'yes.' Anyone else have a different answer?
What if there are hundreds or thousands of names involved? How you ensure all names are included on the log??
Any thoughts, especially from colleagues in managed care, would be gratefully received!