Privacy Officer's Roundtable

Inappropriate Access and the AOD

  • 1.  Inappropriate Access and the AOD

    Posted 12-06-2019 10:02 AM
    Hi all, I know this has been discussed before but I wanted to bring it up again for additional thoughts. I searched through old posts and had some good conversations with folks but would love additional thoughts.


    "When there is an inappropriate access to the EHR and the information is not disclosed outside the organization do you log into your AOD? why or why not?"

    Erin Jack
    Privacy & Data Ethics Official
    Highmark Health

    2020 SCCE Membership

  • 2.  RE: Inappropriate Access and the AOD

    Posted 12-06-2019 10:36 AM

    Although not in Privacy, I'll give this one a shot as I seem to remember some of the posts I've read here.


    Since the information wasn't disclosed outside of  the organization, I wouldn't think it would need to go on the Accounting of Disclosures.  I believe this list is for information that is disclosed outside of the organization.


    Curious to see other responses.





    Brenda Tuohey, CHC

    Sr. Compliance Specialist

    Health Services Compliance



    ##################################### For more than 80 years, Health First has been committed to improving the wellness and health of Brevard County. To learn how Health First gives back to our community, visit This message is for the named person's use only. It may contain private, proprietary, or legally privileged information. No privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Health First reserves the right to monitor all e-mail communications through its networks. Any views or opinions expressed in this message are solely those of the individual sender, except (1) where the message states such views or opinions are on behalf of a particular entity; and (2) the sender is authorized by the entity to give such views or opinions. #####################################

    2020 SCCE Membership

  • 3.  RE: Inappropriate Access and the AOD

    Posted 12-06-2019 10:39 AM
    ​Hi Erin, An Accounting of "Disclosures" is exactly that. Disclosure, as you rightly say, is when the information goes outside of your program, facility etc.. internal acquisition or use is not the same as disclosure, under HIPAA. We know this because of the definitions in HIPAA and the fact that HSS have been reluctant to include an "Accounting of Access', in recent amendments to the regulations. look forward to hearing other opinions as always

    David Rothery, CHC
    Compliance Officer
    Marin County, CA

    These are my personal opinions and not those of the County of Marin

    2020 SCCE Membership

  • 4.  RE: Inappropriate Access and the AOD

    Posted 12-06-2019 10:51 AM


    I agree with David!



    ******************************************* This message and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

    2020 SCCE Membership

  • 5.  RE: Inappropriate Access and the AOD

    Posted 12-06-2019 12:19 PM
    I'd say the Accounting of Disclosures is only for disclosures and other impermissibles would not need to go on the AoD.

    David Garrison
    Compliance/Privacy Officer

    2020 SCCE Membership

  • 6.  RE: Inappropriate Access and the AOD

    Posted 12-07-2019 08:19 AM
    The Privacy Rule uses the terms "use" and "disclosure." I would characterize that as an impermissible use. If the information wasn't disclosed then, no, it doesn't need to be addressed in your AOD's.

    Brenda Manning J.D., C.H.C., C.H.P.C.
    Compliance Director, Privacy
    Carilion Administrative Services Building, Ste. 1201
    213 S. Jefferson Street
    Roanoke, VA 24011
    (540) 224-5757
    Fax: (540) 510-224-5787
    Integrity Help Line Compliance: (844) 732-6232

    Our Mission: Improve the health of the communities we serve.

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.

    2020 SCCE Membership

  • 7.  RE: Inappropriate Access and the AOD

    Posted 12-09-2019 07:08 AM
    I concur with the others​. AoD is for disclosures OUTSIDE the organization.

    Good Question and a nice refresher!

    Dr. Randy Lewis, LMFT, CHPC
    HIPAA Privacy Officer
    Orange County Government
    Orlando, FL

    2020 SCCE Membership

  • 8.  RE: Inappropriate Access and the AOD

    Posted 12-10-2019 11:00 AM
    For me this is one of those it depends answers. If the employee that accessed the information did so in more of an "oops" way--clicked on the wrong record, same name different DOB, etc. Then I would not add to the AoD.
    If; however, the employee accessed the record out of curiosity or malice, I would consider adding to the AoD. It would depend on the employee interview and my impression of the employee's honesty. I have had employees sign that they have not shared the information outside the company, only to find out they did.
    Also, I have found employees have shared the information with a co-worker that is related to the patient but not involved in the care. The information did not leave the organization but was shared with someone that either the patient did not wish for the information to be shared with or that should not have known.

    Deborah Dabbs MBA, CHC, CHPC, CHRC, MT(ASCP)SM
    Compliance and Privacy Officer
    Seminole Hospital District

    2020 SCCE Membership

  • 9.  RE: Inappropriate Access and the AOD

    Posted 12-09-2019 05:40 PM
    45 CFR @ 160.103 Definitions.
    Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.

    It's got to go outside to be a disclosure.

    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho

    Anything I say is my sole opinion and not of my company.

    2020 SCCE Membership

  • 10.  RE: Inappropriate Access and the AOD

    Posted 12-09-2019 09:12 PM
    My understanding has always been disclosure = outside the organization.  Thus, no accounting needed.

    Marie Wagner, CHC, CHRC
    Operations Manager, Corporate Compliance
    The Queen's Health Systems
    Honolulu, HI

    2020 SCCE Membership