45 CFR 164.528 Explained: HIPAA Accounting of Disclosures — Requirements, Exceptions, and Patient Rights
Right to Accounting of Disclosures
Under 45 CFR 164.528, you have the right to receive an accounting of certain disclosures of your Protected Health Information (PHI). This accounting captures releases of PHI made by a Covered Entity to parties outside the organization, including disclosures carried out by its Business Associates on the Covered Entity’s behalf.
The accounting can cover any period you specify, up to six years preceding your request. It focuses on “disclosures” (sharing PHI outside the entity) rather than internal “uses.” You or your authorized personal representative may submit the request; the entity may ask you to submit it in writing and to narrow the timeframe so the request can be fulfilled faster.
Who must provide the accounting
Covered Entities—health care providers that conduct standard transactions electronically, health plans, and health care clearinghouses—must provide the accounting. Business Associates are contractually required to supply the details the Covered Entity needs to complete it.
Exceptions to Accounting Requirement
HIPAA excludes several categories of disclosures from the accounting. These do not need to be listed:
- Disclosures for treatment, payment, and health care operations.
- Disclosures made to you (the individual) about your own PHI.
- Disclosures made pursuant to your valid HIPAA authorization.
- Facility directory disclosures and disclosures to persons involved in your care or payment for care.
- National security or intelligence activities.
- Disclosures to a correctional institution or law enforcement official having lawful custody of an inmate or individual.
- Disclosures that are part of a Limited Data Set made under a Data Use Agreement.
- Incidental Disclosures that occur as a byproduct of an otherwise permitted use or disclosure, provided safeguards and the minimum necessary standard are in place.
- Disclosures that occurred before the entity’s HIPAA compliance date.
Notable inclusions
Most other permitted or required disclosures must appear in the accounting. Common examples include disclosures to public health authorities, Health Oversight Agencies (for audits, inspections, or investigations), certain law enforcement disclosures (outside custodial situations), judicial or administrative proceedings, and research disclosures made without patient authorization under an Institutional Review Board or privacy board waiver.
Content of the Accounting
Each entry in the accounting must clearly explain what was disclosed and why. For each disclosure, the Covered Entity must include:
- The date of the disclosure.
- The name of the recipient and, if known, their address.
- A brief description of the PHI disclosed.
- A brief statement of the purpose of the disclosure or a copy of a written request that prompted it.
Multiple disclosures to the same recipient
If repeated disclosures were made to the same recipient for a single purpose, the accounting may list the first disclosure with the frequency, periodicity, or number of disclosures and the date of the last disclosure in the period.
Research involving 50 or more individuals
For research disclosures without patient authorization that involve the PHI of 50 or more individuals, the accounting may provide a summary that includes: the research protocol or activity name, a general description of the research, the type of PHI disclosed, the dates or period of disclosures, and the names and contact information of the sponsor and principal investigator. Upon request, the entity must help you contact the researcher or sponsor.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Temporary Suspension of Accounting Rights
A Health Oversight Agency or a law enforcement official may ask the Covered Entity to temporarily suspend your right to receive an accounting if providing it would impede their lawful activity. The request can be:
- Written, specifying the time for the suspension; or
- Oral, which the entity must document (including the requester’s identity) and honor for no longer than 30 days unless replaced by a written request within that period.
When the suspension expires or is lifted, your right to receive the accounting resumes.
Response Time for Accounting Requests
The Covered Entity must act on your request within 60 days. If it cannot provide the accounting within that period, it may take one 30‑day extension by sending you a written notice that explains the reason for the delay and states a new completion date.
Covered Entities remain responsible for the deadline even when Business Associates hold relevant logs. They must coordinate with those partners to compile a complete accounting for the period you requested (up to six years).
Fees for Accounting Requests
You are entitled to one accounting at no charge in any 12‑month period. For additional requests in the same 12 months, the entity may charge a reasonable, cost‑based fee for labor and supplies used to compile and deliver the accounting. Before charging, the entity must inform you of the fee and give you the opportunity to withdraw or modify your request to reduce the cost.
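As an added illustration (not code from the original article or from any compliance product), the Python sketch below applies the rules discussed above: the per-entry fields from the "Content of the Accounting" section, the aggregation of repeated disclosures to one recipient for a single purpose, the six-year window, the 60-day deadline with one 30-day extension, and the one-free-accounting-per-12-months fee rule. The disclosure log, the exemption category names and the compliance date are constructed placeholders, not values from the regulation.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Disclosure categories that 45 CFR 164.528(a)(1) leaves out of the accounting (names are ours)
EXEMPT = {"treatment", "payment", "operations", "to_individual", "authorization", "directory",
          "involved_in_care", "national_security", "correctional", "limited_data_set", "incidental"}

@dataclass(frozen=True)
class Disclosure:
    when: date
    recipient: str
    address: str      # "" when the recipient's address is not known
    description: str  # brief description of the PHI disclosed
    purpose: str      # brief statement of purpose (or a reference to the written request)
    category: str     # an EXEMPT value, or "other" for a disclosure that must be accounted for

def years_before(d, n):  # calendar arithmetic; a Feb 29 start date maps to Feb 28
    return d.replace(year=d.year - n, day=28 if (d.month, d.day) == (2, 29) else d.day)

def build_accounting(log, request_date, compliance_date, period_start=None):
    # Entries for accountable disclosures in the requested period, capped at six years
    earliest = max(years_before(request_date, 6), compliance_date)
    start = max(period_start, earliest) if period_start else earliest
    groups = {}  # (recipient, purpose) -> entry; a dict keeps first-seen order
    for d in sorted(log, key=lambda x: x.when):
        if d.category in EXEMPT or not (start <= d.when <= request_date):
            continue
        entry = groups.get((d.recipient, d.purpose))
        if entry is None:  # first disclosure to this recipient for this purpose
            groups[(d.recipient, d.purpose)] = {
                "date": d.when, "recipient": d.recipient, "address": d.address or "unknown",
                "description": d.description, "purpose": d.purpose, "count": 1, "last_date": d.when}
        else:              # repeat disclosure: keep the first date, bump the count and last date
            entry["count"] += 1
            entry["last_date"] = d.when
    return list(groups.values())

def response_deadlines(request_date):  # 60 days, plus at most one written 30-day extension
    due = request_date + timedelta(days=60)
    return due, due + timedelta(days=30)

def fee_may_be_charged(prior_accounting_dates, request_date):  # first one in any 12 months is free
    return any(years_before(request_date, 1) < p <= request_date for p in prior_accounting_dates)

# Constructed sample data (not real); the compliance date is a placeholder, not the real one
REQUEST_DATE, COMPLIANCE_DATE = date(2024, 3, 1), date(2010, 1, 1)
SAMPLE_LOG = [
    Disclosure(date(2023, 6, 5), "State Health Dept", "", "immunization record", "public health reporting", "other"),
    Disclosure(date(2023, 12, 5), "State Health Dept", "", "immunization record", "public health reporting", "other"),
    Disclosure(date(2023, 7, 1), "Referral specialist", "", "referral notes", "treatment", "treatment"),
    Disclosure(date(2017, 1, 10), "County Court", "1 Main St", "visit summary", "subpoena", "other"),
]
```

Running `build_accounting(SAMPLE_LOG, REQUEST_DATE, COMPLIANCE_DATE)` yields a single entry: the two public health disclosures collapse into one line dated 2023-06-05 with a count of 2 and a last date of 2023-12-05, while the treatment disclosure is exempt and the 2017 subpoena falls outside the six-year window.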
Documentation of Disclosures
Covered Entities must maintain documentation sufficient to produce an accurate accounting for six years. At a minimum, they must retain: (1) the information required for each disclosable event, (2) copies of accountings provided to individuals, and (3) the titles of the persons or offices responsible for processing accounting requests.
Business Associates are obligated by their agreements to log disclosure details and furnish them to the Covered Entity. For Limited Data Sets, the entity should retain the underlying Data Use Agreements even though those specific disclosures are excluded from the accounting. Incidental Disclosures are not tracked, but the policies, safeguards, and minimum necessary practices should be documented so the entity can show that such events are truly incidental.
In practice, clear policies, reliable logging, and timely coordination with Business Associates make it straightforward to honor patient rights under 45 CFR 164.528 while demonstrating compliance when regulators or Health Oversight Agencies review your program.