Accounting of Disclosures for Protected Health Information (PHI) Under HIPAA: Requirements and How to Build Your Log
HIPAA gives individuals clear rights to understand how their PHI leaves a covered entity. To meet Privacy Rule compliance, you must maintain accurate disclosure accounting and deliver it on request. This guide explains what must be tracked, what is exempt, and how to build a practical log that stands up to audits.
Accounting of Disclosures Requirement
Covered entities must provide individuals, upon request, an accounting of certain disclosures of PHI made by the entity and its business associates. This accounting focuses on disclosures to external parties; internal uses are not included. Your duty includes PHI held in any record system, whether paper or electronic.
How to build your disclosure log
- Map your disclosure pathways: releases to public health, law enforcement, health oversight, registries, researchers, and others.
- Standardize required fields (see “Required Information in Accounting”) across all systems and forms.
- Centralize capture: configure EHR/ROI tools and require business associates to report disclosures promptly.
- Define workflow triggers: legal requests, subpoenas, public health reporting, and research disclosures start a logging task.
- Assign ownership: designate privacy staff to review entries daily and reconcile against release-of-information queues.
- Audit routinely: sample entries, validate purpose statements, and confirm that exempt events are not logged unnecessarily.
Use vs. disclosure
A “use” occurs within your organization; a “disclosure” releases PHI outside the covered entity. Only disclosures (with limited exceptions) are subject to disclosure accounting.
Exempt Disclosures Under HIPAA
Certain disclosures are exempt from disclosure accounting. Do not log these solely for HIPAA accounting purposes, though you may track them for operational needs.
- Treatment, payment, and health care operations activities.
- Disclosures to the individual who is the subject of the PHI.
- Disclosures made pursuant to a valid written authorization.
- Facility directory and disclosures to persons involved in the individual’s care or for notification purposes.
- National security or intelligence purposes.
- Disclosures to correctional institutions or law enforcement about an inmate or individual in lawful custody, as permitted by HIPAA.
- Incidental disclosures that occur as a byproduct of a permitted use or disclosure, with safeguards in place.
- Limited data set disclosures under a data use agreement.
Required Information in Accounting
Each non‑exempt disclosure entry should be complete and specific. Your log should capture:
- Date of the disclosure.
- Name of the recipient (individual or organization) and, if known, their address.
- Brief description of the PHI disclosed (e.g., “lab results 1/1/2025–3/31/2025”).
- Brief statement of the purpose of the disclosure, or a copy/reference to the written request that prompted it.
Repeat disclosures to the same recipient
If multiple disclosures were made to the same recipient for the same purpose, you may list the first disclosure date, the frequency or number of disclosures, and the date of the last disclosure for the period.
Practical fields to add for privacy rule compliance
- Requester type (public health, law enforcement, health oversight, research, court order).
- Minimum necessary determination and authorization requirements assessment.
- Business associate involved (if any) and reference to the BAA.
- Workforce member who released the PHI and verification method used.
Exceptions to Accounting Requirement
HIPAA provides limited exceptions that alter or temporarily suspend disclosure accounting obligations.
Temporary suspension for investigations
If a health oversight agency or law enforcement official provides a written statement that an accounting to the individual would be reasonably likely to impede the agency's activities, you must exclude disclosures to that agency or official from the accounting for the period the statement specifies. If the statement is made orally, document it (including the identity of the agency or official), suspend the accounting temporarily, and limit that suspension to no more than 30 days from the date of the oral statement unless a written statement arrives within that time. Record the suspension, who requested it, and its end date, so the withheld disclosures can be added back to later accountings once it lapses.
Grouping flexibility
For repeated disclosures to the same recipient for the same purpose, you can provide a grouped accounting as noted above instead of itemizing each event.
Research protocols involving many individuals
For research disclosures made under 45 CFR 164.512(i) (for example, under an IRB or Privacy Board waiver of authorization) that involve 50 or more individuals, you may provide a simplified, protocol-level accounting (see "Tracking Disclosures for Research Purposes") instead of listing each individual disclosure.
Timeframe for Providing Accounting
You must act on an individual's request for an accounting no later than 60 days after receipt. If you cannot meet that deadline, you may take one 30‑day extension, provided you notify the individual in writing within the original 60 days, stating the reason for the delay and the date by which you will provide the accounting.
The accounting covers up to six years preceding the request date (you are not required to include disclosures older than six years). Provide the first accounting to an individual in any 12‑month period at no charge; you may assess a reasonable, cost‑based fee for additional requests in the same 12‑month period, after notifying the individual and offering the chance to withdraw or narrow the request.
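The rules above (the required fields, grouping of repeat disclosures to one recipient, temporary suspensions, the six‑year look‑back and the 60/30‑day response deadline) are easier to get right when the log is a structured record and the accounting is generated from it rather than assembled by hand. The following Python example is added here and is not code from the original article or from any product; the record fields, purpose codes, sample disclosures and agency names are constructed for illustration, and the 50‑subject protocol‑level entry it emits follows the research rule described in the next section.

```python
"""Generate an individual's HIPAA accounting of disclosures from a log.

Added example: a minimal model of 45 CFR 164.528 (six-year look-back,
exempt purposes, grouping of repeat disclosures, protocol-level research
entries, suspensions, response deadline). Field names and purpose codes are
this example's own assumptions, not a standard schema.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Purpose codes exempt from accounting under 164.528(a)(1); map your own
# system's codes onto these (assumed names).
EXEMPT_PURPOSES = frozenset({
    "treatment", "payment", "health_care_operations", "to_individual",
    "authorization", "facility_directory", "involved_in_care",
    "national_security", "correctional", "incidental", "limited_data_set",
})


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str
    recipient_address: str | None
    phi_description: str      # brief description of the PHI disclosed
    purpose: str              # purpose code, e.g. "public_health"
    purpose_statement: str    # brief statement or reference to the written request
    protocol: str | None = None   # research protocol name, if any
    protocol_subjects: int = 0    # individuals covered by that protocol


@dataclass(frozen=True)
class Suspension:
    """An oversight agency's or law enforcement official's request to withhold
    disclosures made to them from the individual's accounting."""
    patient_id: str
    recipient: str
    stated_on: date
    written: bool
    until: date | None = None  # period specified in a written statement

    def active_on(self, day: date) -> bool:
        if self.written:
            return self.until is not None and day <= self.until
        # Oral statement: at most 30 days unless a written statement follows.
        return day <= self.stated_on + timedelta(days=30)


def lookback_start(requested_on: date, years: int = 6) -> date:
    """First date the accounting must cover (six years before the request)."""
    try:
        return requested_on.replace(year=requested_on.year - years)
    except ValueError:  # 29 February in a non-leap year
        return requested_on.replace(year=requested_on.year - years, day=28)


def response_deadline(received_on: date, extended: bool = False) -> date:
    """Act within 60 days of receipt; one written 30-day extension allowed."""
    return received_on + timedelta(days=90 if extended else 60)


def build_accounting(log, suspensions, patient_id, requested_on, produced_on=None):
    """Return the accounting entries for one individual, oldest first."""
    produced_on = produced_on or requested_on
    start = lookback_start(requested_on)
    suspended = {s.recipient for s in suspensions
                 if s.patient_id == patient_id and s.active_on(produced_on)}

    groups = defaultdict(list)
    for d in log:
        if d.patient_id != patient_id or d.purpose in EXEMPT_PURPOSES:
            continue
        if not start <= d.disclosed_on <= requested_on:
            continue
        if d.recipient in suspended:
            continue
        if d.protocol and d.protocol_subjects >= 50:
            groups[("protocol", d.protocol)].append(d)
        else:  # repeat disclosures: same recipient, same purpose
            groups[("recipient", d.recipient, d.purpose)].append(d)

    dated = []
    for key, items in groups.items():
        items.sort(key=lambda d: d.disclosed_on)
        first, last = items[0], items[-1]
        if key[0] == "protocol":
            entry = {"kind": "research_protocol", "protocol": first.protocol,
                     "recipient": first.recipient, "address": first.recipient_address,
                     "phi": first.phi_description, "purpose": first.purpose_statement,
                     "period": (first.disclosed_on, last.disclosed_on),
                     "note": "Your PHI may or may not have been disclosed under this protocol."}
        elif len(items) == 1:
            entry = {"kind": "single", "date": first.disclosed_on,
                     "recipient": first.recipient, "address": first.recipient_address,
                     "phi": first.phi_description, "purpose": first.purpose_statement}
        else:
            entry = {"kind": "repeat", "first_date": first.disclosed_on,
                     "count": len(items), "last_date": last.disclosed_on,
                     "recipient": first.recipient, "address": first.recipient_address,
                     "phi": first.phi_description, "purpose": first.purpose_statement}
        dated.append((first.disclosed_on, entry))
    return [entry for _, entry in sorted(dated, key=lambda t: t[0])]


# Constructed sample data (no real PHI). Patient P-1 requests an accounting
# on 2025-06-01; the sheriff gave an oral suspension statement on 2025-05-20.
SAMPLE_LOG = [
    Disclosure("P-1", date(2025, 1, 10), "Dr. Example", None, "visit notes", "treatment", "continuing care"),
    Disclosure("P-1", date(2024, 1, 5), "State Health Dept", "1 Capitol Way", "lab results 12/2023", "public_health", "mandatory reporting"),
    Disclosure("P-1", date(2024, 2, 5), "State Health Dept", "1 Capitol Way", "lab results 1/2024", "public_health", "mandatory reporting"),
    Disclosure("P-1", date(2024, 3, 5), "State Health Dept", "1 Capitol Way", "lab results 2/2024", "public_health", "mandatory reporting"),
    Disclosure("P-1", date(2025, 3, 1), "County Sheriff", None, "admission date", "law_enforcement", "written request on file"),
    Disclosure("P-1", date(2018, 12, 1), "State Licensing Board", None, "chart excerpt", "health_oversight", "license review"),
    Disclosure("P-1", date(2024, 9, 15), "University Research Office", "2 Campus Dr", "diagnosis codes", "research", "IRB waiver on file", protocol="CARDIO-2024", protocol_subjects=120),
    Disclosure("P-2", date(2024, 6, 1), "State Health Dept", None, "lab results", "public_health", "mandatory reporting"),
]
SAMPLE_SUSPENSIONS = [Suspension("P-1", "County Sheriff", date(2025, 5, 20), written=False)]

if __name__ == "__main__":
    for e in build_accounting(SAMPLE_LOG, SAMPLE_SUSPENSIONS, "P-1", date(2025, 6, 1), date(2025, 6, 10)):
        print(e)
```

Run on the sample, the accounting produced on 2025‑06‑10 contains two entries: the three public‑health reports collapsed into one grouped entry (first date, count, last date) and one protocol‑level research entry. The treatment disclosure is exempt, the 2018 oversight disclosure is outside the six‑year window, P‑2's record belongs to another individual, and the sheriff's disclosure is withheld because the oral suspension is still within its 30‑day limit. Producing the same accounting on 2025‑07‑01, after the oral suspension has lapsed with no written statement, adds the sheriff's disclosure back as a single entry.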
Tracking Disclosures for Research Purposes
Research disclosures require careful triage to determine whether disclosure accounting applies.
When to account
- Account when PHI is disclosed for research under 45 CFR 164.512(i): an IRB/Privacy Board waiver of authorization, reviews preparatory to research, or research on decedents' information.
- Do not account when the disclosure is made under a valid individual authorization.
- Do not account for disclosures of a limited data set under a data use agreement.
Simplified accounting for 50+ subjects
When research disclosures under 164.512(i) involve 50 or more individuals, you may list the research protocol rather than each disclosure. Include: the protocol or study name; a plain‑language description of the protocol, including its purpose and the criteria used to select records; a brief description of the type of PHI disclosed; the date or period during which the disclosures occurred or may have occurred, including the date of the last disclosure in the accounting period; the name, address and telephone number of the sponsor and of the researcher who received the PHI; and a statement that the individual's PHI may or may not have been disclosed under that protocol. If it is reasonably likely that the individual's PHI was disclosed, you must, on request, assist the individual in contacting the sponsor and researcher.
Operational tips
- Create a research disclosures register keyed to protocol numbers and waiver documentation.
- Require researchers and business associates to report research disclosures promptly.
- At study closeout, reconcile all research disclosures against IRB approvals and your disclosure accounting log.
Documentation Retention Policies
Maintain disclosure accounting records, privacy policies and procedures, workforce training records, sanctions, authorizations, and complaints for at least six years from the date of creation or the date last in effect—whichever is later. This retention applies to disclosure accounting logs and any suspension notices from oversight or law enforcement.
Store records securely with reliable backups and audit trails. If a state law or organizational policy requires a longer retention period for documentation retention, follow the longer period. Ensure business associates keep and supply needed information so you can meet individual rights and disclosure accounting obligations.
Conclusion
Build a reliable disclosure accounting program by standardizing the required fields, automating capture, and validating exemptions up front. Clear workflows, timely responses, and disciplined retention allow covered entities to honor individual rights while meeting HIPAA's accounting, authorization, and research‑disclosure rules.
FAQs
What disclosures must be included in a HIPAA accounting?
Include non‑exempt disclosures of PHI to external parties, such as public health authorities, health oversight, law enforcement (unless a suspension applies), judicial or administrative proceedings, and research disclosures made under a waiver of authorization. Exclude treatment, payment, and health care operations, disclosures to the individual, disclosures made under a valid authorization, incidental disclosures, limited data set disclosures, national security, correctional institution disclosures, and facility directory or involvement-in-care disclosures.
How long must covered entities retain disclosure documentation?
Keep disclosure accounting records and related privacy documentation for at least six years from the date of creation or the date last in effect, whichever is later. Retain suspension notices, research protocol accounting details, and any communications supporting the purpose of each logged disclosure.
Are disclosures for treatment exempt from accounting?
Yes. Disclosures for treatment—as well as those for payment and health care operations—are exempt from disclosure accounting under HIPAA. Do not include them in an individual’s accounting.
What is the timeframe for providing an accounting upon request?
Provide the accounting within 60 days of receiving the request. If needed, you may take one 30‑day extension by notifying the individual in writing with the reason for the delay and a new completion date. The accounting may cover up to six years prior to the request, and the first accounting in a 12‑month period must be provided at no charge.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.