Accounting of Disclosures Meaning: HIPAA Definition and Examples

Kevin Henry

HIPAA

September 13, 2025

Definition of Accounting of Disclosures

An accounting of disclosures is a written record that a Covered Entity maintains and provides to you, listing certain instances in which your Protected Health Information (PHI) was disclosed outside the organization. Under HIPAA’s Disclosure Accounting Requirement, the list covers specific disclosures made by the covered entity or its business associates during the six years preceding your request, excluding categories that the Privacy Rule exempts from accounting.

The accounting is not a copy of your medical record. Instead, it documents when PHI was disclosed, to whom it went, what information left, and why. The goal is to give you visibility into non-routine disclosures—those other than treatment, payment, and health care operations—so you can understand how your information has been used while the organization maintains HIPAA Compliance.

Purpose of Accounting of Disclosures

The accounting advances patient transparency and trust. It helps you verify that PHI was shared only for valid reasons, and it equips you to ask informed questions or exercise other privacy rights if something seems incorrect.

For organizations, accounting supports HIPAA Compliance by documenting disclosures that fall outside routine care and billing. It demonstrates due diligence to regulators, helps respond to audits, and strengthens privacy governance across Public Health Disclosures, Health Oversight Activities, and other permitted purposes.

Disclosures Requiring Accounting

Unless specifically exempted by HIPAA, the following disclosures of PHI generally must appear in an accounting, along with brief, plain-language descriptions and dates. Examples show how these arise in practice.

  • Required by law: When a statute or court order compels disclosure. Example: producing limited records under a court order.
  • Public Health Disclosures: Reports to public health authorities or the FDA. Examples: communicable disease reporting or medical device adverse event submissions.
  • Health Oversight Activities: Disclosures to agencies conducting audits, inspections, or investigations. Example: responding to a state licensing board audit.
  • Judicial and administrative proceedings: Disclosures made in litigation or hearings under the Privacy Rule’s conditions. Example: responding to a qualifying subpoena with required safeguards.
  • Law enforcement purposes: Disclosures permitted for warrants, locating a suspect or missing person, or reporting certain crimes.
  • Averting a serious threat: Disclosures to prevent or lessen a serious and imminent threat to health or safety.
  • Decedents: Disclosures to coroners, medical examiners, or funeral directors for their duties.
  • Organ and tissue donation: Disclosures to organ procurement organizations to facilitate transplantation.
  • Research without patient authorization: Disclosures approved by an Institutional Review Board or Privacy Board under a waiver. If a study involves 50+ individuals, the accounting may use a protocol-level summary rather than listing each individual disclosure.
  • Workers’ compensation: Disclosures authorized by workers’ compensation laws.

Disclosures Exempt from Accounting

HIPAA excludes several categories from the accounting requirement. When a disclosure fits one of these, it is not listed in the accounting you receive.

  • Treatment, payment, and health care operations (TPO): Routine sharing for care coordination, billing, or quality improvement.
  • To the individual: Disclosures of your own PHI to you (for access or copies).
  • Patient Authorization Exceptions: Disclosures made pursuant to your valid, written authorization.
  • Facility directory and persons involved in care: Disclosures allowed when you agree or are given an opportunity to agree or object (for example, directory listings or notifying a family member).
  • Incidental disclosures: Secondary disclosures that occur as a byproduct of an otherwise permitted use and are limited by safeguards.
  • National security or intelligence activities: Disclosures to authorized federal officials for these purposes.
  • Correctional institutions or law enforcement custodians: Disclosures about inmates to those custodians under the rule’s conditions.
  • Limited data set: Disclosures made as part of a limited data set under a data use agreement.

Information Included in an Accounting

Each entry in an accounting must include core details so you can understand what left the organization and why. Specifically, the covered entity must provide:

  • The date of the disclosure.
  • The name (and, if known, address) of the recipient.
  • A brief description of the PHI disclosed.
  • A brief statement of the purpose of the disclosure, or a copy of the written request that prompted it.

For multiple disclosures to the same recipient for the same purpose within the accounting period, the entity may provide the first disclosure date, the frequency or number of disclosures, and the date of the last disclosure rather than listing each one individually.

For research involving 50 or more individuals under an IRB/Privacy Board waiver, the accounting may list protocol-level information (such as the research protocol or activity, type of PHI disclosed, date range, and recipient information) in place of individual-by-individual entries.

Covered Entities must keep policies, procedures, and logs needed to produce an accounting for six years, and business associates must furnish information to the covered entity as necessary to complete the accounting.

Patient's Right to Request Accounting

You may request an accounting of disclosures from a Covered Entity for the six years prior to your request date. The request is typically required in writing, and the entity must verify your identity or that of your personal representative.

The organization must act on your request within 60 days. If more time is needed, it may take one extension of up to 30 additional days with written notice stating the reason and new due date. The accounting must be provided in the form you request (paper or electronic) if readily producible.

You are entitled to one free accounting in any 12-month period. Reasonable, cost-based fees may be charged for additional accountings after giving you advance notice and a chance to withdraw or narrow your request to avoid or reduce the fee.

A temporary suspension of your right to receive an accounting may apply if a health oversight agency or law enforcement official provides a written statement that issuing the accounting would impede their activities, for the period they specify.

Bottom line: an accounting of disclosures equips you to see when PHI left a Covered Entity for non-routine purposes, reinforces transparency, and helps ensure HIPAA Compliance across your care journey.

FAQs

What is an accounting of disclosures under HIPAA?

It is a written list a Covered Entity provides that shows certain disclosures of your Protected Health Information made in the prior six years, excluding categories the Privacy Rule exempts (such as TPO and authorized disclosures). Each entry identifies the recipient, date, what was disclosed, and why.

Which disclosures require accounting?

Generally, disclosures required by law; Public Health Disclosures; Health Oversight Activities; judicial or administrative proceedings; certain law enforcement purposes; actions to avert a serious threat; disclosures to coroners, medical examiners, funeral directors; organ procurement organizations; research under an IRB/Privacy Board waiver; and workers’ compensation typically must be included.

Are disclosures for treatment excluded from accounting?

Yes. Disclosures for treatment, payment, and health care operations are exempt from the accounting requirement and will not appear on the list you receive.

For what period can a patient request an accounting of disclosures?

You can request an accounting covering up to six years prior to the date of your request. The entity must respond within 60 days (with one allowable 30-day extension if needed) and provide the accounting in a readily producible paper or electronic format.
