Accounting of Disclosures Under HIPAA: PHI Disclosure Log Template and Tips


Kevin Henry

HIPAA

September 08, 2024

6 minutes read

Purpose of Disclosure Logs

Under HIPAA §164.528, individuals have the right to receive an accounting of disclosures of their Protected Health Information (PHI). A disclosure log is the practical record that lets you produce that accounting quickly and accurately while showing regulators that you follow the Privacy Rule.

For Covered Entities and their Business Associates, a well-maintained log improves transparency, enables timely responses to requests, and demonstrates compliance during audits. It also reduces risk by proving that non-routine disclosures were evaluated and recorded consistently.

Operationally, disclosure logging helps you separate routine treatment, payment, and health care operations from accountable disclosures, coordinate with Business Associates, and maintain a defensible compliance posture.

Required Information in Logs

Your PHI disclosure log should capture the core data elements needed to generate an accounting that “reasonably informs” the individual about each disclosure.

  • Date of disclosure.
  • Recipient: name of the person or entity and, if known, address.
  • Description of PHI disclosed (brief but specific).
  • Purpose or legal authority for the disclosure (for example, “required by law,” “public health report,” or “court order”); §164.528(b)(2) also allows you to attach a copy of the written request in place of the purpose statement.
  • Whether a Business Associate made the disclosure on your behalf. The regulation does not require this flag in the accounting itself, but the accounting must include BA disclosures, so the log needs to capture them.

Helpful, but not required

  • Method of disclosure (mail, fax, secure portal) and reference number.
  • Workforce member responsible and internal case ID.
  • Regulatory category (e.g., public health, law enforcement, oversight) to support reporting and audits.

Recurring disclosures

When disclosing to the same recipient for the same purpose on a recurring basis, §164.528(b)(3) lets you record the full details of the first disclosure and then the frequency, periodicity, or number of subsequent disclosures, together with the date of the last disclosure in the accounting period, rather than itemizing each one. A separate alternative under §164.528(b)(4) covers research disclosures involving 50 or more individuals.

Retention Period Requirements

Maintain disclosure logs and related policies for at least six years. This aligns with HIPAA’s documentation rule and the look-back period for an individual’s Accounting of Disclosures request, which covers the six years preceding the request date.

Maintain the log for six years from each entry’s creation (or from the date it was last in effect) and ensure backups are secure and recoverable. If state record-retention rules are longer, use the stricter standard to avoid gaps.

Exemptions from Accounting

Not every release of PHI must appear in the accounting. The following are exempt under the Privacy Rule:

  • Disclosures for treatment, payment, and health care operations.
  • Disclosures to the individual who is the subject of the PHI.
  • Disclosures made pursuant to a valid authorization.
  • Incidental disclosures that occur as a by-product of a use or disclosure that is otherwise permitted or required.
  • Facility directory disclosures and disclosures to persons involved in the individual’s care (when permitted).
  • Disclosures for national security or intelligence purposes.
  • Disclosures to correctional institutions or law enforcement about an inmate or individual in lawful custody.
  • Disclosures of a limited data set under a data use agreement.

Commonly misunderstood: not exempt

The following typically require logging because they are not exempt: required-by-law disclosures; public health reporting; health oversight activities; judicial or administrative proceedings; certain law enforcement requests; workers’ compensation programs; and disclosures to HHS for compliance investigations.


Business Associates' Responsibilities

A Business Associate’s compliance obligations include tracking any non-exempt disclosures of PHI it makes on behalf of a Covered Entity and supplying that information so the Covered Entity can fulfill HIPAA §164.528. BA contracts should require timely cooperation so the Covered Entity can meet its response deadlines.

  • Maintain records of non-exempt disclosures made for, or on behalf of, the Covered Entity.
  • Provide the Covered Entity with complete accounting details upon request, promptly enough to meet response timelines.
  • Retain disclosure records and relevant documentation for at least six years.
  • Flow down logging duties to subcontractors that handle PHI.

Disclosure Log Template Availability

Use a standardized PHI Disclosure Log template to ensure every required element is consistently captured. You can adapt the following structure to paper or electronic formats:

Disclosure Date | Recipient (Name and, if known, Address) | Purpose/Authority | Description of PHI | Method | Business Associate (Y/N) | Workforce Member/Ref ID | Notes

Pair the template with quick-pick reasons (e.g., required by law, court order, public health, oversight) and clear guidance on what is exempt to reduce errors and speed up documentation.
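The following is an added example, not code from the original article or from Accountable: it shows how a log built on the template above can be turned into an accounting by applying the six-year look-back, dropping the exempt categories, and collapsing recurring disclosures to the same recipient for the same purpose into a single summarized entry, as §164.528(b)(3) permits. The field names, purpose picklist values, and sample log entries are assumptions constructed for illustration; the deadline helper applies the 60-day response period and the single 30-day extension.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Picklist values (assumed names) for the categories that
# §164.528(a)(1) excludes from the accounting.
EXEMPT_PURPOSES = {
    "treatment", "payment", "operations", "to_individual", "authorization",
    "incidental", "facility_directory", "involved_in_care",
    "national_security", "correctional", "limited_data_set",
}


@dataclass(frozen=True)
class Disclosure:
    """One row of the disclosure log template (field names are assumed)."""
    patient_id: str
    disclosed_on: date
    recipient: str            # name and, if known, address
    purpose: str              # quick-pick purpose/authority category
    phi_description: str      # brief description of the PHI disclosed
    via_business_associate: bool = False


def lookback_start(request_date: date) -> date:
    """Start of the six-year window preceding the request (§164.528(a)(1))."""
    try:
        return request_date.replace(year=request_date.year - 6)
    except ValueError:  # request dated 29 Feb, target year is not a leap year
        return request_date.replace(year=request_date.year - 6, day=28)


def generate_accounting(log, patient_id: str, request_date: date) -> list:
    """Return the accountable disclosures for one individual, recurring ones summarized."""
    window_start = lookback_start(request_date)
    in_scope = [
        d for d in log
        if d.patient_id == patient_id
        and d.purpose not in EXEMPT_PURPOSES
        and window_start <= d.disclosed_on <= request_date
    ]
    # Group by (recipient, purpose); within a group the first disclosure is
    # listed in full and later ones are summarized (§164.528(b)(3)).
    groups = defaultdict(list)
    for d in sorted(in_scope, key=lambda d: d.disclosed_on):
        groups[(d.recipient, d.purpose)].append(d)

    entries = []
    for (recipient, purpose), series in groups.items():
        first = series[0]
        entry = {
            "date": first.disclosed_on.isoformat(),
            "recipient": recipient,
            "phi": first.phi_description,
            "purpose": purpose,
            "via_business_associate": any(d.via_business_associate for d in series),
        }
        if len(series) > 1:
            entry["number_of_disclosures"] = len(series)
            entry["last_disclosure"] = series[-1].disclosed_on.isoformat()
        entries.append(entry)
    return entries


def response_deadline(request_received: date, extended: bool = False) -> date:
    """60 days to act on a request, plus one 30-day extension if the individual
    was given a written statement of the reasons and the expected date (§164.528(c))."""
    return request_received + timedelta(days=60 + (30 if extended else 0))


# Constructed sample log (not real PHI). Note the exempt treatment entry,
# the monthly public-health series, the entry outside the six-year window,
# and the entry belonging to a different individual.
REQUEST_DATE = date(2024, 9, 8)
SAMPLE_LOG = [
    Disclosure("P-001", date(2024, 1, 15), "Dr. Rivera (treating physician)", "treatment", "visit notes"),
    Disclosure("P-001", date(2024, 2, 1), "State Health Dept, 100 Main St", "public_health", "reportable lab result"),
    Disclosure("P-001", date(2024, 3, 1), "State Health Dept, 100 Main St", "public_health", "reportable lab result"),
    Disclosure("P-001", date(2024, 4, 1), "State Health Dept, 100 Main St", "public_health", "reportable lab result", True),
    Disclosure("P-001", date(2024, 5, 20), "County Superior Court, Clerk", "court_order", "records 2023-2024"),
    Disclosure("P-001", date(2017, 6, 1), "County Superior Court, Clerk", "court_order", "records 2016"),
    Disclosure("P-002", date(2024, 5, 20), "County Superior Court, Clerk", "court_order", "records 2023"),
]

if __name__ == "__main__":
    for entry in generate_accounting(SAMPLE_LOG, "P-001", REQUEST_DATE):
        print(entry)
    print("respond by", response_deadline(REQUEST_DATE),
          "or, with written notice of extension,", response_deadline(REQUEST_DATE, extended=True))
```

Running it against the constructed log yields two entries for P-001: the three public-health reports collapsed into one summarized entry (first date, count, last date, BA flag set because one report went through a Business Associate) and the single court-ordered disclosure; the treatment disclosure, the 2017 disclosure, and P-002’s entry are excluded. In a real system the picklist values should be the only way to record a purpose, so that the exemption decision is made once in policy rather than by each workforce member at the point of release.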

Compliance Best Practices

  • Define a written policy that maps HIPAA §164.528 to your workflows and clarifies what is and is not logged.
  • Embed logging into points of release (health information management, legal, research, customer service) so entries are captured in real time.
  • Use standardized fields and picklists to improve data quality and reporting consistency.
  • Train workforce members and Business Associates on exemptions, documentation standards, and escalation paths.
  • Audit the log periodically; reconcile against subpoenas, public health reports, and other outbound channels.
  • Secure the log as PHI-adjacent data: restrict access, minimize detail, and retain only what is necessary.
  • Plan for requests: act within 60 days of receipt; if you need the one permitted 30-day extension, give the individual a written statement of the reasons and the expected date within the original 60 days; provide the first accounting in any 12-month period at no charge, and inform the individual in advance of any cost-based fee for additional requests.
  • Honor lawful temporary suspensions of the right to receive an accounting when a health oversight agency or law enforcement official requests one, and document the suspension. An oral request suspends the right for no more than 30 days unless a written statement follows.

Conclusion

Accurate Accounting of Disclosures protects patients and your organization. By logging required elements, applying exemptions correctly, retaining records for six years, and coordinating with Business Associates, you can meet HIPAA §164.528 with confidence and efficiency.

FAQs

What information must be included in a PHI disclosure log?

Record the disclosure date; recipient’s name and, if known, address; a brief description of the PHI; the purpose or legal authority (or a copy of the written request); and whether a Business Associate made the disclosure. Add internal references and method of disclosure to streamline audits.

How long must HIPAA disclosure logs be retained?

Keep disclosure logs and related documentation for at least six years. This supports HIPAA’s documentation requirements and the six‑year look‑back for an individual’s Accounting of Disclosures request.

Are business associates required to provide accounting of disclosures?

Yes. Business Associates must track non‑exempt disclosures they make on behalf of a Covered Entity and provide complete details so the Covered Entity can fulfill HIPAA §164.528 within required timelines. BA records should also be retained for six years.

What disclosures are exempt from accounting under HIPAA?

Exemptions include disclosures for treatment, payment, and health care operations; disclosures to the individual; those made under a valid authorization; incidental disclosures; facility directory and involved‑in‑care disclosures; national security or intelligence; correctional custody disclosures; and limited data set disclosures under a data use agreement.
