Beginner’s Guide to HIPAA’s Privacy Rule: Your Quick Guide to Accounting of Disclosures

Kevin Henry

HIPAA

March 20, 2025

5 minute read

Overview of HIPAA Privacy Rule

The HIPAA Privacy Rule sets national standards for how Covered Entities and their Business Associates handle Protected Health Information (PHI). It permits necessary sharing for treatment, payment, and Healthcare Operations while giving you rights over your information, including the right to receive an accounting of certain disclosures made without Patient Authorization.

This accounting right is a transparency tool: it shows when your PHI left the organization for reasons other than routine care, billing, or internal operations. It complements, but is different from, your right to access your medical records.

Understanding Accounting of Disclosures

An accounting of disclosures is a written list of specific disclosures of your PHI made by a Covered Entity and, when applicable, by its Business Associates on its behalf. The accounting typically spans up to the six years before the date of your request, though you may ask for a shorter period. ([privacyruleandresearch.nih.gov](https://privacyruleandresearch.nih.gov/pr_12.asp?utm_source=openai))

Only disclosures—PHI shared outside the entity—are listed; internal uses are not. The report focuses on legally permitted disclosures that did not require your Patient Authorization, such as certain public health or legal disclosures, unless an exception applies.

Exceptions to Accounting Requirements

Not every disclosure appears in the accounting. HIPAA excludes several categories, including:

  • Treatment, payment, and Healthcare Operations activities.
  • Disclosures made to you about your own PHI.
  • Incidental disclosures permitted by the Rule.
  • Disclosures made pursuant to your written Patient Authorization.
  • Facility directory entries and notifications to persons involved in your care.
  • National security or intelligence purposes.
  • Disclosures to correctional institutions or law enforcement when you are in custody.
  • Disclosures as part of a Limited Data Set made under a valid Data Use Agreement.
  • Disclosures that occurred before the entity’s HIPAA compliance date.

In addition, a law enforcement or health oversight agency may request a temporary suspension of your right to receive an accounting if providing it would impede their activities (oral requests allow up to a 30-day suspension unless followed by a written request specifying the duration). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-edited/index.html?utm_source=openai))

Required Information in Accounting

Each entry in the accounting must give you enough detail to understand what was shared and why. For each disclosure, the report must include: the date; the recipient’s name (and, if known, address); a brief description of the PHI disclosed; and a brief statement of the purpose—or a copy of the written request, when applicable. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.528?utm_source=openai))

If multiple disclosures were made to the same recipient for the same purpose, the entity may provide a summarized entry showing the frequency or number of disclosures and the date of the last disclosure. For certain research disclosures involving 50 or more individuals, HIPAA permits a simplified listing that identifies the protocol and time frame, along with sponsor and researcher contact details. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.528?utm_source=openai))
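As an added illustration (not code from the article or from Accountable), here is a hypothetical Python routine that builds an accounting from a disclosure log by applying the six-year look-back (or a shorter period on request), the exclusion categories listed above, the required per-entry fields, and the summarized-entry option for repeated disclosures to one recipient for one purpose. The field names, category tags and sample log are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Categories the page lists as excluded from an accounting (45 CFR 164.528(a)(1)).
EXCLUDED = {"treatment", "payment", "healthcare_operations", "to_individual",
            "incidental", "authorized", "facility_directory", "involved_in_care",
            "national_security", "correctional", "limited_data_set", "pre_compliance"}

@dataclass(frozen=True)
class Disclosure:              # one row of a hypothetical disclosure log
    on: date
    recipient: str
    address: Optional[str]     # reported only if known
    phi: str                   # brief description of the PHI disclosed
    purpose: str               # brief statement of the purpose
    category: str              # tag set at logging time; drives the exclusions

REQUEST_DATE = date(2025, 3, 20)
SAMPLE_LOG = [  # constructed sample data, not from any real system
    Disclosure(date(2023, 1, 5), "Health Dept", "1 Capitol Way", "lab result", "disease report", "public_health"),
    Disclosure(date(2023, 4, 9), "Health Dept", "1 Capitol Way", "lab result", "disease report", "public_health"),
    Disclosure(date(2024, 2, 1), "Health Dept", "1 Capitol Way", "lab result", "disease report", "public_health"),
    Disclosure(date(2024, 6, 3), "County Court", None, "visit summary", "court order", "judicial"),
    Disclosure(date(2024, 7, 1), "Billing Service", None, "claim data", "payment", "payment"),      # TPO
    Disclosure(date(2024, 8, 1), "Life Insurer", None, "full record", "authorized release", "authorized"),
    Disclosure(date(2017, 3, 1), "County Court", None, "visit summary", "subpoena", "judicial"),  # too old
]

def accounting_of_disclosures(log, request_date, years=6):
    """Accounting for the `years` (at most six) before request_date, summarizing repeats."""
    years = min(years, 6)
    try:   # look-back counted in calendar years (assumption); 29 Feb falls back to 28 Feb
        start = request_date.replace(year=request_date.year - years)
    except ValueError:
        start = request_date.replace(year=request_date.year - years, day=28)
    entries = {}
    for d in sorted(log, key=lambda d: d.on):
        if not (start <= d.on <= request_date) or d.category in EXCLUDED:
            continue           # outside the window, or an excluded category
        key = (d.recipient, d.purpose)   # repeats to one recipient for one purpose
        if key in entries:
            entries[key]["count"] += 1
            entries[key]["last_date"] = d.on.isoformat()
        else:
            entries[key] = {"date": d.on.isoformat(), "recipient": d.recipient,
                            "address": d.address, "phi": d.phi, "purpose": d.purpose,
                            "count": 1, "last_date": d.on.isoformat()}
    return list(entries.values())
```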

Role of Business Associates

Business Associates—vendors and service providers who handle PHI for a Covered Entity—must keep records of relevant disclosures so the Covered Entity can fulfill your request for an accounting. The Business Associate Agreement must require the associate to make this information available, and the parties may agree that the associate will provide the accounting to you directly when appropriate. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/246/do-business-associates-have-obligations/index.html?utm_source=openai))

When a Limited Data Set is disclosed, HIPAA requires a Data Use Agreement between the discloser and recipient. Limited Data Set disclosures are excluded from accounting requirements, but the DUA remains mandatory. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/467/must-a-covered-entity-provide-an-accounting-for-disclosures/index.html?utm_source=openai))

Response Time for Accounting Requests

A Covered Entity must act on your request within 60 days. If it cannot provide the accounting within that period, it may take one 30-day extension, but only if it sends you a written explanation and a date by which it will complete the request. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.528?utm_source=openai))

Fees for Accounting Disclosures

Your first accounting in any 12-month period must be provided free of charge. For additional accountings in the same 12 months, a Covered Entity may charge a reasonable, cost-based fee, but it must tell you the cost in advance and allow you to withdraw or narrow your request to reduce the fee. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html?utm_source=openai))

Bottom line: know the scope (six years), what’s excluded (such as TPO, meaning treatment, payment, and Healthcare Operations, and Limited Data Sets disclosed under a Data Use Agreement), what details you should receive, and the timing and cost rules. With this, you can confidently request and review an accounting of disclosures of your PHI.

FAQs

What disclosures must be included in the accounting?

The accounting generally includes disclosures not covered by HIPAA’s exclusions—such as many disclosures required by law, for health oversight, or for judicial and administrative proceedings—along with those made by Business Associates on the Covered Entity’s behalf. Disclosures for treatment, payment, or Healthcare Operations, and those made with your Patient Authorization, are not included. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/710/when-must-a-covered-entity-account-for-disclosures-of-protected-health-information-in-litigation/index.html?utm_source=openai))

How long do covered entities have to respond to an accounting request?

They must act within 60 days, with one permissible 30-day extension if they send you a written explanation and a completion date within the initial 60 days. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.528?utm_source=openai))

Are business associates required to provide accounting of disclosures?

Covered Entities are responsible for providing the accounting to you. Business Associates must supply the Covered Entity with the information needed and may, by contract, be designated to provide the accounting directly. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/246/do-business-associates-have-obligations/index.html?utm_source=openai))

Can fees be charged for accounting requests?

Your first accounting in a 12-month period is free. Reasonable, cost-based fees may apply to additional requests in the same period, but the entity must notify you beforehand and let you withdraw or narrow the request to avoid or reduce the fee. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.528?utm_source=openai))
