Does the HIPAA Privacy Rule Require an Accounting of Disclosures?


Kevin Henry

HIPAA

February 06, 2024

7 minutes read

Overview of Accounting of Disclosures

Yes. Under the HIPAA Privacy Rule, individuals have Patient Rights to receive an accounting of certain disclosures of their Protected Health Information (PHI). An accounting is a record that shows when, why, and to whom your organization disclosed PHI for reasons other than routine care and operations.

“Disclosure” means releasing PHI outside your organization. Internal “uses” of PHI are different and are not listed in the accounting. Covered Entities—health plans, most health care providers, and health care clearinghouses—must be prepared to produce an Accounting of Disclosures on request.

What an accounting includes

  • Date of each disclosure.
  • Name (and, if known, address) of the recipient.
  • A brief description of the PHI disclosed.
  • A brief statement of the purpose or a copy of the written request that prompted the disclosure.

When multiple disclosures are made to the same recipient for a single purpose, you may list a range (first and last dates) and a description of the frequency instead of itemizing each event.

Who must comply

Covered Entities are responsible for furnishing the accounting to the individual. Business Associates may perform functions for Covered Entities, but the duty to provide the final accounting remains with the Covered Entity.

Exemptions from Accounting

Not every disclosure belongs in the accounting. The most notable carve‑out is the Treatment Payment Healthcare Operations Exemption, which excludes routine disclosures for treatment, payment, and health care operations (often called “TPO”).

Common exclusions

  • Disclosures for treatment, payment, and health care operations (TPO).
  • Disclosures made to the individual about their own PHI.
  • Disclosures made pursuant to a valid HIPAA authorization.
  • Incidental disclosures that occur as a by‑product of an otherwise permitted use or disclosure.
  • Disclosures for facility directories or to persons involved in the individual’s care or notification.
  • Disclosures for national security or intelligence purposes.
  • Disclosures to correctional institutions or law enforcement about inmates or individuals in lawful custody.
  • Disclosures of a limited data set under a data use agreement.
  • Disclosures that occurred before your organization’s HIPAA Privacy Rule compliance date.

Disclosures required by law, for public health reporting, health oversight, certain law enforcement activities, and many research disclosures are generally not exempt and must be included unless another specific rule applies.

Recordkeeping Requirements

You must maintain Disclosure Documentation sufficient to produce a complete Accounting of Disclosures for the required period. In general, retain the documentation for at least six years from the date created or last in effect, whichever is later.

What to record

  • The accounting elements listed above (date, recipient, PHI description, and purpose/request).
  • For recurring disclosures to the same recipient for a single purpose, the period covered and frequency.
  • Any written statements from health oversight agencies or law enforcement requesting a temporary suspension of accounting and the duration of that suspension.

Research considerations

When you disclose PHI for research without individual authorization under an IRB/Privacy Board waiver, you must account for those disclosures. If a research protocol involves the PHI of 50 or more individuals, you may provide a summary-style accounting that identifies the protocol and its purpose, rather than listing each person separately.

Request and Response Procedures

Individuals can request an Accounting of Disclosures for a defined lookback period. You may ask that requests be in writing and specify the period of interest. If no format is specified, provide the accounting in a readable written form; if readily producible, honor a requested electronic format.


Timing and fees

  • Respond within 60 days of receipt. If you need more time, you may take one 30‑day extension by informing the individual in writing of the delay and the expected completion date.
  • Provide one accounting free in any 12‑month period. For additional requests in the same 12 months, you may charge a reasonable, cost‑based fee after informing the individual and giving them a chance to withdraw or narrow the request.

Handling special cases

  • If a health oversight agency or law enforcement official states that an accounting would impede their activities, you must temporarily suspend the accounting for the specified time.
  • If no disclosures subject to accounting were made during the requested timeframe, inform the individual that there is nothing to report.

Responsibilities of Covered Entities

Covered Entities must implement policies and procedures to track disclosures, train workforce members, and respond to requests accurately and on time. You must also ensure Business Associates are contractually obligated to support accounting requests and promptly supply you with the details of any disclosures they make on your behalf.

Operational expectations

  • Designate a privacy contact to receive and process requests.
  • Maintain and periodically audit your disclosure log for completeness and accuracy.
  • Coordinate across departments (e.g., health information management, legal, research) to gather required details.
  • Document fee calculations and communications related to any cost‑based charges.

Role of Business Associates

Business Associates must keep records of their disclosures of PHI made on behalf of the Covered Entity and provide that information to the Covered Entity upon request. They support, but do not replace, the Covered Entity’s duty to deliver the Accounting of Disclosures to the individual.

Your business associate agreements should explicitly require timely cooperation with accounting requests, define formats for transmitting Disclosure Documentation, and address how to handle any temporary suspensions or law enforcement directives received by the Business Associate.

Timeframe and Scope of Disclosures

An accounting covers up to six years prior to the date of the individual’s request and does not include disclosures made before your HIPAA compliance date. The scope is limited to disclosures of PHI to external parties; internal uses are not included, and the Treatment Payment Healthcare Operations Exemption removes most routine TPO disclosures from the accounting.

Be consistent. Apply the same lookback rules across all systems and maintain the underlying records long enough to substantiate your accounting. When systems change, migrate or retain sufficient detail to preserve continuity for the full retention period.
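As an added example (not from this article or from Accountable), the Python routine below applies the rules described above to a disclosure log: it drops exempt purpose categories, limits the window to the six-year lookback bounded by the compliance date, and collapses repeated disclosures to the same recipient for one purpose into a first/last date range with a count. The category labels, the sample log and the compliance date are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Purpose categories the article lists as excluded from the accounting (constructed labels).
EXEMPT_PURPOSES = {"treatment", "payment", "operations", "to_individual", "authorization",
                   "incidental", "facility_directory", "national_security", "correctional",
                   "limited_data_set"}

@dataclass(frozen=True)
class Disclosure:
    when: date
    recipient: str   # name (and address, if known)
    phi: str         # brief description of the PHI disclosed
    purpose: str     # purpose category label, e.g. "public_health"

def lookback_start(request_date, compliance_date, years=6):
    """Earliest date covered: `years` before the request, but never before the compliance date."""
    try:
        earliest = request_date.replace(year=request_date.year - years)
    except ValueError:  # request dated 29 February
        earliest = request_date.replace(year=request_date.year - years, day=28)
    return max(earliest, compliance_date)

def build_accounting(log, request_date, compliance_date):
    """Keep accountable entries in the lookback window and collapse repeat disclosures to the
    same recipient for the same purpose into one row with first/last dates and a count."""
    start = lookback_start(request_date, compliance_date)
    groups = defaultdict(list)
    for d in log:
        if d.purpose not in EXEMPT_PURPOSES and start <= d.when <= request_date:
            groups[(d.recipient, d.purpose)].append(d)
    rows = []
    for (recipient, purpose), items in groups.items():
        items.sort(key=lambda d: d.when)
        rows.append({"recipient": recipient, "purpose": purpose, "phi": items[0].phi,
                     "first": items[0].when, "last": items[-1].when, "count": len(items)})
    return sorted(rows, key=lambda r: r["first"])

# Constructed sample log: a recurring public-health report (collapses to one row), an exempt
# payment disclosure, an entry older than the lookback window, and one required-by-law entry.
SAMPLE_LOG = [
    Disclosure(date(2019, 3, 1), "State Health Dept", "lab result", "public_health"),
    Disclosure(date(2021, 3, 1), "State Health Dept", "lab result", "public_health"),
    Disclosure(date(2023, 3, 1), "State Health Dept", "lab result", "public_health"),
    Disclosure(date(2023, 6, 1), "Billing Vendor", "claim", "payment"),
    Disclosure(date(2000, 1, 1), "County Court", "records", "required_by_law"),
    Disclosure(date(2023, 9, 15), "County Court", "subpoenaed records", "required_by_law"),
]
```

Calling `build_accounting(SAMPLE_LOG, date(2024, 2, 6), date(2003, 4, 14))` yields two rows: the three State Health Dept reports as one entry with a count of 3, and the single 2023 County Court disclosure.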

Conclusion

In short, the HIPAA Privacy Rule does require an Accounting of Disclosures for specified, non‑exempt disclosures of PHI. If you maintain accurate Disclosure Documentation, honor timelines, and coordinate with Business Associates, you will meet the rule’s requirements while upholding Patient Rights and trust.

FAQs

What disclosures are excluded from the accounting requirement?

Common exclusions include the Treatment Payment Healthcare Operations Exemption (routine TPO), disclosures to the individual, disclosures made under a valid authorization, incidental disclosures, facility directory and care‑involvement notifications, national security or intelligence disclosures, correctional/custodial disclosures, limited data set disclosures, and disclosures made before your HIPAA compliance date.

How long must covered entities keep disclosure records?

Maintain the documentation necessary to produce an Accounting of Disclosures for at least six years from the date the record was created or last in effect, whichever is later. This aligns record retention with the maximum accounting lookback period.

Who is responsible for providing accounting of disclosures?

The Covered Entity is responsible for providing the Accounting of Disclosures to the individual. Business Associates must track and supply their disclosure information to the Covered Entity to support an accurate, complete response.

Can individuals request an accounting of disclosures directly from business associates?

Generally, no. Individuals should submit requests to the Covered Entity. Business Associates cooperate by furnishing the Covered Entity with the details of disclosures they made on the entity’s behalf, as required by their business associate agreements.
