HIPAA Accounting of Disclosures: Requirements, Exceptions, and How to Comply

Right to Accounting of Disclosures

Under the HIPAA Privacy Rule, you have the right to receive an accounting of disclosures of your Protected Health Information made by Covered Entities and their Business Associates in the six years prior to your request, except for specific exclusions. You may ask for a full six-year lookback or limit the timeframe to a shorter period.

You can request the accounting in paper or electronic form. If your preferred format is readily producible, the organization must honor it; otherwise, you and the entity should agree on an alternative readable format. One accounting in any 12‑month period is provided at no charge.

Covered Entities' Obligations

Maintain accurate disclosure tracking

Covered Entities must record qualifying disclosures so they can produce a complete accounting on request. Records should be detailed enough to identify what was disclosed, to whom, when, and why, and must be retained for at least six years.

Coordinate with Business Associates

When Business Associates make disclosures on a covered entity’s behalf, the associate must supply the details needed for the entity’s accounting. Your Business Associate Agreement should require timely, accurate reporting of such disclosures.

Provide the accounting promptly and in plain language

Designate a contact to receive requests, verify the requester’s identity, and deliver the accounting in clear, easy-to-understand terms. If the individual requests a particular format that’s readily producible, provide it; otherwise, agree on an alternative that is readable and accessible.

Exceptions to Accounting Requirement

The following disclosures are excluded and should not appear in the HIPAA Accounting of Disclosures:

• For treatment, payment, and health care operations.
• To the individual who is the subject of the information.
• For facility directories or to persons involved in the individual’s care or notification.
• Pursuant to a valid authorization signed by the individual.
• For national security or intelligence purposes.
• To correctional institutions or Law Enforcement Officials when the individual is in custody.
• As part of a Limited Data Set disclosed under a Data Use Agreement.

Content of the Accounting

Each entry in the accounting must include enough detail for transparency without revealing more Protected Health Information than necessary. Provide:

• Date of the disclosure.
• Name of the recipient and, if known, their address or other contact information (for example, a Health Oversight Agency unit or court clerk).
• A brief description of the PHI disclosed.
• A brief statement of the purpose of the disclosure or a copy of the written request or authorization that prompted it.

Repeated disclosures to the same recipient

If multiple disclosures were made to the same recipient for a single purpose, list either each date or the period covered, the frequency (or number) of disclosures, and the date of the last disclosure.

Research disclosures without authorization

When disclosures are for research approved with a waiver of authorization, you may summarize by research protocol and include an investigator or study contact so the individual can obtain more details, while still meeting the accounting requirement.

Temporary Suspension of Accounting Rights

A Covered Entity must temporarily suspend an individual’s right to receive an accounting for disclosures made to a Health Oversight Agency or to Law Enforcement Officials if that agency or official states that providing the accounting would be reasonably likely to impede the agency’s activities.

• Written statements must specify the duration of the suspension.
• Oral statements require the entity to document the request and may justify a suspension for up to 30 days unless a written statement is received within that period.

Response Time for Accounting Requests

You must act on an accounting request no later than 60 days after receipt. If more time is needed, one 30‑day extension is allowed, but you must send the requester a written explanation for the delay and a firm date by which you will complete the request.

Fees for Accounting Requests

The first accounting provided to an individual in any 12‑month period is free. For additional requests in the same 12‑month window, you may charge a reasonable, cost‑based fee that reflects labor, supplies, and postage. Before charging, inform the requester of the estimated fee and allow them to withdraw or modify the request to reduce or avoid the cost.

In practice, building a reliable HIPAA Accounting of Disclosures process means logging qualifying disclosures, training staff, coordinating with Business Associates, and honoring response timelines. By understanding the exceptions and content requirements—and by preparing for temporary suspensions—you can comply consistently while providing individuals with clear insight into how their information is used.

FAQs.

What disclosures must be included in a HIPAA accounting?

Include any disclosure of Protected Health Information made for purposes other than treatment, payment, or health care operations and not otherwise excluded. Common examples are disclosures required by law; to public health authorities; to a Health Oversight Agency; for judicial or administrative proceedings; for law enforcement purposes (other than custodial situations); to medical examiners, coroners, and funeral directors; for organ or tissue procurement; for workers’ compensation programs; to avert a serious threat to health or safety; and for research conducted under an IRB or privacy board waiver of authorization.

How long must covered entities retain disclosure documentation?

Maintain accounting records and related documentation for at least six years from the date of each disclosure or from when the record was last in effect, whichever is later. This aligns with HIPAA’s general documentation retention period.

When can the right to accounting be temporarily suspended?

When a Health Oversight Agency or Law Enforcement Official states that providing the accounting would be reasonably likely to impede their activities. A written statement must specify the suspension’s duration; an oral statement can support a suspension for up to 30 days while awaiting the written follow‑up.

Are there fees for requesting multiple accountings?

Yes. One accounting in a 12‑month period is free. Additional accountings in the same 12‑month period may incur a reasonable, cost‑based fee, but you must notify the individual of the estimated cost first and give them a chance to modify or withdraw the request.