HIPAA Compliance: Required Notices, Access, and Disclosure Accounting for Patients



Kevin Henry

HIPAA

January 06, 2025


Maintaining Privacy Rule Compliance means giving patients clear notices, timely access to their records, and accurate Disclosure Accounting. This guide explains what you must provide, how quickly you must respond, and where Business Associate Cooperation fits when handling Protected Health Information (PHI).

Notice of Privacy Practices

The Notice of Privacy Practices (NPP) explains how you use and disclose Protected Health Information and how patients can exercise their rights. You must write it in plain language and make it easy to find and keep.

What the NPP must cover

  • Permitted uses and disclosures of PHI, including examples patients can understand.
  • Patient rights: access, amendments, Disclosure Accounting, restrictions, confidential communications, and complaint options.
  • Your duties: safeguard PHI, follow the NPP, and notify affected individuals of breaches when required.
  • How to exercise rights, including where to send requests and how to reach your privacy contact.
  • Effective date and how patients will learn about material changes.

Providing and posting the NPP

  • Providers with a direct treatment relationship must give the NPP at first service and make it available thereafter; post it prominently and on any public website.
  • Health plans must give the NPP at enrollment and notify members of material revisions; periodically remind members that the NPP is available.
  • Document good‑faith efforts to obtain patient acknowledgment of receipt when required.

Right to Access Protected Health Information

Patients have the right to inspect or obtain a copy of PHI in the designated record set (for example, medical and billing records used to make decisions about them). You must act on requests within 30 days; if you need more time, one 30‑day extension is allowed with written notice explaining the delay and the new date.

Form, format, and delivery

  • Provide records in the form and format requested if readily producible (including electronic formats for ePHI); otherwise, agree on a workable alternative.
  • At the individual’s written direction, send a copy to a designated third party.
  • Use reasonable identity verification but avoid burdens that impede access.

Fees and denials

  • Any fee must be reasonable and cost‑based (limited to certain labor, supplies, and postage as allowed).
  • If you deny access in limited circumstances, give a written denial explaining the basis and, when applicable, how to seek review. Offer a summary or a subset if the individual agrees.

Right to Request Amendments

Individuals may ask you to amend PHI in the designated record set if they believe it is inaccurate or incomplete. You must act within 60 days; a single 30‑day written extension is permitted when necessary.

Approving or denying an amendment

  • If you approve, make the amendment and inform the individual. On request and when relevant, notify others who rely on the information so they can correct their records.
  • You may deny if the information was not created by you (and the creator is available), is not part of the designated record set, is not available for inspection, or is accurate and complete.
  • After a denial, let the individual submit a statement of disagreement; you may write a rebuttal. Attach the materials to future disclosures of the affected PHI.

Right to an Accounting of Disclosures

Patients can request a record of certain disclosures of their PHI made in the previous six years (excluding uses within your organization). The Accounting Request Response Time is 60 days, with one 30‑day written extension if needed.

What the accounting must include

  • Date of each disclosure.
  • Recipient’s name (and address when known).
  • Brief description of the PHI disclosed.
  • Brief statement of the purpose or a copy of the request that prompted the disclosure.

For repetitive disclosures to the same recipient for a single purpose, you may summarize the frequency, period, and type of PHI. Provide one accounting free in any 12‑month period; a reasonable, cost‑based fee may apply to additional requests after advance notice.


Exceptions to Accounting Requirement

Some disclosures do not appear in the accounting. Understanding these Exceptions to Disclosure Accounting keeps your log focused and compliant.

  • Treatment, payment, and health care operations.
  • Disclosures to the individual about themselves.
  • Disclosures made pursuant to a valid authorization.
  • Facility directories and disclosures to persons involved in the individual’s care or for notification purposes.
  • Incidental disclosures that occur despite reasonable safeguards.
  • National security or intelligence purposes.
  • Disclosures to correctional institutions or law enforcement about inmates in specified circumstances.
  • Disclosures of a limited data set under a data use agreement.
  • Disclosures that occurred before the compliance date of the Privacy Rule.

By contrast, public health reporting, health oversight, judicial and administrative proceedings, and most law enforcement disclosures are generally included in an accounting unless a temporary suspension applies.
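The two lists above (the fields an accounting must contain, and the disclosure types that are left out of it) together describe a filter over a disclosure log. The following Python is an added worked example, not code from the article or from Accountable: it keeps a log with the four required fields, applies the six-year lookback, drops the excluded categories, withholds entries for a recipient under an active suspension so they can be added later, summarizes repetitive disclosures to one recipient for one purpose by frequency and period, and computes the 60-day response deadline with its single 30-day extension. The category tags, the sample log records, the recipient names and the calendar-year interpretation of "six years" are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

# Constructed tags for the disclosure types the article lists as excluded from an
# accounting. They are illustrative labels chosen here, not regulatory terms.
EXCLUDED_PURPOSES = frozenset({
    "treatment", "payment", "health_care_operations", "to_individual",
    "authorization", "facility_directory", "involved_in_care", "incidental",
    "national_security", "correctional", "limited_data_set", "pre_compliance_date",
})


@dataclass(frozen=True)
class Disclosure:
    """One log entry carrying the fields an accounting must report."""
    disclosed_on: date
    recipient: str
    recipient_address: Optional[str]   # address only when known
    phi_description: str               # brief description of the PHI disclosed
    purpose_tag: str                   # constructed category tag (see EXCLUDED_PURPOSES)
    purpose_statement: str             # brief purpose, or the request that prompted it


def years_before(d: date, years: int) -> date:
    """Same calendar date `years` earlier (assumption: 29 Feb falls back to 28 Feb)."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def accounting_deadline(received_on: date, extended: bool = False) -> date:
    """Response due 60 days after receipt; one 30-day extension with written notice."""
    return received_on + timedelta(days=60 + (30 if extended else 0))


def build_accounting(log: Iterable[Disclosure], request_on: date,
                     suspended_recipients: frozenset = frozenset()):
    """Return (entries, withheld). `entries` is the accounting for the individual;
    `withheld` are in-scope disclosures to recipients under an active suspension,
    kept aside so they can be included once the suspension ends."""
    window_start = years_before(request_on, 6)
    in_scope = [d for d in log
                if window_start <= d.disclosed_on <= request_on
                and d.purpose_tag not in EXCLUDED_PURPOSES]
    withheld = [d for d in in_scope if d.recipient in suspended_recipients]
    reportable = [d for d in in_scope if d.recipient not in suspended_recipients]

    # Group repetitive disclosures to the same recipient for one purpose so they
    # can be summarized by frequency and period instead of listed one by one.
    groups = defaultdict(list)
    for d in reportable:
        groups[(d.recipient, d.purpose_statement)].append(d)

    entries = []
    for (recipient, purpose), items in groups.items():
        items.sort(key=lambda d: d.disclosed_on)
        first, last = items[0], items[-1]
        entry = {"recipient": recipient, "address": first.recipient_address,
                 "phi": first.phi_description, "purpose": purpose}
        if len(items) == 1:
            entry["date"] = first.disclosed_on.isoformat()
        else:
            entry["frequency"] = len(items)
            entry["period"] = (first.disclosed_on.isoformat(), last.disclosed_on.isoformat())
        entries.append(entry)
    entries.sort(key=lambda e: e.get("date") or e["period"][0])
    return entries, withheld


# Constructed sample log: three monthly public health reports, one treatment
# referral (excluded), one court-ordered disclosure, one record older than six
# years, and one disclosure to an oversight agency that is under suspension.
SAMPLE_LOG = [
    Disclosure(date(2024, 3, 5), "State Health Dept", "1 Capitol St", "lab result", "public_health", "mandatory public health report"),
    Disclosure(date(2024, 4, 2), "State Health Dept", "1 Capitol St", "lab result", "public_health", "mandatory public health report"),
    Disclosure(date(2024, 5, 7), "State Health Dept", "1 Capitol St", "lab result", "public_health", "mandatory public health report"),
    Disclosure(date(2024, 6, 1), "Dr. Example (specialist)", None, "referral summary", "treatment", "referral"),
    Disclosure(date(2024, 7, 9), "County Court", "2 Court Sq", "visit dates", "judicial", "response to court order"),
    Disclosure(date(2017, 1, 10), "State Health Dept", "1 Capitol St", "immunization record", "public_health", "registry report"),
    Disclosure(date(2024, 8, 20), "Oversight Agency", "3 Audit Way", "billing records", "health_oversight", "compliance review"),
]


def demo_request():
    """Worked run: request received 2025-01-06 while the oversight agency's
    suspension is in force. Returns the deadlines and the resulting accounting."""
    request_on = date(2025, 1, 6)
    entries, withheld = build_accounting(SAMPLE_LOG, request_on, frozenset({"Oversight Agency"}))
    return {
        "due": accounting_deadline(request_on).isoformat(),
        "due_if_extended": accounting_deadline(request_on, extended=True).isoformat(),
        "entries": entries,
        "withheld": [d.recipient for d in withheld],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo_request(), indent=2))
```

Running the demo yields two accounting entries (the three public health reports collapsed into one summarized entry with a frequency of 3, plus the single court disclosure), the treatment referral and the 2017 record filtered out, and the oversight agency disclosure held back until its suspension ends. The `purpose_tag` is what decides inclusion, so the log should record it at the time of disclosure rather than reconstructing it when a request arrives.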

Temporary Suspension of Accounting

You must temporarily suspend providing an accounting of disclosures to a health oversight agency or law enforcement official if they state that an accounting would be reasonably likely to impede their activities.

  • Written statement: follow the suspension for the period specified.
  • Oral statement: you may rely for up to 30 days if you document the official’s identity and the request; continue the suspension if a written statement arrives within that period.
  • Track disclosures during the suspension so you can include them once it ends, if they are otherwise subject to accounting.

Business Associates' Role in Disclosure Accounting

Business Associates that handle PHI for you must support Disclosure Accounting. Business Associate Cooperation is essential to meet the Accounting Request Response Time and overall Privacy Rule Compliance.

  • BA agreements should require the BA to record and retain accounting data for any disclosures it makes on your behalf and to supply that information promptly upon request.
  • BA agreements may authorize the BA to provide the accounting directly to the individual or to you for fulfillment—either way, ensure timelines flow down so you can meet the 60‑day deadline.
  • Require secure transmission of logs, consistent data fields (date, recipient, PHI description, purpose), and retention for at least six years.

Summary

  • Give a complete, clear NPP and keep it current and accessible.
  • Provide timely access (30 days, with one 30‑day extension) in the requested format when feasible.
  • Act on amendment requests within 60 days and propagate approved changes appropriately.
  • Deliver accurate accountings within 60 days (one free per year) and apply exceptions correctly.
  • Coordinate closely with Business Associates to maintain complete disclosure logs and meet deadlines.

FAQs

What information must be included in the Notice of Privacy Practices?

The NPP must state permitted uses and disclosures of PHI; list patient rights (access, amendments, accounting, restrictions, confidential communications, and complaints); describe your legal duties to protect privacy and notify of breaches; explain how to exercise rights and contact your privacy office; and display the effective date and how changes will be communicated.

How long must covered entities keep documentation of disclosures?

Keep required documentation—policies, procedures, NPP versions, authorizations, and disclosure accounting records—for at least six years from the date of creation or the date last in effect, whichever is later. Maintaining a uniform retention period simplifies audits and supports accurate accountings.

When can a covered entity temporarily suspend accounting disclosures?

When a health oversight agency or law enforcement official states that providing an accounting would impede their activities. A written statement triggers suspension for the specified period; an oral statement allows a documented suspension for up to 30 days while awaiting written confirmation.

What rights do patients have regarding access to their health information?

Patients may inspect or obtain copies of PHI in the designated record set, receive it in the requested form and format when readily producible (including electronic copies), direct a copy to a third party, and expect a response within 30 days (with one 30‑day extension). Reasonable, cost‑based fees may apply, and denials must be explained with review rights when available.
