HIPAA Privacy Rule Accounting of Disclosures: Your Quick Guide with Real‑World Scenarios


Kevin Henry

HIPAA

March 20, 2025

7 minutes read

Overview of HIPAA Privacy Rule Accounting

Accounting of disclosures is your obligation to give individuals a list of certain Protected Health Information disclosures made outside your organization. It shows when, to whom, and why you disclosed PHI, making your privacy program transparent and auditable.

This right applies to disclosures, not internal “uses,” and excludes many routine activities like treatment, payment, and health care operations. The accounting of disclosures requirements apply for a look‑back period of up to six years, subject to compliance date exemptions for disclosures that occurred before your HIPAA compliance date.

Covered entities must produce the accounting and include relevant disclosures by their business associates. Individuals can request the report in paper or electronic form if readily producible.

Required Information in Accounting Disclosures

Each accounting must clearly identify the disclosure and explain its purpose. At a minimum, include:

  • Date of the disclosure (or the date range for recurring disclosures).
  • Name of the recipient and, if known, their address.
  • Brief description of the PHI disclosed.
  • Brief statement of the purpose that reasonably informs the individual, or a copy of the written authorization or written request that prompted the disclosure.

For multiple disclosures to the same recipient for a single purpose, you may summarize by listing the first disclosure date, the frequency or number of disclosures, and the date of the last disclosure.

Exceptions to Accounting Requirements

You do not include the following in an accounting (these are disclosure exceptions under HIPAA):

  • Disclosures for treatment, payment, and health care operations.
  • Disclosures to the individual about their own PHI.
  • Disclosures made pursuant to a valid authorization.
  • Disclosures for facility directory or to persons involved in the individual’s care or notification, when permitted.
  • Incidental disclosures that occur as a by‑product of an otherwise permitted disclosure.
  • Disclosures for national security or intelligence purposes.
  • Disclosures to correctional institutions or law enforcement officials having lawful custody of an inmate.
  • Disclosures of a limited data set under a data use agreement.
  • Disclosures that occurred before your HIPAA compliance date (compliance date exemptions).

If a health oversight agency or law enforcement official requests a temporary suspension of accounting to avoid impeding an investigation, you must honor that suspension for the specified period.


Role of Business Associates

Business associates that disclose PHI on your behalf must support the accounting. Your business associate agreement should require business associate cooperation by obligating the BA to record its disclosures and provide the details you need to fulfill an individual’s request.

Practical expectations for BAs include: maintaining disclosure logs with required elements, cascading the duty to subcontractors, and furnishing accounting information promptly to you—or directly to the individual if you direct them to do so. Coordination with BAs ensures your accounting is complete and timely.

Timing and Frequency of Disclosures Accounting

  • Look‑back period: Provide disclosures made in the six years prior to the request date, excluding any before your HIPAA compliance date (compliance date exemptions).
  • Response time: Act within 60 days of receiving a request; you may take one 30‑day extension if you provide written notice explaining the delay and the expected completion date.
  • Cost and frequency: Offer one accounting free in any 12‑month period. For additional requests, you may charge a reasonable, cost‑based fee after notifying the individual, who can withdraw or modify the request to reduce fees.
  • Format: Provide in paper or electronic form if readily producible in the requested format; otherwise, offer a readable alternative the individual agrees to.

Documentation and Record-Keeping Practices

Adopt a record retention policy that keeps required accounting data and privacy documentation for at least six years from the date of creation or last effective date. Your documentation should cover policies, procedures, and the data elements needed to produce accurate accountings.

Implement disclosure tracking protocols that capture the date, recipient, purpose, and PHI description for each reportable disclosure. Centralize logs across departments, integrate EHR audit tools where feasible, and reconcile BA reports to ensure completeness.

Periodically audit logs for quality, confirm exception handling is correct, and train staff on when to record disclosures versus when an exception applies. Build BA oversight into your vendor management lifecycle so third‑party disclosures are consistently tracked.

Illustrative Real-World Scenarios

Scenario 1: Public health reporting (included)

Your clinic reports a communicable disease to a state health department as required by law. This is a reportable disclosure and must appear in the accounting with the date, recipient agency, brief PHI description, and purpose.

Scenario 2: Specialist referral (not included)

You share relevant records with a cardiologist to coordinate care. Because this is treatment, it falls under TPO (treatment, payment, and health care operations) and is excluded from the accounting.

Scenario 3: Patient receives their own records (not included)

You provide the individual a copy of their chart upon request. Disclosures to the individual are not included in the accounting.

Scenario 4: Research with IRB waiver (included)

Your hospital discloses PHI to a researcher under a documented IRB waiver of authorization. This disclosure must be accounted for. If disclosures recur to the same researcher for the same study, you may use a summarized entry.

Scenario 5: Research with patient authorization (not included)

Participants sign a valid authorization for a study, and you disclose PHI under that authorization. Disclosures pursuant to authorization are excluded from the accounting.

Scenario 6: Law enforcement request (included)

You disclose PHI in response to a valid law enforcement request permitted by HIPAA (e.g., court order). Unless a temporary suspension applies, this belongs in the accounting.

Scenario 7: Limited data set for analytics (not included)

You disclose a limited data set to a university under a data use agreement for analytics. Limited data set disclosures are exempt from accounting.

Scenario 8: Business associate disclosure (included)

Your cloud document service (a business associate) discloses PHI to a third party to comply with a subpoena. The BA must log the event and provide the details so you can include it in the individual’s accounting.

In short, focus on non‑routine, external disclosures and verify whether an exception applies. Strong logs, consistent BA cooperation, and disciplined workflows make producing a complete, on‑time accounting straightforward.
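As an added example (not code from the original article), the following Python sketch implements the accounting workflow the sections above describe: apply the six-year look-back and compliance-date cut-off, drop the exempt categories, and summarise repeated disclosures to one recipient for one purpose into a single entry with first date, last date and count. The category labels, sample log, request date and compliance date are constructed assumptions, not real data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed short labels for the exception categories listed above.
EXEMPT = {"tpo", "individual", "authorization", "directory_or_care", "incidental",
          "national_security", "custody", "limited_data_set"}

@dataclass
class Disclosure:
    when: date
    recipient: str
    address: str    # "" when not known
    phi: str        # brief description of the PHI disclosed
    category: str   # drives the exemption check
    purpose: str    # brief statement that informs the individual

def window_start(request_date: date, compliance_date: date) -> date:
    """Six years before the request, but never before the compliance date."""
    try:
        six_back = request_date.replace(year=request_date.year - 6)
    except ValueError:  # 29 Feb requested in a non-leap target year
        six_back = request_date.replace(year=request_date.year - 6, day=28)
    return max(six_back, compliance_date)

def build_accounting(log, request_date, compliance_date):
    """Reportable entries; repeats to one recipient for one purpose are summarised."""
    start = window_start(request_date, compliance_date)
    groups = {}
    for d in sorted(log, key=lambda x: x.when):
        if d.category in EXEMPT or not (start <= d.when <= request_date):
            continue
        groups.setdefault((d.recipient, d.purpose), []).append(d)
    return [{"recipient": r, "address": g[0].address or "unknown", "phi": g[0].phi,
             "purpose": p, "first": g[0].when, "last": g[-1].when, "count": len(g)}
            for (r, p), g in groups.items()]

# Constructed sample log and dates mirroring the scenarios above (not real data).
REQUEST_DATE, COMPLIANCE_DATE = date(2025, 3, 20), date(2020, 1, 1)
def _d(y, m, day, who, cat, why, addr=""):
    return Disclosure(date(y, m, day), who, addr, "diagnosis and visit dates", cat, why)
SAMPLE_LOG = [
    _d(2024, 3, 1, "State Health Dept", "public_health", "Required disease report"),
    _d(2024, 3, 2, "Cardiology clinic", "tpo", "Referral to coordinate care"),
    _d(2024, 4, 1, "Patient", "individual", "Copy of own chart"),
    _d(2024, 5, 1, "Researcher A", "research_waiver", "Study under IRB waiver", "Univ. Lab"),
    _d(2024, 6, 1, "Researcher A", "research_waiver", "Study under IRB waiver", "Univ. Lab"),
    _d(2024, 8, 1, "County Court", "law_enforcement", "Court order"),
    _d(2024, 9, 1, "University", "limited_data_set", "Analytics under DUA"),
    _d(2017, 1, 1, "State Health Dept", "public_health", "Report outside look-back"),
]
```

Running `build_accounting(SAMPLE_LOG, REQUEST_DATE, COMPLIANCE_DATE)` yields three entries (public health report, the summarised researcher disclosures, the court-ordered disclosure); the treatment, patient-copy, limited data set and out-of-window events are dropped.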

FAQs

What is included in an accounting of disclosures under HIPAA?

An accounting lists certain external disclosures of PHI over the applicable look‑back period and includes the date, recipient (and address if known), a brief PHI description, and the reason for the disclosure—or a copy of the relevant authorization or written request. For repeated disclosures to the same recipient for one purpose, you may summarize with first/last dates and frequency.

How long must covered entities keep disclosure records?

Maintain the documentation needed to produce an accounting, along with related privacy policies and procedures, for at least six years. Your record retention policy may set a longer period if state law, contracts, or risk considerations warrant it.

Are business associates required to provide disclosure accounting?

Yes. Business associates must record their reportable disclosures of PHI and, upon request, supply the information to the covered entity—or to the individual at the covered entity’s direction—consistent with the business associate agreement. This business associate cooperation ensures the accounting you provide is complete.

What disclosures are exempt from the accounting requirement?

Exempt disclosures include those for treatment, payment, and health care operations; to the individual; pursuant to authorization; facility directory and involvement in care/notification; incidental disclosures; national security or intelligence purposes; to correctional institutions or law enforcement with lawful custody; limited data sets under a data use agreement; and disclosures made before your HIPAA compliance date.
