HIPAA’s Privacy Rule: Your Quick Guide to Accounting for Disclosures (Best Practices and Compliance Tips)
Overview of HIPAA Privacy Rule
The HIPAA Privacy Rule sets national standards for how covered entities and their business associates use and disclose Protected Health Information (PHI). It gives individuals rights over their PHI, including the right to receive an accounting of disclosures made by a provider, health plan, or clearinghouse.
“Use” generally means handling PHI inside your organization; a “disclosure” means releasing PHI outside your organization. Accounting of Disclosures is the formal record you provide to a patient describing certain disclosures of their PHI over a defined period.
As a covered entity in the United States, you must understand which disclosures are reportable, what details the accounting must include, and how Electronic Health Records (EHRs) and related processes affect your obligations.
Requirements for Accounting for Disclosures
Core elements to include
- Date of each disclosure.
- Name of the recipient and, if known, their address.
- Brief description of the PHI disclosed.
- Brief statement of the purpose (or a copy of the written request) that explains why the disclosure occurred.
- For recurring disclosures to the same recipient for the same purpose, a summary with the frequency or periodicity, the total number of disclosures in the accounting period, and the date of the last disclosure in that period (the first disclosure still gets a full entry).
Timeframes, scope, and fees
You must provide the accounting within 60 days of a request; a single 30‑day extension is allowed with written notice explaining the delay. The standard look‑back period is six years preceding the request date. Patients are entitled to one free accounting in any 12‑month period; you may charge a reasonable, cost‑based fee for additional requests after informing the individual of the cost and allowing them to withdraw or modify the request.
Documentation and business associates
Maintain disclosure logs and related policies for at least six years. Your business associates must support you by supplying disclosure details they make on your behalf so your Accounting of Disclosures is complete. Ensure contracts and operating procedures clearly describe these obligations.
Impact of HITECH Act Enhancements
The HITECH Act sought to enhance transparency by directing regulators to expand accounting to include certain treatment, payment, and health care operations (TPO) disclosures when made through EHRs. It emphasized leveraging EHR audit capabilities to give individuals better visibility into who accessed or disclosed their PHI.
As of December 2, 2025, proposed updates tied to HITECH’s accounting enhancements have not been finalized. The baseline HIPAA accounting standard remains in effect, but you should anticipate more granular expectations around EHR activity and ensure your systems can produce meaningful, patient‑level reports on disclosures.
Practical takeaways for EHR environments
- Enable robust audit logging that captures user, event type, patient, data elements, and timestamp.
- Differentiate internal “uses” from external “disclosures,” and map each to your Accounting of Disclosures policy.
- Design reports that can convert audit events into patient‑readable accounting entries if requirements expand.
Identifying Excluded Disclosures
Not every disclosure belongs in the accounting. Common exclusions include the following; when in doubt, consult your policy before logging:
- Disclosures for treatment, payment, and health care operations (TPO).
- Disclosures to the individual about themselves.
- Disclosures made pursuant to a valid Patient Authorization.
- Incidental disclosures that occur as a byproduct of an otherwise permitted use or disclosure.
- Disclosures for facility directories and to persons involved in the patient’s care or payment, and for notification purposes.
- Disclosures for national security or intelligence purposes, and to correctional institutions or law enforcement officials with lawful custody of an inmate.
- Disclosures of a limited data set under a data use agreement.
Note: Many public health, health oversight, judicial, law‑enforcement, and research disclosures made without Patient Authorization (for example, under an IRB/Privacy Board waiver) are not excluded and must be accounted for. For research under a waiver involving 50 or more individuals, you may use protocol‑level accounting as permitted by the rule.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Implementing Automated Tracking Systems
Manual logs rarely scale. Purpose‑built disclosure tracking systems integrated with your EHRs reduce errors, accelerate responses to patient requests, and strengthen compliance. Automating event capture and reconciliation helps you produce accurate, on‑demand accountings.
Core capabilities to prioritize
- Centralized ledger of disclosures across all source systems and locations.
- APIs or interfaces to EHRs, HIEs, release‑of‑information tools, and secure messaging platforms.
- Rules engine to classify events as uses vs. disclosures and apply exclusions consistently.
- Templates that generate patient‑friendly Accounting of Disclosures reports.
- Business associate feeds so BA disclosures flow into your ledger.
- Retention controls to meet six‑year documentation requirements.
Data quality and governance
- Standardize recipient names and purposes to avoid duplicates and ambiguity.
- Use identity management to match events to the correct patient record.
- Implement maker‑checker review for sensitive or unusual disclosures.
Exception handling
- Flag disclosures that may be subject to a temporary suspension of accounting requested by a health oversight agency or law enforcement official, and track when the suspension lapses so the entries are released into the accounting.
- Escalate questionable entries to your privacy officer for rapid validation.
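The rules engine and report generation described in the lists above (classifying events as uses vs. disclosures, applying the exclusions, aggregating recurring disclosures, and holding back suspended ones) can be sketched in a few dozen lines. The following is an added example written for this page, not code from Accountable or any EHR vendor; the event fields, the purpose vocabulary, and the sample audit events are assumptions constructed for the illustration.

```python
# Added example (not from the original page): a minimal rules engine that
# classifies constructed EHR audit events under 45 CFR 164.528 and turns the
# reportable ones into Accounting of Disclosures entries. Field names, the
# purpose codes and the sample events are assumptions for this illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Disclosure purposes the rule excludes from the accounting, 164.528(a)(1).
EXCLUDED_PURPOSES = {
    "treatment", "payment", "health_care_operations", "to_individual",
    "facility_directory", "involved_in_care", "notification",
    "national_security", "correctional", "limited_data_set",
}


@dataclass(frozen=True)
class Event:
    event_id: str
    patient_id: str
    when: date
    recipient: str                 # entity or person that received the PHI
    address: Optional[str]         # recipient address, if known
    external: bool                 # False = internal use, True = disclosure
    purpose: str                   # normalized purpose code (assumed vocabulary)
    phi: str                       # brief description of the PHI involved
    authorized: bool = False       # made under a valid patient authorization
    incidental: bool = False       # incident to a permitted use or disclosure
    suspended: bool = False        # under a temporary oversight/law-enforcement suspension


def classify(ev: Event) -> str:
    """Return 'use', 'excluded', 'suspended' or 'reportable'."""
    if not ev.external:
        return "use"                      # uses never appear in the accounting
    if ev.authorized or ev.incidental or ev.purpose in EXCLUDED_PURPOSES:
        return "excluded"
    if ev.suspended:
        return "suspended"                # reportable once the suspension lapses
    return "reportable"


def years_before(d: date, n: int) -> date:
    """Start of the look-back window; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def accounting(events, patient_id: str, request_date: date, lookback_years: int = 6):
    """Build accounting entries for one patient over the look-back window.

    A single disclosure gets one dated entry; recurring disclosures to the same
    recipient for the same purpose collapse into a summary with count, period,
    approximate interval and date of the last disclosure (164.528(b)(3))."""
    start = years_before(request_date, lookback_years)
    groups = defaultdict(list)
    for ev in events:
        if ev.patient_id != patient_id or not (start <= ev.when <= request_date):
            continue
        if classify(ev) == "reportable":
            groups[(ev.recipient, ev.purpose)].append(ev)

    entries = []
    for (recipient, purpose), evs in groups.items():
        evs.sort(key=lambda e: e.when)
        entry = {"recipient": recipient, "address": evs[0].address,
                 "purpose": purpose, "phi": evs[0].phi, "count": len(evs)}
        if len(evs) == 1:
            entry["date"] = evs[0].when.isoformat()
        else:
            span = (evs[-1].when - evs[0].when).days
            entry.update(first_date=evs[0].when.isoformat(),
                         last_date=evs[-1].when.isoformat(),
                         approx_interval_days=span // (len(evs) - 1))
        entries.append(entry)
    return sorted(entries, key=lambda e: e.get("date") or e["first_date"])


def suspended_for(events, patient_id: str):
    """Event ids held back by a temporary suspension; re-check before it lapses."""
    return [e.event_id for e in events
            if e.patient_id == patient_id and classify(e) == "suspended"]


# Constructed sample audit events (not real data).
D = date
SAMPLE = [
    Event("e1", "P001", D(2024, 2, 10), "Dr. Lee (internal)", None, False, "treatment", "progress note"),
    Event("e2", "P001", D(2024, 3, 1), "State Health Dept", "1 Capitol Way", True, "public_health", "lab result"),
    Event("e3", "P001", D(2024, 4, 1), "State Health Dept", "1 Capitol Way", True, "public_health", "lab result"),
    Event("e4", "P001", D(2024, 5, 1), "State Health Dept", "1 Capitol Way", True, "public_health", "lab result"),
    Event("e5", "P001", D(2024, 5, 3), "Acme Health Plan", None, True, "payment", "claim"),
    Event("e6", "P001", D(2024, 6, 10), "County Court", "2 Court St", True, "judicial", "visit summary"),
    Event("e7", "P001", D(2024, 7, 1), "Patient's attorney", None, True, "legal", "full record", authorized=True),
    Event("e8", "P001", D(2017, 1, 5), "State Health Dept", None, True, "public_health", "lab result"),
    Event("e9", "P001", D(2024, 8, 2), "City Police", None, True, "law_enforcement", "admission date", suspended=True),
    Event("e10", "P002", D(2024, 9, 9), "County Court", None, True, "judicial", "visit summary"),
]

if __name__ == "__main__":
    for entry in accounting(SAMPLE, "P001", D(2025, 12, 2)):
        print(entry)
    print("held under suspension:", suspended_for(SAMPLE, "P001"))
```

Running it for patient P001 with a request dated 2 December 2025 yields two entries: a summary of three public health disclosures to the State Health Dept (first 2024-03-01, last 2024-05-01, roughly every 30 days) and one judicial disclosure to the County Court; the internal use, the payment disclosure, the authorized release, the 2017 disclosure outside the six-year window, and the other patient's event are all dropped, while the suspended law-enforcement disclosure is listed separately for follow-up. In production the classification would key off data already in the EHR audit trail and release-of-information system rather than hand-set flags, which is why the data quality controls above (standardized recipients and purposes, identity matching) matter.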
Staff Training on Disclosure Compliance
Effective training turns policies into daily practice. Give workforce members role‑based guidance on when Patient Authorization is required, what qualifies as a disclosure, and how to log it promptly and accurately.
Training essentials
- Teach staff to recognize a disclosure event and apply the minimum necessary standard.
- Provide step‑by‑step instructions for entering required details in your disclosure tracking system.
- Use real scenarios (public health reporting, subpoenas, research requests, media inquiries) to reinforce decisions.
- Clarify timelines, extensions, and who communicates with patients.
Ongoing reinforcement
- Offer quick‑reference guides and job aids within EHR workflows.
- Conduct targeted refreshers after incidents or audit findings.
Conducting Periodic Compliance Audits
Compliance audits verify that your processes work under real‑world conditions. Regular testing reduces risk, improves data quality, and demonstrates diligence if regulators review your program.
What to test
- Sample disclosures against source records (EHR, ROI system, legal requests) to confirm completeness and accuracy.
- Validate application of exclusions and the presence of required Patient Authorizations when used.
- Check response times, fee practices, and correspondence for patient requests.
- Review business associate reporting and contracts for required cooperation.
Metrics and reporting
- Track disclosure volume by type, late responses, error rates, and root causes.
- Report trends to leadership and the compliance committee with clear remediation plans.
Continuous improvement
- Remediate gaps with policy updates, system rules, or targeted training.
- Re‑audit closed findings to confirm effectiveness.
Key takeaways
Strong accounting for disclosures rests on clear rules, reliable systems, trained people, and disciplined audits. If you align your EHRs, disclosure tracking systems, and compliance audits, you can deliver timely, accurate accountings while protecting patient trust.
FAQs
What disclosures must be accounted for under HIPAA?
You must account for many disclosures made without Patient Authorization, including most public health reports, health oversight activities, certain law‑enforcement and judicial disclosures, and research under an IRB/Privacy Board waiver. The accounting must list the date, recipient, PHI disclosed, and purpose, covering up to six years before the request. Provide the report within 60 days (with one 30‑day extension, if needed).
How does the HITECH Act affect accounting requirements?
HITECH aimed to enhance transparency for Electronic Health Records by expanding accounting to include certain TPO disclosures made through EHRs and by leveraging audit logs. As of December 2, 2025, those enhancements have not been finalized; the pre‑existing accounting requirements remain in effect. Still, building EHR reporting and audit capabilities now prepares you for potential future changes.
What disclosures are excluded from accounting?
Common exclusions are TPO disclosures, disclosures to the individual, those made under a valid Patient Authorization, incidental disclosures, facility directory and involvement‑in‑care disclosures, national security and correctional institution disclosures, and limited data set disclosures. Many other disclosures—such as public health, oversight, judicial, and research under a waiver—are not excluded and must be accounted for.
How can covered entities ensure compliance with disclosure tracking?
Adopt automated disclosure tracking systems integrated with your EHRs, standardize data entry, and require timely logging. Train staff on recognizing disclosures and exclusions, monitor business associates, and run periodic compliance audits. Use metrics to identify gaps, remediate quickly, and re‑test to confirm the fix.