HIPAA: Your Right to Request an Accounting of Disclosures (What It Is and How to Get One)

Kevin Henry

HIPAA

July 10, 2025

Definition of Accounting of Disclosures

Under the HIPAA Privacy Rule, you have the right to receive an “accounting of disclosures” — a record of certain times your Protected Health Information (PHI) was disclosed to someone outside the Covered Entity and its workforce. This disclosure accounting helps you see when, why, and to whom your PHI left the organization.

A Covered Entity is typically your health plan, a healthcare provider that bills electronically, or a healthcare clearinghouse. Disclosures made by a business associate on the Covered Entity’s behalf are also included in the accounting.

The right generally applies to the six years prior to your request and focuses on disclosures, not internal “uses” of PHI within the organization.

Components of an Accounting Record

Required elements you should expect

  • Date of each disclosure.
  • Name (and, if known, address) of the recipient.
  • A brief description of the PHI disclosed.
  • A short statement of the purpose of the disclosure, or a copy of the written request that prompted it.

When multiple disclosures occurred

If repeated disclosures were made to the same recipient for the same purpose, the accounting may show a summary that includes the frequency, the period covered, and the date of the last disclosure.

Disclosures made by business associates

The Covered Entity’s accounting must capture qualifying disclosures made by its business associates, so you receive a complete picture of PHI sharing outside the organization.

Procedure to Request an Accounting

Step-by-step process

  1. Locate the privacy contact listed in the provider’s or plan’s Notice of Privacy Practices.
  2. Submit a written request stating you are asking for an “accounting of disclosures,” the date range (up to six years), and your preferred format (paper or electronic, if readily producible).
  3. Include identifying details (full name, date of birth or member ID), delivery instructions, and your signature. You may name a personal representative, but proof of authority may be required.
  4. Ask for confirmation of receipt and the expected completion date.

Tips for clarity and scope

  • Narrow the timeframe if you are investigating a specific event to speed up processing.
  • Note that the first accounting in a 12‑month period is typically free; reasonable, cost‑based fees may apply to additional requests.

Timelines and Response Requirements

The Covered Entity must act on your request within 60 days. If more time is needed, it may take one 30‑day extension, but it must notify you in writing of the delay, the reason, and a new completion date.

The accounting covers up to the six years preceding your request date. It must be provided in the form and format you request if readily producible; otherwise, you will receive a readable alternative.

You are entitled to one free accounting every 12 months. If you request more often, the entity may charge a reasonable, cost‑based fee after telling you the cost and giving you a chance to narrow or withdraw your request.

Exceptions to Accounting Rights

Disclosures that are not included

  • Treatment, payment, and healthcare operations (TPO) activities.
  • Disclosures to you (the individual) about your own PHI.
  • Incidental disclosures that occur as a byproduct of an otherwise permitted use or disclosure.
  • Disclosures made pursuant to your valid, written authorization (Authorization Exceptions).
  • National security and intelligence activities (National Security Disclosures) and protective services to the President or other officials.
  • Certain disclosures to correctional institutions or law enforcement regarding an inmate or individual in lawful custody.
  • Facility directory disclosures and those to family, friends, or others involved in your care or for notification/disaster relief, when permitted by the HIPAA Privacy Rule.
  • Disclosures of a Limited Data Set (which excludes direct identifiers) for research, public health, or healthcare operations.

Special case: research

Research disclosures made without your authorization under an Institutional Review Board or privacy board waiver must be accounted for; however, for large protocols, the accounting may be summarized rather than listing each disclosure individually.

Importance of Transparency in PHI Sharing

Disclosure accounting strengthens trust between you and your healthcare organizations. It shows how your PHI moves outside the Covered Entity, helping you validate appropriate sharing, spot red flags, and follow up on questions.

For organizations, transparent accounting demonstrates compliance with the HIPAA Privacy Rule, encourages disciplined data‑handling practices, and supports timely breach detection and response.

Monitoring Health Information Use

Proactive steps you can take

  • Review your patient portal and health plan documents regularly; some systems display activity details or downloadable records.
  • Track Explanation of Benefits (EOBs) from your health plan to confirm services and sharing align with your expectations.
  • Keep your own record of when and with whom you share PHI outside of care settings.
  • If something looks off, contact the privacy officer to ask for clarification and, if needed, submit an accounting request for the relevant period.
  • Use related HIPAA rights strategically, such as requesting restrictions on certain disclosures or asking for confidential communications at alternative addresses.

FAQs

What information is included in an accounting of disclosures?

An accounting lists, for qualifying disclosures: the date; the name (and, if known, address) of the recipient; a brief description of the PHI disclosed; and a short statement of the purpose or a copy of the written request. For repeated disclosures to the same recipient for the same purpose, you may see a summary showing frequency, the period covered, and the date of the last disclosure.

How do I submit a request for an accounting under HIPAA?

Write to the Covered Entity’s privacy officer specified in its Notice of Privacy Practices. State that you are requesting an “accounting of disclosures,” include the date range (up to six years), your preferred format (paper or electronic, if readily producible), your identifying details, delivery instructions, and your signature. Ask for confirmation and the expected completion date.

What disclosures are exempt from accounting requirements?

Common exemptions include disclosures for treatment, payment, and healthcare operations; disclosures to you; incidental disclosures; disclosures made with your written authorization; national security and intelligence activities; certain correctional and law enforcement contexts; facility directories and care‑involvement notifications; and Limited Data Set disclosures. Research with a waiver of authorization is not exempt but may be summarized in the accounting.

How long does a covered entity have to provide the accounting?

The entity must act within 60 days of receiving your request. It may take one 30‑day extension if it sends you written notice explaining the reason for the delay and providing a new date by which it will complete the accounting.
