How to Maintain a HIPAA-Compliant PHI Disclosure Log: Checklist
Disclosure Log Requirements
A HIPAA-compliant PHI disclosure log records “disclosure accounting” for Protected Health Information that leaves your organization for reasons other than routine treatment, payment, and health care operations. The log enables you to demonstrate compliance and respond to patient requests for an accounting of disclosures.
Covered entities must be able to provide an accounting of qualifying disclosures for the six years preceding a request. Business associates should capture the same details so the covered entity can fulfill its obligation promptly.
Timelines matter: you must supply an accounting within 60 days of a request, with one permissible 30‑day extension when you send the individual a written explanation and a target date. The first accounting in any 12‑month period is free; you may charge a reasonable, cost‑based fee for additional accountings after notifying the individual in advance.
Only non‑routine disclosures belong in the log. Disclosures made with a valid patient authorization and other exempt categories listed below are not included in the accounting, although you should still retain documentation supporting those actions.
Information to Include in the Disclosure Log
Core fields required for disclosure accounting
- Date of disclosure.
- Recipient’s name and, if known, address or other contact details.
- Brief description of the PHI disclosed (e.g., “lab results for dates 05/01/2025–05/15/2025”).
- Brief statement of the purpose (or a copy of the written request, subpoena, or other legal authority).
Helpful context fields that improve auditability
- Legal basis for disclosure (e.g., required by law, public health, health oversight, research under waiver).
- Who authorized or performed the disclosure, including any business associate involved.
- Minimum necessary assessment notes and safeguards applied (e.g., redactions, limited data elements).
- Format and transmission method (mail, secure portal, encrypted email) and any access control checks performed before release.
Recurring or multiple disclosures to the same party
For repeated non‑routine disclosures to the same recipient for a single purpose, you may record the first disclosure’s full details, then summarize the frequency, the period covered, and the date of the most recent disclosure instead of logging each event separately.
Exemptions from Disclosure Logging
The following disclosures are exempt from accounting and therefore do not go in the PHI disclosure log:
- Treatment, payment, and health care operations.
- Disclosures to the individual (or personal representative) about their own PHI.
- Disclosures made pursuant to a valid patient authorization.
- Facility directory listings and disclosures to persons involved in the patient’s care or notification, as permitted by HIPAA.
- National security and intelligence activities.
- Disclosures to correctional institutions or law enforcement officials with lawful custody, under applicable conditions.
- Disclosures that are part of a limited data set under a data use agreement.
- Incidental disclosures that occur despite reasonable safeguards and minimum necessary practices.
Additionally, a law enforcement or health oversight agency may temporarily suspend an individual’s right to receive an accounting for a specified period. During a valid suspension, you still maintain records internally but you do not include the suspended items in a patient-facing accounting until the suspension ends.
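The rules above (the four core fields, the exempt categories, the six‑year look‑back, the summarization of repeated disclosures to one recipient for one purpose, the temporary suspension, and the 60‑day response deadline with its 30‑day extension) can be expressed as a small data model. The following Python is an added illustration written for this page, not software from the page or its vendor; the field names, the `Basis` categories, and the sample log entries are constructed for the example, and an organization's real policy would decide the exact basis vocabulary and which bases it treats as exempt.

```python
"""Disclosure-accounting model: constructed example, not production code."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from itertools import groupby
from typing import Dict, List, Optional


class Basis(str, Enum):
    # Categories exempt from accounting (the page's exemptions list)
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "health_care_operations"
    TO_INDIVIDUAL = "to_individual"
    AUTHORIZATION = "patient_authorization"
    LIMITED_DATA_SET = "limited_data_set"
    INCIDENTAL = "incidental"
    # Non-routine bases that must appear in an accounting
    REQUIRED_BY_LAW = "required_by_law"
    PUBLIC_HEALTH = "public_health"
    HEALTH_OVERSIGHT = "health_oversight"
    RESEARCH_WAIVER = "research_waiver"


EXEMPT_BASES = {
    Basis.TREATMENT, Basis.PAYMENT, Basis.OPERATIONS, Basis.TO_INDIVIDUAL,
    Basis.AUTHORIZATION, Basis.LIMITED_DATA_SET, Basis.INCIDENTAL,
}
LOOKBACK_YEARS = 6      # accounting covers the six years preceding the request
RESPONSE_DAYS = 60      # deadline to deliver the accounting
EXTENSION_DAYS = 30     # one extension, only after written notice to the individual


@dataclass(frozen=True)
class Disclosure:
    """One log entry; the first four non-ID fields are the required core fields."""
    patient_id: str
    disclosed_on: date
    recipient: str                              # recipient's name
    phi_description: str                        # brief description of the PHI
    purpose: str                                # purpose statement or legal authority
    basis: Basis
    recipient_contact: Optional[str] = None     # address or contact, if known
    suspended_until: Optional[date] = None      # agency-imposed suspension, if any


def is_accountable(d: Disclosure) -> bool:
    """Only non-routine disclosures go into a patient-facing accounting."""
    return d.basis not in EXEMPT_BASES


def lookback_start(request_date: date) -> date:
    """First day of the six-year window (a Feb 29 request clamps to Feb 28)."""
    try:
        return request_date.replace(year=request_date.year - LOOKBACK_YEARS)
    except ValueError:
        return request_date.replace(year=request_date.year - LOOKBACK_YEARS, day=28)


def response_deadline(request_date: date, extended: bool = False) -> date:
    """60 days from the request, plus one 30-day extension when notice was sent."""
    days = RESPONSE_DAYS + (EXTENSION_DAYS if extended else 0)
    return request_date + timedelta(days=days)


def accounting(log: List[Disclosure], patient_id: str, request_date: date) -> List[Dict]:
    """Build the accounting: in-window, accountable, not currently suspended."""
    start = lookback_start(request_date)
    in_scope = [
        d for d in log
        if d.patient_id == patient_id
        and is_accountable(d)
        and start <= d.disclosed_on <= request_date
        and (d.suspended_until is None or d.suspended_until <= request_date)
    ]
    # Repeated disclosures to one recipient for one purpose are summarized
    grouping = lambda d: (d.recipient, d.purpose, d.basis.value)
    ordered = sorted(in_scope, key=lambda d: (grouping(d), d.disclosed_on))
    entries = []
    for _, members in groupby(ordered, key=grouping):
        members = list(members)
        first = members[0]
        entry = {
            "date": first.disclosed_on.isoformat(),
            "recipient": first.recipient,
            "recipient_contact": first.recipient_contact,
            "phi": first.phi_description,
            "purpose": first.purpose,
            "basis": first.basis.value,
        }
        if len(members) > 1:
            entry.update(
                frequency=len(members),
                period_start=first.disclosed_on.isoformat(),
                period_end=members[-1].disclosed_on.isoformat(),
                most_recent=members[-1].disclosed_on.isoformat(),
            )
        entries.append(entry)
    entries.sort(key=lambda e: e["date"])
    return entries


# Constructed sample log for patient P-001 (fictional data)
REQUEST_DATE = date(2025, 6, 1)
PH = ("State Health Dept", "reportable disease surveillance", Basis.PUBLIC_HEALTH)
SAMPLE_LOG = [
    Disclosure("P-001", date(2024, 3, 10), "Dr. Smith", "visit notes", "treatment", Basis.TREATMENT),
    Disclosure("P-001", date(2024, 1, 15), PH[0], "lab results 01/2024", PH[1], PH[2]),
    Disclosure("P-001", date(2024, 4, 15), PH[0], "lab results 04/2024", PH[1], PH[2]),
    Disclosure("P-001", date(2024, 7, 15), PH[0], "lab results 07/2024", PH[1], PH[2]),
    Disclosure("P-001", date(2023, 9, 2), "County Court", "records 2023", "subpoena",
               Basis.REQUIRED_BY_LAW, recipient_contact="1 Main St, Anytown"),
    Disclosure("P-001", date(2018, 12, 1), "Old Court", "records 2018", "subpoena", Basis.REQUIRED_BY_LAW),
    Disclosure("P-001", date(2025, 3, 1), "OIG", "billing records", "oversight audit",
               Basis.HEALTH_OVERSIGHT, suspended_until=date(2026, 1, 1)),
]


def sample_accounting() -> List[Dict]:
    return accounting(SAMPLE_LOG, "P-001", REQUEST_DATE)


if __name__ == "__main__":
    print("deadline:", response_deadline(REQUEST_DATE))
    for e in sample_accounting():
        print(e)
```

Running the sample produces two entries: the single subpoena disclosure to the court and one summary line for the three public health reports, with frequency, period, and most recent date. The treatment disclosure is exempt, the 2018 subpoena falls outside the six‑year window, and the oversight disclosure stays in the internal log but is withheld from the accounting until its suspension date passes.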
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Retention Period for Disclosure Logs
Maintain disclosure accounting capability and related records for at least six years. This supports the six‑year look‑back period and aligns with HIPAA’s general documentation retention requirement. Many organizations set their disclosure log retention policy to six to seven years to provide an operational buffer.
Confirm whether state law, contractual requirements, research protocols, or litigation holds mandate longer retention. Apply the longest applicable period, and ensure business associates follow the same timelines in their agreements.
Compliance Checklist for Disclosure Logs
- Define policy: document which non‑routine disclosures are logged, exemptions, approval paths, and response timelines.
- Standardize fields: implement required log elements and helpful context fields across systems and forms.
- Embed process controls: require pre‑disclosure review for non‑routine disclosures and verify that the minimum necessary standard is met.
- Integrate systems: enable EHR/health information management workflows to capture disclosures at the source.
- Align business associate agreements: require BAs to record and report disclosures needed for accounting.
- Train the workforce: cover disclosure accounting, patient authorization validation, and access control practices.
- Monitor and audit: run periodic spot checks, reconcile against subpoenas/requests, and resolve discrepancies.
- Fulfill requests: track the 60‑day deadline, extension rules, and cost‑based fee procedures for extra requests.
- Secure the log: protect records with role‑based access, audit trails, encryption, and retention/destruction rules.
Role of the Privacy Officer in Disclosure Logs
The Privacy Officer sets policy, translates regulations into workable procedures, and defines the responsibilities for logging and accounting. They oversee workforce training, approve or escalate complex disclosures, and ensure minimum necessary standards are applied consistently.
They coordinate with legal, compliance, HIM, IT, and business associates to keep templates current, automate capture where possible, and remediate gaps found in audits. The Privacy Officer also manages patient accounting requests, evaluates fee assessments, documents any temporary suspensions, and ensures timely responses and accurate records.
Access to Disclosure Logs
Access to the disclosure log must follow strict access control. Limit internal visibility to staff with a need to know, use unique user IDs, and maintain audit logs that record who viewed or edited entries and when. Apply the same safeguards you use for PHI to the log itself, since the log's entries describe PHI.
Patient access and delivery
Patients have the right to request an accounting for the six years preceding the request date. Verify identity, clarify the requested period, and deliver in the format the patient accepts when reasonably possible (e.g., paper or secure electronic). Document fulfillment, timing, and any cost‑based fees for additional requests within the same 12‑month window.
Internal access and security
Define roles for creating, reviewing, and approving log entries. Use dual review for sensitive disclosures, encrypt data at rest and in transit, and reconcile entries with source documents such as subpoenas or public health reports. Retain audit logs for at least the same period as the disclosure log.
Conclusion
By capturing precise details for non‑routine disclosures, honoring exemptions, retaining records for at least six years, and enforcing strong access control, you maintain a HIPAA‑compliant PHI disclosure log. Clear procedures, staff training, and active Privacy Officer oversight keep your disclosure accounting accurate, defensible, and patient‑centered.
FAQs
What information must be included in a PHI disclosure log?
Record the date of disclosure; the recipient’s name and, if known, address; a brief description of the PHI disclosed; and a brief statement of the purpose or a copy of the request. For repeated disclosures to the same recipient for a single purpose, you may summarize frequency, period, and date of the most recent disclosure.
How long must PHI disclosure logs be retained?
Maintain disclosure accounting capability and supporting records for at least six years. Many organizations choose six to seven years to align with HIPAA documentation requirements and provide operational buffer, subject to any longer state or contractual mandates.
Are disclosures for treatment exempt from logging?
Yes. Disclosures for treatment, payment, and health care operations are exempt from disclosure accounting. Other common exemptions include disclosures made with a valid patient authorization, limited data set disclosures, certain national security and correctional disclosures, and incidental disclosures.
How does a Privacy Officer ensure compliance with disclosure logs?
The Privacy Officer establishes policy, standardizes log fields, trains staff, and embeds approval checkpoints for non‑routine disclosures. They monitor performance with audits, coordinate with business associates, manage patient accounting requests and timelines, and enforce access control and retention requirements.