PHI Disclosure Log Requirements: HIPAA Accounting of Disclosures Explained
Accounting of Disclosures Overview
HIPAA gives individuals the right to receive an accounting of disclosures—an itemized record of when a Covered Entity shared their protected health information (PHI) outside the organization. A “use” happens inside your organization; a “disclosure” sends PHI to someone else. PHI disclosure log requirements ensure you can produce that history on request.
This right applies to all Covered Entities—health care providers, health plans, and health care clearinghouses—and extends to each Business Associate acting for them. You must be able to account for disclosures made in the six years preceding the request, except for specific exemptions detailed below. Accurate PHI Disclosure Documentation is therefore both a compliance obligation and a patient-trust imperative.
A practical disclosure log is the system and record set you maintain (often within an EHR) to capture required data for each non-exempt disclosure and to generate a readable Accounting of Disclosures when an individual asks for it.
Disclosure Exceptions and Exemptions
Not every disclosure must be logged for accounting. HIPAA excludes the following from the Accounting of Disclosures requirement:
- Disclosures for treatment, payment, and health care operations.
- Disclosures to the individual who is the subject of the PHI.
- Incidental disclosures that occur as a byproduct of an otherwise permitted use or disclosure.
- Disclosures made pursuant to a valid HIPAA authorization.
- Disclosures for a facility directory or to persons involved in the individual’s care or notification (when permitted by HIPAA).
- Disclosures for national security or intelligence purposes.
- Disclosures to correctional institutions or law enforcement officials having lawful custody of an inmate.
- Disclosures of Limited Data Sets made under a Data Use Agreement.
- Disclosures that occurred before the entity’s HIPAA compliance date.
Separately, a Health Oversight Agency or law enforcement official may require a temporary suspension of an accounting if providing it would impede an investigation. You must honor written suspension requests (or oral requests for up to 30 days pending written notice).
Required Information for Accounting
For each disclosure that is not exempt, your PHI Disclosure Documentation must capture enough detail to create a meaningful Accounting of Disclosures:
- Date of the disclosure.
- Name (and, if known, address) of the recipient—organization or individual.
- A brief description of the PHI disclosed.
- A brief statement of the purpose of the disclosure or a copy of the written request that prompted it.
When multiple disclosures of the same type are made to the same recipient for a single purpose within a period, you may document the first disclosure’s details plus the frequency or number of disclosures and the date of the last disclosure for that period.
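As an added illustration (not code from the original page or from any vendor), here is a Python sketch of a disclosure log that applies the rules in the sections above: a record with the required fields, the exemption list, the six-year window measured back from the request date but never before the compliance date, the summarization of repeated disclosures to one recipient for one purpose, and withholding of disclosures still under an oversight suspension. The purpose tags, the sample log entries and the compliance date are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Purpose tags for the categories the page lists as exempt (tag names constructed for this example).
EXEMPT = {"treatment", "payment", "operations", "to_individual", "incidental", "authorization",
          "facility_directory", "involved_in_care", "national_security", "correctional_custody",
          "limited_data_set_dua"}
@dataclass
class Disclosure:                   # one log row; dates are ISO strings, which sort correctly as text
    patient_id: str
    disclosed_on: str               # date of the disclosure, "YYYY-MM-DD"
    recipient: str                  # name of the receiving organization or person
    address: Optional[str]          # recipient address, if known
    phi: str                        # brief description of the PHI disclosed
    purpose: str                    # category tag tested against EXEMPT
    statement: str                  # brief purpose statement or reference to the written request
    suspended_until: Optional[str] = None   # set while an oversight/law-enforcement suspension applies

def window_start(request_iso: str, compliance_iso: str) -> str:
    """Six years before the request, but never earlier than the entity's compliance date."""
    req = date.fromisoformat(request_iso)
    try:
        back = req.replace(year=req.year - 6)
    except ValueError:              # request dated Feb 29: no such day six years earlier
        back = req.replace(year=req.year - 6, day=28)
    return max(back, date.fromisoformat(compliance_iso)).isoformat()

def build_accounting(log, patient_id, request_iso, compliance_iso):
    """Accountable disclosures for one patient, grouped per the repeated-disclosure rule."""
    start, groups = window_start(request_iso, compliance_iso), {}
    for d in sorted(log, key=lambda x: x.disclosed_on):
        if d.patient_id != patient_id or d.purpose in EXEMPT or not start <= d.disclosed_on <= request_iso:
            continue
        if d.suspended_until is not None and d.suspended_until > request_iso:
            continue                # still suspended: withhold until the suspension expires
        key = (d.recipient, d.purpose, d.phi)   # same type, same recipient, same purpose
        if key not in groups:       # first disclosure carries the full detail
            groups[key] = {"date": d.disclosed_on, "last_date": d.disclosed_on, "count": 1, "recipient": d.recipient,
                           "address": d.address, "phi": d.phi, "purpose": d.statement}
        else:                       # later ones add only the count and the last date
            groups[key]["count"] += 1
            groups[key]["last_date"] = d.disclosed_on
    return list(groups.values())

# Constructed sample log: two public-health reports, an exempt payment disclosure, a coroner disclosure
# older than six years, and a law-enforcement disclosure under suspension.
SAMPLE_LOG = [
    Disclosure("p1", "2021-03-01", "State Health Dept", None, "lab results", "public_health", "required reporting"),
    Disclosure("p1", "2021-04-01", "State Health Dept", None, "lab results", "public_health", "required reporting"),
    Disclosure("p1", "2022-06-05", "Acme Billing", "1 Main St", "claim data", "payment", "claims processing"),
    Disclosure("p1", "2016-01-01", "County Coroner", None, "full record", "coroner", "death investigation"),
    Disclosure("p1", "2023-09-09", "Police Dept", None, "admission date", "law_enforcement", "subpoena", "2030-01-01"),
]
```

For a request dated 2024-01-15 against the sample log, only the two public-health reports survive the filters and they collapse into one row with a count of 2 and the last date 2021-04-01.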
Timeframe and Documentation Retention
You must be able to account for disclosures made in the six years prior to the date of an individual’s request (but not earlier than your HIPAA compliance date). Independently, HIPAA’s record-retention rule requires you to retain policies, procedures, designations, and proof of required actions—including disclosure logs—for at least six years from the date of creation or the date last in effect, whichever is later.
At a minimum, retain the disclosure log, your Accounting of Disclosures policy, workforce training records, relevant Business Associate Agreements, and any Data Use Agreements supporting Limited Data Sets. Strong retention supports defensibility and smooth fulfillment of individual requests.
Business Associates and Disclosure Accounting
A Business Associate that makes disclosures of PHI on your behalf must record the information necessary for you to provide an accounting. The Business Associate must supply those details to the Covered Entity (or, if your Business Associate Agreement so specifies, provide the accounting directly to the individual). Subcontractors of a Business Associate inherit the same obligation through downstream agreements.
Clarify in each Business Associate Agreement who will track, who will generate the Accounting of Disclosures, and how quickly information must be furnished to meet response deadlines. Remember that disclosures of Limited Data Sets under a Data Use Agreement are exempt from accounting, but the underlying DUA must be retained.
Response Time and Extensions
You must act on an individual’s request for an Accounting of Disclosures within 60 days. If you cannot meet the deadline, you may take one 30‑day extension by providing a written statement before day 60 explaining the reasons for the delay and the date by which you will complete the request.
- Format: Provide the accounting in writing (paper or electronic) in a clear, understandable form.
- Fees: The first accounting in any 12‑month period must be free. You may charge a reasonable, cost‑based fee for additional requests if the individual agrees after being informed of the cost.
- Verification: Verify the requester’s identity and authority before releasing any accounting.
- Temporary suspension: If a Health Oversight Agency or law enforcement official has imposed a suspension, do not include the affected disclosures until the suspension expires.
Accounting for Research-Related Disclosures
Research requires special attention because disclosures occur under different legal pathways. Use the following rules to determine what belongs in the Accounting of Disclosures:
When accounting is required
- Disclosures for research made without an authorization under an IRB/Privacy Board waiver must be accounted for.
- Disclosures for decedent research under HIPAA must be accounted for.
When accounting is not required
- Research disclosures made pursuant to a valid individual authorization are exempt from accounting.
- Disclosures of Limited Data Sets made under a Data Use Agreement are exempt from accounting.
Streamlined accounting for large protocols
For protocols involving disclosures of PHI for 50 or more individuals under a waiver, you may provide a “general accounting” that lists the research protocol or activity, a description of the PHI disclosed, the date or period of disclosures, the name of the recipient (for example, the research institution) and a contact point, rather than listing each individual disclosure.
Key takeaways
Build research workflows that flag when a waiver applies, ensure the study team gives you the data needed for accounting, and prefer Limited Data Sets with a Data Use Agreement when possible to reduce accounting burdens while protecting privacy.
FAQs
What disclosures require accounting under HIPAA?
You must account for disclosures that are not exempt—such as those required by law, to public health authorities, to a Health Oversight Agency, for law enforcement or judicial/administrative proceedings (when permitted by HIPAA), to coroners and medical examiners, for organ procurement, to avert a serious threat, for workers’ compensation programs, and for research under an IRB/Privacy Board waiver or decedent research.
How long must covered entities retain PHI disclosure documentation?
Retain PHI Disclosure Documentation, related policies and procedures, and proof of required actions for at least six years from the date of creation or the date last in effect (whichever is later). You must also be able to provide an accounting covering the six years preceding an individual’s request.
Can business associates provide accounting directly to individuals?
Yes, if the Business Associate Agreement designates the Business Associate to do so. Otherwise, the Business Associate must supply complete disclosure details to the Covered Entity so the Covered Entity can provide the Accounting of Disclosures.
What is the response time for providing an accounting of disclosures?
You must respond within 60 days. If needed, you may take one 30‑day extension by sending the individual a written notice before day 60 explaining the reason for the delay and the expected completion date. The first accounting in any 12‑month period is free; additional requests may incur a reasonable, cost‑based fee with the individual’s agreement.