
An accounting of disclosures under HIPAA is a written record of certain disclosures of protected health information (PHI). When a patient asks for an accounting of disclosures, the provider must return a list showing who received the information, when the disclosure happened, what information was disclosed, and why the disclosure occurred.
This right is separate from the right to get a copy of medical records, and it is much narrower than many teams expect. HIPAA does not require providers to account for every use or disclosure of PHI. The rule focuses on certain disclosures that fall outside treatment, payment, and healthcare operations. The governing rule appears in 45 CFR § 164.528, and HHS’s Privacy Rule summary outlines the right, the exclusions, and the response framework.
For HIM and compliance teams, the real challenge is operational. Can your organization identify reportable disclosures, separate them from excluded disclosures, and produce a complete accounting of disclosures response on time?

Under 45 CFR § 160.103, a disclosure is the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.
Not every disclosure belongs in an accounting of disclosures. A referral to a specialist for treatment is a disclosure, but HIPAA excludes it from the accounting requirement. A disclosure to a public health authority for reportable disease surveillance is also a disclosure, and that one belongs in the accounting because it is made under 45 CFR § 164.512 rather than for treatment, payment, or operations.
That is why accounting of disclosures is a classification task, not just a reporting task.
An accounting of disclosures is a chronological report of certain PHI disclosures made in the six years before the request date, or a shorter period if the individual asks for one. Under 45 CFR § 164.528(c), the provider must act on the request within 60 days of receiving it. HIPAA allows one 30-day extension, provided the provider gives the individual, within the original 60 days, a written statement of the reasons for the delay and the date by which the accounting will be provided. The first accounting in any 12-month period must be free. Later requests in the same 12-month period may carry a reasonable, cost-based fee if the individual is told in advance and given a chance to narrow or withdraw the request.
The accounting must include disclosures made by the covered entity and disclosures made by its business associates on the covered entity’s behalf. In practice, that means providers need a way to pull together disclosure activity from release workflows, legal or subpoena workflows, public health reporting, research pathways, and vendor-supported processes outside the EHR.

Under 45 CFR § 164.528, an accounting of disclosures includes disclosures that fall outside treatment, payment, and healthcare operations and are not otherwise excluded by the rule. Common examples are the § 164.512 pathways: disclosures to public health authorities for disease reporting or surveillance, to health oversight agencies for audits and investigations, to law enforcement officials, to courts or administrative tribunals in response to an order or subpoena, and to researchers under an IRB or privacy board waiver of authorization.
These disclosures often create confusion because they are less common than standard patient, provider, or payor exchanges and are often handled by different teams.
HIPAA allows a summary approach in certain recurring situations. If the covered entity made multiple disclosures to the same person or entity for a single purpose under the applicable HIPAA pathways, the accounting may summarize those events instead of listing each one separately. Research disclosures for 50 or more individuals have their own alternative response format under the regulation.
Most PHI movement does not belong in an accounting of disclosures response. HIPAA expressly excludes disclosures for treatment, payment, and healthcare operations.
HIPAA also excludes, under § 164.528(a)(1), disclosures to the individual; disclosures incident to an otherwise permitted use or disclosure; disclosures made under a valid authorization; disclosures for a facility directory or to persons involved in the individual's care; disclosures for national security or intelligence purposes; disclosures to correctional institutions or law enforcement officials who have custody of the individual; disclosures as part of a limited data set; and disclosures made before the entity's compliance date.
The key question is not recipient type alone. It is the legal basis and purpose.
Even when a disclosure is excluded, providers still benefit from documenting what happened and why. A consistent audit trail reduces rework and makes it easier to defend release decisions later.
For each reportable disclosure, the accounting of disclosures response must list the date of the disclosure; the name of the person or entity that received the PHI and, if known, their address; a brief description of the PHI disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for it (or, in place of that statement, a copy of the written request for the disclosure, if any).
The PHI description does not need to reproduce the records themselves. It needs to be specific enough for the patient to understand what category of information was disclosed.
If the same recipient received repeated disclosures for the same purpose under a § 164.512 pathway, the organization can use HIPAA's summary approach: full details for the first disclosure, the frequency or number of disclosures in the period, and the date of the last one.
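To make the classification and response rules above concrete, the following Python block (an added example, not code from the original page or from ChartRequest) takes a constructed disclosure log, drops entries on excluded pathways and outside the lookback window, collapses repeated disclosures to one recipient for one purpose into a summary entry, and computes the response deadline and fee position. The record layout, the pathway labels, the sample log entries, and the business associate name are assumptions for the example; the compliance date used is the April 14, 2003 Privacy Rule date that applied to most covered entities.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Pathway labels are this example's own assumption. They are keyed to the
# exclusions in 45 CFR 164.528(a)(1); any other basis is treated as reportable.
EXCLUDED_BASES = {
    "treatment", "payment", "operations",   # 164.528(a)(1)(i)
    "to_individual",                        # (ii)
    "incidental",                           # (iii)
    "authorization",                        # (iv) valid 164.508 authorization
    "directory_or_involved_in_care",        # (v)
    "national_security",                    # (vi)
    "correctional_or_custody",              # (vii)
    "limited_data_set",                     # (viii)
}
LOOKBACK_YEARS = 6
RESPONSE_DAYS = 60      # 164.528(c)(1)
EXTENSION_DAYS = 30     # one extension, written notice within the 60 days
COMPLIANCE_DATE = date(2003, 4, 14)   # assumed Privacy Rule compliance date
REQUEST_DATE = date(2024, 6, 1)       # constructed request date for the sample


@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    recipient: str
    recipient_address: str | None   # address is required only "if known"
    phi_description: str
    purpose: str
    basis: str                      # pathway label, see EXCLUDED_BASES
    made_by: str                    # "covered_entity" or a business associate


def years_before(d: date, years: int) -> date:
    """Same calendar day N years earlier (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def is_reportable(d: Disclosure, request_date: date, compliance_date: date,
                  period_years: int = LOOKBACK_YEARS) -> bool:
    """Inside the requested window, on or after the compliance date, and not on
    an excluded pathway. Who made the disclosure is irrelevant: 164.528(a)(1)
    covers disclosures to or by business associates as well."""
    period_years = min(period_years, LOOKBACK_YEARS)   # patient may shorten, not extend
    window_start = max(years_before(request_date, period_years), compliance_date)
    return window_start <= d.disclosed_on <= request_date and d.basis not in EXCLUDED_BASES


def build_accounting(log, request_date, compliance_date=COMPLIANCE_DATE,
                     period_years=LOOKBACK_YEARS):
    """Chronological accounting entries. Repeated disclosures to the same
    recipient for the same purpose collapse into one summary entry (first
    disclosure in full, then count and last date), which 164.528(b)(3) permits
    for 164.512-type pathways; every non-excluded basis here is one of those."""
    reportable = sorted(
        (d for d in log if is_reportable(d, request_date, compliance_date, period_years)),
        key=lambda d: d.disclosed_on)
    groups: dict[tuple[str, str], list[Disclosure]] = {}
    for d in reportable:
        groups.setdefault((d.recipient, d.purpose), []).append(d)
    entries = []
    for (recipient, purpose), items in groups.items():
        first = items[0]
        entries.append({
            "disclosed_on": first.disclosed_on, "recipient": recipient,
            "recipient_address": first.recipient_address,
            "phi_description": first.phi_description, "purpose": purpose,
            "made_by": first.made_by, "count": len(items),
            "last_disclosed_on": items[-1].disclosed_on,
        })
    return sorted(entries, key=lambda e: e["disclosed_on"])


def response_deadline(received_on: date, written_notice_sent_on: date | None = None) -> date:
    """60 days from receipt; one 30-day extension only if the written statement
    of reasons went out no later than the original deadline."""
    deadline = received_on + timedelta(days=RESPONSE_DAYS)
    if written_notice_sent_on is not None and written_notice_sent_on <= deadline:
        deadline += timedelta(days=EXTENSION_DAYS)
    return deadline


def fee_permitted(request_date: date, prior_request_dates) -> bool:
    """First accounting in any 12-month period is free; a later one may carry a
    reasonable, cost-based fee once the individual has had notice and a chance
    to narrow or withdraw the request."""
    since = years_before(request_date, 1)
    return any(since < p < request_date for p in prior_request_dates)


# Constructed sample log; every name, address and date is invented.
SAMPLE_LOG = [
    Disclosure(date(2024, 3, 10), "State Health Department", "1 Capitol Way",
               "positive lab result for a reportable condition",
               "public health surveillance", "public_health", "covered_entity"),
    Disclosure(date(2024, 4, 10), "State Health Department", "1 Capitol Way",
               "follow-up lab result", "public health surveillance",
               "public_health", "covered_entity"),
    Disclosure(date(2024, 5, 2), "Dr. Rivera (cardiology)", None,
               "referral packet", "referral", "treatment", "covered_entity"),
    Disclosure(date(2024, 5, 20), "Acme Life Insurance", "PO Box 9",
               "full record", "underwriting", "authorization", "covered_entity"),
    Disclosure(date(2017, 1, 15), "County Superior Court", "2 Court St",
               "visit notes", "subpoena", "judicial", "covered_entity"),
    Disclosure(date(2024, 2, 1), "State Health Oversight Agency", "3 Audit Rd",
               "billing records", "licensure audit", "health_oversight",
               "ROI Vendor LLC"),   # made by a business associate on our behalf
]

if __name__ == "__main__":
    for entry in build_accounting(SAMPLE_LOG, REQUEST_DATE):
        print(entry)
    print("respond by", response_deadline(REQUEST_DATE))
```

Run against the sample log, the referral (treatment), the insurer (authorization) and the 2017 subpoena (outside the six-year window) drop out; the oversight disclosure made by the vendor stays in, and the two public health reports collapse into one summary entry with a count of 2. The one judgement the code cannot make for you is the pathway label on each record, which is exactly the classification step the article describes.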
HIPAA includes a narrow suspension rule for certain law enforcement and health oversight matters. If the agency or official states in writing that providing the accounting would be reasonably likely to impede the agency's activities and specifies how long the suspension is required, the provider must temporarily suspend the patient's right to receive an accounting of those disclosures for that period. An oral statement can be honored for up to 30 days, provided the provider documents the statement and the identity of the agency or official that made it, unless a written statement arrives in the meantime.
A defensible accounting of disclosures response starts long before a patient asks for one. If your team has to reconstruct disclosure history across email, fax confirmations, legacy systems, spreadsheets, and notes kept separately by department, the workflow is the problem.
Start by identifying every workflow that can generate a reportable disclosure. That usually includes release of information activity, subpoenas and legal requests, public health reporting, research disclosures, compliance investigations, and manual release processes outside the core ROI system.
Then assign ownership. HIM may coordinate the final response, but legal, compliance, infection prevention, research administration, and IT may all own part of the underlying disclosure history.
Training matters too. Staff need to understand the difference between a routine disclosure and a reportable accounting event. They also need to know when a valid HIPAA authorization (the medical records release form) takes a disclosure out of scope and when a nonroutine disclosure, such as a public health report or a response to a subpoena, still needs to be logged.
Retention matters as well. If disclosure history disappears when a system is replaced or archived, the organization has already created a future response problem. That is one reason a practical HIPAA audit checklist should test whether disclosure history remains retrievable.
A stronger HIPAA ROI compliance program turns these rules into a repeatable daily process instead of ad hoc judgment calls.
An accounting of disclosures is a patient-facing report about certain external disclosures of PHI. It answers the question: who outside the organization received my information, when, and for what reason?
An access request is different. It is the patient’s right to inspect or obtain a copy of their own records. It focuses on the content of the record, not a list of who received it. The right to access medical records is a separate HIPAA right with its own timing and response rules.
An audit log is different again. Audit logs show internal system events such as who viewed, modified, exported, or otherwise interacted with a record. HIPAA does not create a general patient right to receive a full audit log.

Accounting of disclosures becomes burdensome when the underlying release workflow is fragmented. Teams end up searching through email chains, fax confirmations, paper authorizations, legacy logs, and notes kept separately by department to answer a request that should have been manageable.
ChartRequest is built to reduce that fragmentation. Structured intake helps teams capture the reason for the request, the legal basis for disclosure, supporting documents, and the delivery path at the front of the workflow instead of reconstructing those details later. User-attributed actions, timestamps, and linked release records create a stronger foundation for accounting of disclosures because the evidence stays attached to the disclosure event itself.
That same structure supports more consistent release decisions, makes nonroutine disclosures easier to trace, and gives leaders better visibility into where exceptions, delays, and manual workarounds are building up. Stronger HIPAA compliance and medical records exchange depends on centralized intake, secure delivery, and auditable workflows that support disclosure decisions across request types.
If your team wants a clearer way to standardize accounting of disclosures intake, track release decisions, and keep audit-ready evidence attached to every request, review your disclosure workflow with our team.
Business associate disclosures count. Under 45 CFR § 164.528(a)(1), the accounting includes disclosures to or by business associates of the covered entity, so vendor-supported disclosure activity cannot be ignored when building the response.
Disclosures made under a valid HIPAA authorization are not included. The regulation excludes them from the accounting requirement, which is one reason accurate classification of the disclosure pathway matters so much.
Generally, the patient can ask for an accounting of disclosures covering the six years before the request date, or a shorter period if they choose. Covered entities do not have to account for disclosures that occurred before their HIPAA Privacy Rule compliance date.
The first accounting of disclosures in any 12-month period must be free. If the same individual asks for another accounting within that 12-month period, the provider may charge a reasonable, cost-based fee after informing the individual in advance and giving them a chance to narrow or withdraw the request.
Treatment, payment, and healthcare operations disclosures are not included. HIPAA excludes them from the accounting requirement, which is the main reason an accounting of disclosures is not the same thing as a full history of every disclosure event involving the patient's information.