HIPAA Accounting of Disclosures
If your organization gets an “accounting of disclosures” request and your first instinct is to search email threads, pull EHR screenshots, and hope it goes away, you’re not alone. The HIPAA Privacy Rule gives individuals a specific right to request an accounting, but only for certain disclosures. The key is building a lightweight, repeatable process that (1) captures the disclosures you do have to track and (2) doesn’t burden routine operations.
This blog will break down when HIPAA accounting of disclosures applies and a practical way to operationalize it across teams, vendors, and systems.
Compliance note: This is general information, not legal advice.
What “Accounting of Disclosures” Means Under HIPAA
Under 45 CFR § 164.528, individuals generally have the right to receive an accounting of certain disclosures of their PHI made by a covered entity (and, in practice, disclosures made by business associates on the covered entity’s behalf) for up to the six years prior to the request.
Think of it as:
“Show me who you disclosed my PHI to outside of routine operations, and why.”
The Most Important Rule: Most Disclosures Do Not Need to Be Accounted For
HIPAA’s accounting requirement excludes several large categories, especially disclosures for Treatment, Payment, and Health Care Operations (TPO).
You typically do not include disclosures that are:
- For TPO (the big one)
- To the individual (the patient accessing their own info)
- Made pursuant to a valid authorization
- Incidental disclosures that occur as a byproduct of an otherwise permitted disclosure
- Certain specialized exceptions listed in the regulation (some national security/correctional disclosures)
Practical takeaway: Your accounting workflow should focus on “non-TPO disclosures without authorization.”
Common Disclosure Types That Do Trigger Accounting
While you should rely on your counsel/policy definitions, these are common buckets that often fall into “accounting-required” territory when not otherwise excluded by §164.528:
- Required by law disclosures
- Public health reporting
- Health oversight activities
- Law enforcement (certain disclosures)
- Judicial/administrative proceedings (depending on form/compulsion)
- Coroners/medical examiners, organ procurement
- Research disclosures under certain HIPAA permissions (not authorized by the individual)
This is why operationalization matters: these disclosures often happen outside the EHR (fax, portals, subpoenas, registries, public health reporting systems), and ownership is spread across departments.
What the Accounting Must Include (Data Elements You Need to Capture)
At a minimum, your process needs to be able to output the accounting elements required by §164.528, such as:
- Date of disclosure
- Name (and address, if known) of the recipient
- A brief description of the PHI disclosed
- A brief statement of purpose (or a copy of the written request for disclosure, in certain cases)
- For multiple disclosures to the same recipient for the same purpose, HIPAA allows a more general, “summary style” accounting for subsequent disclosures.
Timing Requirements You Must Operationalize
Your SOP should be designed to meet HIPAA’s clock:
- Respond within 60 days of receiving the request.
- You may take one 30-day extension if you provide a written statement explaining the delay and the expected completion date.
Also, the accounting covers up to six years prior to the request date (or a shorter period if the individual requests it), subject to limits like not needing to account for disclosures before the Privacy Rule compliance date.
How to Operationalize: A Practical, Low-Drama Operating Model
1) Define “Trackable Disclosures” in Plain English (and Map Them to Owners)
Create a one-page internal definition:
Track it if: it’s a disclosure of PHI outside TPO and not based on the patient’s authorization, and not otherwise excluded by §164.528.
Then map disclosure types to functional owners, for example:
- Subpoenas/legal: Legal/Compliance
- Public health reporting: Clinical leadership / HIM
- Quality oversight/government audits: Compliance
- Research: Research admin / IRB office
- External registries: Operations / HIM
This eliminates the most common failure mode: “Everyone thought someone else was logging it.”
2) Implement a Simple “Disclosure Log” That People Will Actually Use
You do not need a complex system to start. What you do need is consistency.
Minimum recommended fields:
- Patient identifier (MRN or unique ID)
- Date of disclosure
- Recipient name, organization, and contact info
- Disclosure category (dropdown)
- PHI description (high level)
- Purpose / authority (“required by law,” “public health reporting,” “subpoena”)
- Method (portal/fax/mail/secure email)
- Department owner
- Notes and link to supporting documentation
Design principle: If it takes more than 2 minutes to log, adoption will fail.
3) Centralize Intake and Clock Management
Operationally, treat accounting requests like a ticketed workflow:
- Intake goes to a single mailbox/form (Privacy Office or HIM)
- Assign a case owner
- Start the 60-day timer
- Trigger internal data collection tasks by department
This is where organizations get burned: the request sits in a queue for 3 weeks, then becomes a fire drill.
4) Build Department “Standard Pulls” (Repeatable Evidence Collection)
For each disclosure owner, define what to search and where:
- Subpoenas: legal matter folder, disclosure log entry, copy of request
- Public health: registry submission confirmation, log entry
- Oversight audits: agency request, response package, log entry
- Research: IRB documentation, data release record, and log entry
Your goal is not perfection, it’s repeatability.
5) Don’t Forget Business Associates: Contract + Workflow Alignment
Even when disclosures occur through a vendor workflow (cloud fax, billing services, registries, hosted EHR modules), your organization needs a practical way to retrieve what’s needed for an accounting.
Actionable approach:
- Add an internal requirement: BAs must provide disclosure details needed for §164.528 within an agreed SLA.
- Maintain a short BA list of “likely-to-disclose” vendors (release of information, labs, registries, population health platforms).
- Test it once a year with a tabletop request (“Provide all trackable disclosures for Patient X for the past 12 months”).
The most expensive time to discover your vendor can’t report disclosures is when a real request arrives.
6) Train the Front Line on “What to Log”
Most staff don’t need to know the regulation. They need decision support. Provide a micro-cheat-sheet: Log it if you disclose PHI to an outside party and it’s not for TPO and not patient-authorized. Don’t log routine referrals, billing, care coordination, or normal ops.
A “Good Enough” Accounting Output Template
When you generate the final accounting, ensure it includes:
- The requested period (up to six years)
- The required disclosure details per entry
- A note explaining categories excluded by HIPAA (e.g., TPO), so patients understand why common activities are not listed
- Documentation of any extension used (if applicable)
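To show how the disclosure log from step 2, the 60-day clock from step 3, and the output template above fit together, here is an added example in Python. It is not the post's own code or any vendor's tooling: the category labels, field names, and the sample log rows are constructed for illustration and would be mapped to your own log's dropdown values. It filters a log to one patient's trackable disclosures inside the six-year (or requested shorter) window, drops the categories §164.528 excludes, collapses repeated disclosures to the same recipient for the same purpose into a summary-style entry, and computes the response deadline with and without the single 30-day extension.

```python
"""Assemble a HIPAA accounting of disclosures from a simple disclosure log.

Added illustration, not the blog's code: category labels, field names and
the sample log entries below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Categories that 45 CFR 164.528 excludes from the accounting (TPO, to the
# individual, pursuant to authorization, incidental). The labels are an
# assumption for this example; map them to your own log's dropdown values.
EXCLUDED_CATEGORIES = {"tpo", "to_individual", "authorization", "incidental"}


@dataclass(frozen=True)
class Disclosure:
    """One row of the disclosure log (the minimum fields from step 2)."""
    patient_id: str
    disclosed_on: date
    recipient: str
    recipient_address: str  # "if known"; may be empty
    category: str           # dropdown value, e.g. "public_health", "tpo"
    phi_description: str
    purpose: str


def accounting_window(request_date, years=6, shorter_days=None):
    """Return (start, end): six years back by default, or a shorter span if
    the individual asked for one."""
    try:
        start = request_date.replace(year=request_date.year - years)
    except ValueError:  # request dated Feb 29 with no Feb 29 six years earlier
        start = request_date.replace(year=request_date.year - years, day=28)
    if shorter_days is not None:
        start = max(start, request_date - timedelta(days=shorter_days))
    return start, request_date


def response_deadline(received_on, extension_notice_sent=False):
    """60 days from receipt, plus one 30-day extension if the written
    statement explaining the delay was provided."""
    deadline = received_on + timedelta(days=60)
    if extension_notice_sent:
        deadline += timedelta(days=30)
    return deadline


def build_accounting(log, patient_id, request_date, years=6, shorter_days=None):
    """Filter the log to trackable disclosures for one patient inside the
    window, then collapse repeats to the same recipient for the same purpose
    into a summary-style entry (first date, number of disclosures, last date)."""
    start, end = accounting_window(request_date, years, shorter_days)
    rows = sorted(
        (d for d in log
         if d.patient_id == patient_id
         and d.category not in EXCLUDED_CATEGORIES
         and start <= d.disclosed_on <= end),
        key=lambda d: d.disclosed_on,
    )
    groups = {}
    for d in rows:
        groups.setdefault((d.recipient, d.purpose), []).append(d)
    accounting = []
    for group in groups.values():
        first, last = group[0], group[-1]
        entry = {
            "date": first.disclosed_on.isoformat(),
            "recipient": first.recipient,
            "address": first.recipient_address,
            "phi": first.phi_description,
            "purpose": first.purpose,
        }
        if len(group) > 1:  # summary style for subsequent disclosures
            entry["number_of_disclosures"] = len(group)
            entry["last_disclosure"] = last.disclosed_on.isoformat()
        accounting.append(entry)
    return accounting


# Constructed sample log: one patient with a repeated public health report,
# a subpoena, a TPO disclosure (excluded) and a report older than six years.
SAMPLE_LOG = [
    Disclosure("P001", date(2024, 1, 10), "State Dept. of Health", "", "public_health",
               "immunization record", "public health reporting"),
    Disclosure("P001", date(2024, 7, 10), "State Dept. of Health", "", "public_health",
               "immunization record", "public health reporting"),
    Disclosure("P001", date(2024, 9, 5), "County Superior Court", "1 Main St", "judicial",
               "visit summary 2024-08", "subpoena"),
    Disclosure("P001", date(2024, 11, 20), "Acme Billing", "", "tpo",
               "claim data", "payment"),
    Disclosure("P001", date(2018, 5, 1), "State Dept. of Health", "", "public_health",
               "immunization record", "public health reporting"),
    Disclosure("P002", date(2024, 2, 2), "County Superior Court", "1 Main St", "judicial",
               "visit summary", "subpoena"),
]

if __name__ == "__main__":
    request = date(2025, 3, 1)
    print("respond by", response_deadline(request))
    for entry in build_accounting(SAMPLE_LOG, "P001", request):
        print(entry)
```

The exclusion set is the decision rule from step 1 made explicit: anything logged under a TPO, to-the-individual, authorization, or incidental category never reaches the output, which keeps over-logging from bloating the report even if staff log more than they need to. The summary-style collapse follows the regulation's allowance for multiple disclosures to the same recipient for the same purpose; the excluded-category note for the patient and the extension record are still added to the final package by hand.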
Common Pitfalls That Create OCR-Grade Headaches
- Over-logging (tracking everything, including TPO) → bloated, error-prone reports and staff burnout
- Under-logging (no consistent capture of public health/legal disclosures) → cannot produce a complete accounting
- No BA pathway → you can’t reconstruct disclosures that occurred via vendors
- No single owner → deadlines get missed
FAQ: Accounting of Disclosures (Quick Answers)
Does HIPAA require us to document all oral disclosures?
Not across the board. HIPAA does not require documenting all oral communications, and TPO disclosures are generally excluded from accounting.
Do we have to account for incidental disclosures?
The accounting standard includes a specific exception for incidental disclosures that are permitted by the Privacy Rule.
How far back does the accounting go?
Up to six years prior to the request date (or a shorter period if requested), with regulatory limits such as not requiring disclosures before the compliance date.
How fast do we have to respond?
Within 60 days, with one allowed 30-day extension if properly documented.