OGC
Patient Rights

Accounting of Disclosures

What disclosures must be tracked, the six-year retention requirement, exceptions for treatment and operations, and what the accounting must contain.

The Right to an Accounting of Disclosures

The HIPAA Privacy Rule gives individuals the right to receive an accounting of certain disclosures of their PHI made by a covered entity in the six years prior to the date of the request. This right allows individuals to understand who has received their health information and for what purposes — providing a measure of transparency and accountability over PHI disclosures.

Which Disclosures Must Be Tracked

The accounting of disclosures applies to disclosures made for purposes other than treatment, payment, and healthcare operations (TPO). Specifically, the following disclosures must be tracked and included in accountings:

  • Disclosures to public health authorities
  • Disclosures about victims of abuse, neglect, or domestic violence
  • Disclosures for health oversight activities
  • Disclosures for judicial and administrative proceedings
  • Disclosures for law enforcement purposes
  • Disclosures to coroners, medical examiners, and funeral directors
  • Disclosures for cadaveric organ, eye, or tissue donation
  • Disclosures for research (with exceptions for certain research with waivers)
  • Disclosures to avert a serious threat to health or safety
  • Disclosures for specialized government functions
  • Disclosures for workers' compensation

Disclosures Excluded from the Accounting

The following disclosures do not need to be included in an accounting:

  • Disclosures to carry out treatment, payment, and healthcare operations
  • Disclosures to the individual
  • Disclosures incident to an otherwise permitted use or disclosure
  • Disclosures pursuant to a valid authorization
  • Disclosures for the facility's directory or to persons involved in the individual's care
  • Disclosures for national security or intelligence purposes
  • Disclosures to correctional institutions or law enforcement officials having lawful custody
  • Disclosures that are part of a limited data set

Content of Each Accounting Entry

For each disclosure included in the accounting, the covered entity must document:

  • The date of the disclosure
  • The name and, if known, the address of the entity or person who received the PHI
  • A brief description of the PHI disclosed
  • A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or a copy of the individual's written request for the disclosure

For multiple disclosures to the same person for the same purpose (such as ongoing public health reporting), the covered entity may provide the date of the first disclosure, the frequency or number of disclosures, and the date of the last disclosure, in lieu of a separate entry for each disclosure.

Six-Year Retention and Response Timeline

Covered entities must document disclosures and retain the documentation for six years from the date of the disclosure or the date the documentation was created, whichever is later. Upon receiving a request for an accounting, the covered entity must act on the request within 60 days. One 30-day extension is available with written notice to the individual. Covered entities must provide the first accounting in any 12-month period free of charge. Subsequent accountings within 12 months may be subject to a reasonable cost-based fee.

Was this article helpful?

Related Articles

Patient Right of Access to PHI

Patient Rights

Right to Request Amendment of PHI

Patient Rights

The HIPAA Privacy Rule: A Complete Overview

HIPAA Fundamentals