
HIPAA Disclosure Accounting

Section §164.528 of the Privacy Rule is better known as the HIPAA disclosure accounting standard and states that an individual has the right to know to whom disclosures of Protected Health Information have been made in the past six years. However, there are so many exceptions to this standard that it is difficult to know what is left to account for.

The HIPAA disclosure accounting standard is included in the HIPAA Privacy Rule to reassure plan members and patients that any disclosures of Protected Health Information (PHI) are accounted for. However, individuals who exercise the right to request an accounting of disclosures may be surprised to find there are very few disclosures a covered entity has to account for.

When is a Disclosure Accounting Required under HIPAA?

A disclosure accounting is required under HIPAA whenever it is requested by an individual who is the subject of the PHI that has been disclosed, or by their personal representative. There are no limits to how frequently an individual can request a HIPAA disclosure accounting, and covered entities have to provide the requested accounting within 60 days of each request.

An individual can request an accounting of disclosures for any period in the six years prior to the request; but, due to the administrative burden of recording every disclosure, covered entities do not have to provide details of every disclosure in the accounting. Disclosures that are exempted from the disclosure accounting standard include:


  • Disclosures for treatment, payment, and healthcare operations.
  • Disclosures to, or authorized by, the individual.
  • Disclosures for notification purposes or for facility directories.
  • Disclosures for national security or intelligence purposes.
  • Disclosures to law enforcement or correctional institution officials.
  • Disclosures of PHI in a limited data set.

When you go back through the HIPAA Privacy Rule, there are not a lot of disclosures left that have to be accounted for. These are mostly limited to:

  • Disclosures required by law (e.g., to comply with state laws relating to child abuse).
  • Disclosures to public health authorities to report a disease for surveillance purposes.
  • Disclosures to the FDA when relevant to faulty medicines or medical equipment.
  • Disclosures to an employer to comply with workplace injury reporting requirements.
  • Disclosures to a school which are relevant to a student's immunization status.
  • Disclosures to HHS' Office for Civil Rights during a compliance investigation or audit.

Most other events that would require a disclosure to be accounted for are fairly rare. Examples include disclosures of identifiable PHI for research purposes with IRB approval, disclosures of PHI during litigation when the covered entity is not a party to the litigation (unless the litigation relates to the covered entity's healthcare operations), and whistleblower disclosures to a health oversight agency.

Impermissible disclosures and data breaches (including those attributable to business associates) are also omitted from the events that must be included in an accounting of disclosures. This is because individuals should be notified of impermissible disclosures and data breaches via the Breach Notification Rule. In practice, however, not all impermissible disclosures are notified to individuals.

HIPAA Disclosure Accounting and Business Associates

In the introduction to the HIPAA Administrative Simplification Regulations, section §160.102 (Applicability) states that business associates are required to comply with “this subchapter” (which includes the HIPAA Privacy Rule) “where provided”. The HIPAA disclosure accounting standard is one example of when HIPAA Privacy Rule standards can apply to business associates.

Like covered entities, business associates have to record all disclosures of PHI not exempted by section §164.528 (listed above). Thereafter, depending on the content of the Business Associate Agreement, business associates either report all eligible disclosures to a covered entity or respond to requests for an accounting of disclosures themselves.

If the business associate has the responsibility of responding to requests for an accounting of disclosures, the same rules apply: a business associate has 60 days to provide an accounting of disclosures, may not charge for the first HIPAA disclosure accounting each year, and is required to provide an accounting as often as requested.

When an Accounting of Disclosures of PHI to Patients is Not Required under HIPAA

There are no occasions when an accounting of disclosures of PHI to patients is not required under HIPAA, but there are occasions when disclosures of PHI can be temporarily withheld from a HIPAA disclosure accounting. These occur when a health oversight or law enforcement agency provides a written statement to the effect that an accounting of disclosures to the individual would impede the agency's activities. This can relate to specific disclosures or to all disclosures.

It is also the case that, although there are no occasions when an accounting of disclosures of PHI to patients is not required under HIPAA, covered entities can refuse to provide an accounting of disclosures to a patient's personal representative if there is reason to believe that providing certain information in the disclosure report to a personal representative of an individual could endanger the individual (see 76 FR 31425 Footnote 5).

If you are a member of an organization's workforce with a responsibility for recording accountable disclosures or responding to individuals' requests for an accounting of disclosures, and you would like more information about the HIPAA disclosure accounting standard, it is recommended that you seek advice from a HIPAA compliance professional.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
