In 2011, a small physician practice in the Midwest received a patient's written request for an accounting of disclosures. The office manager had never heard the term. No log existed. No tracking system was in place. When the patient filed a complaint with OCR, the resulting investigation exposed far more than a single missing report: it revealed systemic Privacy Rule failures. This scenario plays out more often than most healthcare organizations realize, and it starts with one fundamental requirement: HIPAA requires an accounting of disclosures for most releases of protected health information that fall outside treatment, payment, and health care operations and the short list of other exceptions the rule names.

What the Privacy Rule Actually Says About Accounting of Disclosures

Under 45 CFR §164.528, every covered entity must provide individuals, upon request, with an accounting of disclosures of their protected health information (PHI) made during the six years prior to the request. This is not optional. It is a patient right embedded in the HIPAA Privacy Rule, and OCR investigates complaints about missing or incomplete accountings as violations of individual rights.

For each disclosure the accounting must include the date; the name of the entity or person who received the PHI and, if known, that recipient's address; a brief description of the information disclosed; and a brief statement of the purpose (where the disclosure was made in response to a written request, a copy of that request can stand in for the purpose statement). If multiple disclosures were made to the same entity for a single purpose during the period, you may list the first one in full and then give the frequency or number of disclosures and the date of the last one, rather than itemizing each.

Disclosures You Must Track Under the Accounting Requirement

Not every disclosure triggers the accounting obligation, but the list of those that do is longer than many compliance officers expect. Your organization must track and be prepared to account for disclosures made:

  • Pursuant to a court order or subpoena
  • To public health authorities for disease reporting or surveillance
  • To law enforcement in response to a lawful request
  • To health oversight agencies for audits or investigations
  • For research purposes when a waiver of authorization was granted by an IRB
  • To coroners, medical examiners, or funeral directors
  • For workers' compensation proceedings
  • As required by law — including mandatory state reporting obligations

In my work with covered entities, I consistently find that disclosures to public health authorities and law enforcement are the most frequently untracked categories. Organizations make these disclosures regularly but rarely log them in any systematic way.

The Exceptions Your Workforce Needs to Understand

HIPAA requires an accounting of disclosures, but the Privacy Rule carves out specific exceptions. You do not need to include disclosures made:

  • For treatment, payment, or health care operations (TPO)
  • To the individual who is the subject of the PHI
  • Incident to a use or disclosure the Privacy Rule otherwise permits
  • Pursuant to a valid written authorization signed by the patient or the patient's personal representative
  • For a facility directory, or to family members and others involved in the individual's care (the §164.510 disclosures)
  • For national security or intelligence purposes
  • To correctional institutions or law enforcement officials regarding inmates
  • As part of a limited data set

The TPO exception is by far the largest, which is why many organizations mistakenly believe they have very little to track. But once you factor in mandatory public health reports, responses to subpoenas, and disclosures to oversight agencies, the volume grows quickly — especially in hospital and health system settings.

Building a Disclosure Tracking System That Survives an OCR Audit

OCR does not prescribe a specific technology or format for maintaining your accounting log. Spreadsheets, EHR modules, and dedicated compliance platforms all qualify, as long as they capture the required data elements and the documentation is retained for six years. The Privacy Rule's documentation standard (§164.530(j)) covers the disclosure records themselves, copies of each written accounting you provided, and the titles of the people responsible for receiving and processing requests; each must be kept for six years from the date it was created or was last in effect, whichever is later.

Practical steps I recommend to every covered entity and business associate:

  • Centralize the log. Distributed tracking across departments creates gaps. One system of record reduces risk.
  • Assign ownership. Your Privacy Officer or a designated compliance staff member should be responsible for reviewing entries monthly.
  • Integrate with your EHR. Many modern EHR platforms include disclosure tracking modules. If yours does, configure it — don't let it sit dormant.
  • Include business associate disclosures. Disclosures a business associate makes on your behalf have always been part of the accounting (§164.528(b)(1)); this is not an Omnibus Rule addition. Your BAA must require the business associate to document such disclosures and to give you the information you need to respond to a request (§164.504(e)(2)(ii)(G)).
  • Document the response timeline. You have 60 days from receipt of a patient's request to provide the accounting. One 30-day extension is permitted if, within the original 60 days, you give the individual a written statement of the reason for the delay and the date by which you will respond. The first accounting in any 12-month period is free; you may charge a reasonable, cost-based fee for additional ones only after telling the individual the fee in advance and giving them the chance to withdraw or narrow the request.
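The data elements, the six-year look-back, the summary rule for repeated disclosures to one recipient, and the 60/90-day deadline above are concrete enough to model. The following is an added example written for this article, not code from the original page or from any EHR or compliance product: a small log with constructed sample records for a hypothetical patient "P-1001", a purpose vocabulary of my own choosing (the real rule classifies by regulatory section, not by these keys), and a mock request of the kind the action steps later recommend running. It shows which records drop out of an accounting and why.

```python
"""Accounting-of-disclosures log and mock request handler (illustrative only).

Models the data elements 45 CFR 164.528 requires, drops the exempt
categories of 164.528(a)(1), applies the six-year look-back, collapses
repeated disclosures to one recipient for one purpose into a summary
entry, and computes the 60-day (or extended 90-day) response deadline.
The purpose keys and all records are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Purpose keys treated as exempt from the accounting. Hypothetical vocabulary;
# each maps to a category the rule itself names.
EXEMPT_PURPOSES = frozenset({
    "treatment", "payment", "operations",       # TPO
    "to_individual",                            # to the subject of the PHI
    "incident_to",                              # incident to a permitted disclosure
    "authorization",                            # under a valid written authorization
    "facility_directory", "involved_in_care",   # 164.510 disclosures
    "national_security", "correctional",        # 164.512(k) disclosures
    "limited_data_set",
})


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient_name: str
    recipient_address: str   # "" when not known; the rule says "if known"
    description: str         # brief description of the PHI disclosed
    purpose: str             # category key; see EXEMPT_PURPOSES
    purpose_statement: str   # brief statement of purpose (or the written request)
    disclosed_by: str        # "CE" or the name of the business associate


def is_accountable(d: Disclosure) -> bool:
    """True when the disclosure must appear in an accounting."""
    return d.purpose not in EXEMPT_PURPOSES


def window_start(request_date: date) -> date:
    """Six years before the request date; Feb 29 falls back to Feb 28."""
    try:
        return request_date.replace(year=request_date.year - 6)
    except ValueError:
        return request_date.replace(year=request_date.year - 6, day=28)


def response_deadline(request_date: date, extended: bool = False) -> date:
    """60 days from receipt, or 90 if the one written 30-day extension was used."""
    return request_date + timedelta(days=90 if extended else 60)


def build_accounting(log, patient_id: str, request_date: date) -> list:
    """Return the accounting entries for one patient, oldest first."""
    start = window_start(request_date)
    groups = defaultdict(list)   # (recipient, address, purpose) -> disclosures
    for d in log:
        if d.patient_id != patient_id or not is_accountable(d):
            continue
        if not (start <= d.disclosed_on <= request_date):
            continue               # outside the six-year look-back
        groups[(d.recipient_name, d.recipient_address, d.purpose)].append(d)

    entries = []
    for items in groups.values():
        items.sort(key=lambda d: d.disclosed_on)
        first = items[0]
        entry = {
            "date": first.disclosed_on,
            "recipient": first.recipient_name,
            "address": first.recipient_address or "unknown",
            "description": first.description,
            "purpose": first.purpose_statement,
            "disclosed_by": first.disclosed_by,
        }
        if len(items) > 1:        # same recipient, single purpose: summarize
            entry["number_of_disclosures"] = len(items)
            entry["last_disclosure"] = items[-1].disclosed_on
        entries.append(entry)
    entries.sort(key=lambda e: e["date"])
    return entries


# Constructed sample log: one patient with a mix of accountable, exempt,
# out-of-window and business-associate disclosures, plus a second patient.
SAMPLE_LOG = [
    Disclosure("P-1001", date(2024, 1, 15), "Dr. A. Lee, Riverside Clinic", "1 Main St",
               "Referral note", "treatment", "Referral", "CE"),
    Disclosure("P-1001", date(2024, 2, 3), "State Dept. of Health", "100 Capitol Ave",
               "Lab result", "public_health", "Reportable disease report", "CE"),
    Disclosure("P-1001", date(2024, 3, 5), "State Dept. of Health", "100 Capitol Ave",
               "Lab result", "public_health", "Reportable disease report", "CE"),
    Disclosure("P-1001", date(2024, 4, 2), "State Dept. of Health", "100 Capitol Ave",
               "Lab result", "public_health", "Reportable disease report", "CE"),
    Disclosure("P-1001", date(2023, 11, 20), "County Circuit Court", "",
               "Visit summary", "subpoena", "Subpoena in civil matter", "CE"),
    Disclosure("P-1001", date(2024, 5, 9), "WC Insurance Co.", "9 Carrier Rd",
               "Injury report", "workers_comp", "Workers' comp claim", "Acme Billing (BA)"),
    Disclosure("P-1001", date(2017, 6, 1), "City Police Dept.", "2 Precinct Way",
               "Admission date", "law_enforcement", "Lawful request", "CE"),
    Disclosure("P-1001", date(2024, 6, 1), "Life Insurer Inc.", "5 Policy Pl",
               "Full record", "authorization", "Patient authorization", "CE"),
    Disclosure("P-2002", date(2024, 2, 3), "State Dept. of Health", "100 Capitol Ave",
               "Lab result", "public_health", "Reportable disease report", "CE"),
]


def example_request():
    """Mock request received 2024-07-01 for patient P-1001."""
    received = date(2024, 7, 1)
    entries = build_accounting(SAMPLE_LOG, "P-1001", received)
    return entries, response_deadline(received), response_deadline(received, extended=True)


if __name__ == "__main__":
    entries, due, due_ext = example_request()
    for e in entries:
        print(e)
    print("respond by", due, "or", due_ext, "with written extension notice")
```

Run against the sample log, the treatment and authorization records drop out as exempt, the 2017 police disclosure falls outside the six-year window, and the other patient's record is ignored; the three monthly reports to the health department collapse into one summary entry carrying the count and the last date, while the subpoena entry records the address as unknown and the workers' comp entry keeps the business associate's name as the discloser.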

The Workforce Training Requirement Most Organizations Underestimate

A disclosure tracking system is only as reliable as the people feeding data into it. Front-desk staff who fax records to a law enforcement officer need to know that event must be logged. Health information management professionals responding to a subpoena must understand the documentation requirement. Your compliance team cannot track what they never learn about.

This is why workforce training is not a separate initiative from your accounting of disclosures program — it is the foundation. Every member of your workforce who handles PHI must understand when a disclosure triggers the accounting requirement and how to report it internally. Comprehensive HIPAA training and certification programs build this awareness from onboarding forward, reducing the risk that disclosures fall through the cracks.

Penalties for Failing to Provide an Accounting

OCR's enforcement actions make the stakes clear. Violations of patient rights provisions, including the right to an accounting of disclosures, fall under the penalty structure at 45 CFR §160.404. Under the 2023 inflation-adjusted tiers, penalties range from $137 to $68,928 per violation depending on the level of culpability, with an annual cap of $2,067,813 for violations of an identical provision. The figures are adjusted each year, and OCR's 2019 notice of enforcement discretion applies lower annual caps to the lower culpability tiers.

More critically, an inability to produce an accounting signals to OCR investigators that your organization may lack fundamental Privacy Rule safeguards. What begins as a single complaint about a missing accounting often expands into a broader compliance review — covering your risk analysis, minimum necessary standard practices, Notice of Privacy Practices, and business associate agreements.

Action Steps for Your Organization Today

If you cannot produce a complete accounting of disclosures for any patient within 60 days of a request right now, your organization has a compliance gap that demands immediate attention. Start with these priorities:

  • Audit your current disclosure tracking process — or confirm that one exists at all.
  • Identify every category of non-TPO disclosure your organization routinely makes.
  • Ensure your business associate agreements include disclosure accounting obligations aligned with the Omnibus Rule.
  • Train every workforce member who handles PHI on their role in the tracking process through a structured workforce HIPAA compliance program.
  • Test your system by running a mock accounting request and evaluating completeness against the 45 CFR §164.528 requirements.

HIPAA requires an accounting of disclosures not as a bureaucratic formality but as a meaningful patient right. Organizations that treat it as an afterthought consistently find themselves explaining gaps to OCR — a conversation no compliance officer wants to have.