A patient calls your office and says, “I want to know everyone you’ve shared my medical records with over the past three years.” This is not an unusual request, and HIPAA provides the patient with an explicit right to receive this information. The right to an accounting of disclosures under 45 CFR 164.528 requires your practice to track certain disclosures and produce a detailed log on request. For many practices, this is one of the most operationally challenging patient rights to fulfill — which is exactly why you need a process in place before the request arrives.
What Is an Accounting of Disclosures?
An accounting of disclosures is a written record of certain disclosures of PHI made by your practice during a specified period. The individual may request an accounting covering up to six years prior to the date of the request (though not for disclosures made before your HIPAA compliance date or before April 14, 2003). You must provide the accounting within 60 days of the request, with one 30-day extension available if you provide written notice to the individual.
For each disclosure included in the accounting, you must provide:
- The date of the disclosure
- The name and address (if known) of the entity or person who received the PHI
- A brief description of the PHI disclosed
- A brief statement of the purpose of the disclosure, or a copy of the request that prompted it
What Must Be Included
The accounting covers disclosures — not uses. Uses of PHI (internal to your covered entity) are generally excluded. Disclosures that must be tracked and reported include:
- Disclosures required by law (e.g., reporting communicable diseases to a public health authority)
- Disclosures for public health activities
- Disclosures about victims of abuse, neglect, or domestic violence
- Disclosures for health oversight activities
- Disclosures for judicial and administrative proceedings
- Disclosures for law enforcement purposes
- Disclosures to coroners, medical examiners, and funeral directors
- Disclosures for organ and tissue donation
- Disclosures for research purposes (with specifics)
- Disclosures to avert a serious threat to health or safety
- Disclosures for specialized government functions
- Disclosures for workers’ compensation
- Disclosures to the individual’s personal representative
- Disclosures to HHS for compliance investigations
What Is Excluded from the Accounting
Critically, several major categories of disclosure are exempt from the accounting requirement:
- Disclosures for treatment, payment, and healthcare operations (TPO): This is the broadest exemption. Sending records to a referring specialist, submitting claims to an insurer, or conducting quality reviews does not need to be tracked for accounting purposes under the current rule.
- Disclosures to the individual: Providing the patient with their own records is not included.
- Disclosures pursuant to a signed authorization: If the patient authorized the disclosure, it is excluded.
- Disclosures for a facility directory: Hospital patient directories are exempt.
- Disclosures to persons involved in the individual’s care: Family members or others involved in care, with the individual’s agreement.
- Disclosures for national security or intelligence purposes
- Disclosures to correctional institutions about inmates
- Disclosures that are part of a limited data set
The TPO exemption means that for many small practices, the volume of disclosures that actually need to be tracked is much lower than it might initially appear. But the disclosures that do need tracking are precisely the ones that are easy to forget: a subpoena response, a public health report, a workers’ compensation disclosure, or a law enforcement request.
Building a Disclosure Tracking System
The biggest compliance gap we see through GuardWell’s compliance platform is practices that have no disclosure tracking system at all. When a patient requests an accounting, the practice scrambles to reconstruct disclosures from memory, email records, and fax logs. This is unreliable and exposes the practice to an OCR complaint if the accounting is inaccurate or incomplete.
A compliant disclosure tracking system should capture:
- Date of disclosure
- Recipient name and address
- Brief description of the PHI disclosed (e.g., “treatment records for dates 3/1/2025 through 6/30/2025”)
- Purpose of the disclosure (e.g., “subpoena response,” “public health reporting,” “law enforcement request”)
- Supporting documentation (copy of subpoena, request letter, etc.)
This log should be maintained centrally, reviewed regularly, and accessible to the person responsible for responding to accounting requests. Integrating disclosure tracking into your risk assessment and audit preparation process ensures the data is reliable when you need it.
Multiple Disclosures to the Same Entity
If you make multiple disclosures to the same entity for the same purpose during the accounting period, HIPAA allows you to provide the information for the first disclosure plus the frequency, periodicity, or number of subsequent disclosures and the date of the last disclosure in the period. This aggregation rule simplifies accounting for recurring disclosures such as regular public health reports.
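As an added illustration that is not part of this article or GuardWell's platform, the following Python sketch models the log fields listed under "Building a Disclosure Tracking System" and shows how an accounting is generated from that log: it applies the six-year look-back, drops the TPO and other exempt categories, and aggregates repeated disclosures to the same entity for the same purpose as described above. The purpose labels, field names and the `response_deadline` helper are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Purposes exempt from the accounting under the current Privacy Rule (the page's
# exclusion list, as assumed labels); every other purpose in the log is reportable.
EXEMPT_PURPOSES = {
    "treatment", "payment", "healthcare operations", "to the individual",
    "authorization", "facility directory", "involved in care",
    "national security", "correctional institution", "limited data set",
}

@dataclass
class Disclosure:                  # one row of the disclosure log (fields from the page)
    patient_id: str
    disclosed_on: date
    recipient: str
    recipient_address: str
    phi_description: str
    purpose: str
    supporting_doc: str = ""       # reference to the copy of the subpoena / request letter

def lookback_start(request_date: date, years: int = 6) -> date:
    """Earliest date the accounting covers: six years before the request."""
    try:
        return request_date.replace(year=request_date.year - years)
    except ValueError:             # request dated 29 February
        return request_date.replace(year=request_date.year - years, day=28)

def build_accounting(log, patient_id: str, request_date: date) -> list:
    """Reportable disclosures for one patient; repeats to the same recipient for the
    same purpose are aggregated: first in full, then count of later ones and last date."""
    start = lookback_start(request_date)
    rows = sorted((d for d in log if d.patient_id == patient_id
                   and start <= d.disclosed_on <= request_date
                   and d.purpose not in EXEMPT_PURPOSES),
                  key=lambda d: d.disclosed_on)
    entries = {}
    for d in rows:
        key = (d.recipient, d.purpose)
        if key in entries:
            entries[key]["subsequent_count"] += 1
            entries[key]["last_date"] = d.disclosed_on
        else:
            entries[key] = {"date": d.disclosed_on, "recipient": d.recipient,
                            "address": d.recipient_address, "phi": d.phi_description,
                            "purpose": d.purpose, "subsequent_count": 0, "last_date": None}
    return list(entries.values())

def response_deadline(request_date: date, extended: bool = False) -> date:
    """60 days to respond, or 90 with the single 30-day extension (written notice)."""
    return request_date + timedelta(days=90 if extended else 60)
```

A payment disclosure and a disclosure older than six years never reach the output, while three public health reports to the same agency collapse into one entry with a count and a last date.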
Fees
The first accounting in any 12-month period must be provided free of charge. For subsequent requests within the same 12-month period, you may charge a reasonable, cost-based fee — but only if you inform the individual in advance of the fee and give them an opportunity to withdraw or modify the request.
What Happens If You Cannot Produce an Accounting
If a patient requests an accounting and you cannot produce one because you have not been tracking disclosures, you face a compliance problem. OCR expects covered entities to maintain the records necessary to fulfill the accounting right on an ongoing basis. Retroactively attempting to assemble a disclosure history is both unreliable and itself evidence of a compliance gap. Start tracking now, even if your historical records are incomplete. Document any limitations in your current system and the steps you are taking to address them through your audit preparation process.
Training Your Staff
Front desk staff, medical records personnel, and anyone who responds to external requests for PHI must understand the disclosure tracking obligation. Every time PHI leaves your practice for a purpose other than TPO, individual request, or authorized disclosure, it should be logged. Regular HIPAA training should include scenarios involving subpoena responses, public health reports, and law enforcement requests so staff recognize when a disclosure needs to be tracked.
Frequently Asked Questions
Do I need to track disclosures made by my business associates?
Your business associates are independently required to track their own disclosures and make accounting information available to you upon request. Your BAA should include provisions requiring business associates to provide disclosure tracking data within a specified timeframe so you can fulfill patient accounting requests. If your BAA does not address this, it should be updated.
How far back does the accounting need to go?
An individual may request an accounting for any period up to six years prior to the date of the request. You must maintain disclosure records for at least six years from the date of the disclosure. Many practices maintain a rolling six-year log and archive older records.
If we send claims to insurance, do we need to include those in the accounting?
No. Disclosures for treatment, payment, and healthcare operations are exempt from the accounting requirement under the current Privacy Rule. Claims submissions, coordination of benefits, and other payment-related disclosures do not need to be tracked for this purpose.
What if a patient disputes the accuracy of the accounting we provide?
HIPAA does not include a specific dispute mechanism for accounting accuracy comparable to the amendment right for medical records. However, if a patient believes the accounting is incomplete or inaccurate, they may file a complaint with OCR. Maintaining thorough contemporaneous records is your best defense against such a challenge.