Awareness article
Accounting of Disclosures: HIPAA Definition for Small Clinics
The HIPAA right to an accounting of disclosures, which disclosures must be tracked, what the accounting must include, the 60-day response timeline, and records retention.
Short answer
The accounting of disclosures is the individual's right to receive a list of certain disclosures of their PHI made by a covered entity for purposes other than treatment, payment, or healthcare operations during the prior six years (45 CFR § 164.528). Covered entities must track these disclosures and respond to accounting requests within 60 days.
The accounting of disclosures is the individual’s right under 45 CFR § 164.528 to receive a list of certain PHI disclosures your clinic made during the prior six years — specifically those made for purposes other than treatment, payment, and healthcare operations. This right is administratively demanding because it requires your clinic to maintain ongoing tracking records for every qualifying disclosure, starting now, so you can respond to a request six years from today.
Small-clinic example: A patient at a 3-provider internal medicine practice submits a written request for an accounting of disclosures. Your Privacy Officer discovers the clinic has no disclosure log. You cannot reconstruct from memory which records were sent to the county public health department, when a court order required release of records, or whether a workers’ compensation carrier received a chart summary two years ago. The accounting cannot be produced, and your clinic is in violation — not because of the disclosures themselves, but because you never tracked them.
What the Accounting Covers
Under 45 CFR § 164.528(a)(1), a patient has the right to receive an accounting of certain disclosures of PHI your clinic made in the six years prior to the date of the request.
The six-year lookback period means your tracking system must retain each qualifying disclosure record for at least six years from the date it occurred. Reconstructing disclosures after a request arrives is both difficult and legally insufficient.
Disclosures That Must Be Tracked
The accounting obligation applies to disclosures made for purposes other than treatment, payment, and healthcare operations. Your clinic must track and include the following if they occur.
Public health activities (45 CFR § 164.512(b)). Disclosures to public health authorities for disease reporting, injury tracking, vital statistics reporting, FDA reporting, or notification of persons exposed to communicable diseases.
Health oversight activities (45 CFR § 164.512(d)). Disclosures to health oversight agencies — such as state licensing boards, CMS, or OCR — for audits, investigations, inspections, and civil or administrative proceedings.
Judicial and administrative proceedings (45 CFR § 164.512(e)). Disclosures made in response to court orders, subpoenas, or other legal process.
Law enforcement purposes (45 CFR § 164.512(f)). Disclosures to law enforcement officials under the limited circumstances HIPAA permits (pursuant to legal process, to report certain crimes, to identify or locate a suspect).
Decedents (45 CFR § 164.512(g)). Disclosures to funeral directors and coroners or medical examiners.
Cadaveric organ, eye, or tissue donation (45 CFR § 164.512(h)). Disclosures to organ procurement organizations.
Research without authorization (45 CFR § 164.512(i)). Disclosures for research activities when an IRB or privacy board has approved a waiver of authorization.
Serious threat to health or safety (45 CFR § 164.512(j)). Disclosures to prevent or lessen a serious threat to the health or safety of a person or the public.
Specialized government functions (45 CFR § 164.512(k)). Disclosures related to military and veterans activities, national security, and protective services.
Workers’ compensation (45 CFR § 164.512(l)). Disclosures authorized by and necessary to comply with workers’ compensation laws.
Disclosures Excluded from the Accounting
The following disclosures do not need to be tracked for accounting purposes under 45 CFR § 164.528(a)(1):
- Disclosures for treatment, payment, and healthcare operations (TPO) — the largest category for most clinics
- Disclosures to the individual about their own PHI
- Disclosures made pursuant to the individual’s written authorization
- Disclosures incident to otherwise permissible disclosures
- Disclosures for national security or intelligence purposes under specific circumstances
- Disclosures to correctional institutions or law enforcement custodians under specific circumstances
- Disclosures that are part of a limited data set under a data use agreement
The TPO exclusion covers the overwhelming majority of disclosures in a typical small clinic. Referrals, claim submissions, care coordination, quality improvement reviews, and billing activity are all excluded. The accounting obligation attaches to less frequent, more formal disclosure categories.
What the Accounting Must Include
For each accountable disclosure, your clinic must record the following under 45 CFR § 164.528(b)(1):
- Date of the disclosure
- Name and address of the entity or person who received the PHI
- Brief description of the PHI disclosed
- Brief statement of the purpose of the disclosure that reasonably informs the individual of the basis, or a copy of the written authorization or disclosure request
Exception for recurring disclosures of the same type. If your clinic made multiple disclosures to the same recipient for the same purpose, you may maintain a summary entry listing the PHI disclosed, the recipient, the frequency, and the date of the last disclosure during the accounting period (45 CFR § 164.528(b)(3)). This is practically useful for recurring public health disease reports — log the reporting relationship and update the date of last disclosure rather than logging each individual report.
Temporary Suspension of the Accounting
Under 45 CFR § 164.528(a)(2), your clinic must temporarily suspend a patient’s accounting right for disclosures to a health oversight agency or law enforcement official if that agency or official provides a written statement that the accounting would impede their activities. The suspension lasts for the time specified in the written statement.
In practice: if a law enforcement agency investigating a patient’s case requests that your clinic omit the investigation from any accounting response, your clinic may do so during the active investigation period. Document the suspension and the written request that authorized it.
The Response Timeline
Under 45 CFR § 164.528(c), your clinic must act on an accounting request no later than 60 calendar days after receipt. If you need additional time, one 30-day extension is available — but only if you notify the patient within the original 60-day period of the reasons for the delay.
Cost: Your clinic must provide the first accounting to a patient in any 12-month period at no charge. For a second accounting in the same 12-month period, you may impose a reasonable cost-based fee — but you must inform the patient in advance and give them the opportunity to withdraw or modify the request before the fee applies.
Practical Tracking for Small Clinics
The most common accounting of disclosures failure is not a procedural error in responding — it is never building a tracking log in the first place, which makes the accounting impossible to produce.
1. Identify your accountable disclosure triggers. For a typical small clinic, the most common trackable events are subpoenas, court orders, law enforcement requests, mandatory public health reports, and workers’ compensation disclosures.
2. Log each disclosure at the time it occurs. Record: date, recipient name and address, brief description of PHI, and purpose.
3. Retain the log for six years. A rolling six-year log is the minimum needed to respond to any request.
4. Assign responsibility. Your Privacy Officer should be the designated point of contact for identifying and logging accountable disclosures.
5. Train staff on triggers. Front desk and administrative staff who receive requests from law enforcement or public health agencies must know to route those requests to the Privacy Officer for logging before any records leave the building.
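The five steps above describe a tracking log and a request workflow; the following Python module is an added example that implements them as a small data model (it is not PHIGuard's code or any product's code). It assumes the purpose keys, the patient identifier format, and the sample disclosures are all constructed for illustration. It logs every disclosure with the 45 CFR § 164.528(b)(1) elements, applies the six-year lookback at request time, drops excluded purposes, collapses recurring disclosures to the same recipient for the same purpose into one summary entry (§ 164.528(b)(3)), omits disclosures covered by a written suspension (§ 164.528(a)(2)), and computes the 60-day deadline, the 30-day extension, and whether a second request in twelve months may carry a fee.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed purpose keys for the accountable categories in 45 CFR 164.512(b)-(l).
# Any other purpose (treatment, payment, operations, to_individual, authorization,
# incidental, limited_data_set, ...) is excluded from the accounting.
ACCOUNTABLE_PURPOSES = {
    "public_health", "health_oversight", "judicial", "law_enforcement", "decedent",
    "organ_donation", "research_waiver", "safety_threat", "government_function",
    "workers_comp",
}
LOOKBACK_YEARS, RESPONSE_DAYS, EXTENSION_DAYS = 6, 60, 30


@dataclass(frozen=True)
class Disclosure:
    """One disclosure, logged when it happens with the 164.528(b)(1) elements."""
    patient_id: str
    disclosed_on: date
    recipient_name: str
    recipient_address: str
    phi_description: str
    purpose: str            # key from ACCOUNTABLE_PURPOSES or an excluded purpose
    purpose_statement: str  # brief statement of the basis for the disclosure


@dataclass(frozen=True)
class Suspension:
    """Written statement from an oversight agency or law enforcement official
    (164.528(a)(2)) suspending the accounting right for its disclosures."""
    patient_id: str
    recipient_name: str
    starts_on: date
    ends_on: date
    statement_ref: str      # where the written statement is filed


def years_before(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year - years)
    except ValueError:      # 29 February with a non-leap target year
        return d.replace(year=d.year - years, day=28)


class DisclosureLog:
    def __init__(self) -> None:
        self.entries: list[Disclosure] = []
        self.suspensions: list[Suspension] = []
        self.requests: list[tuple[str, date]] = []  # (patient_id, received_on)

    def record(self, d: Disclosure) -> None:
        self.entries.append(d)   # log everything at the time of disclosure

    def add_suspension(self, s: Suspension) -> None:
        self.suspensions.append(s)

    def _suspended(self, d: Disclosure, on: date) -> bool:
        return any(s.patient_id == d.patient_id and s.recipient_name == d.recipient_name
                   and s.starts_on <= on <= s.ends_on for s in self.suspensions)

    def accounting(self, patient_id: str, request_date: date) -> list[dict]:
        """Accountable disclosures in the six years before the request; repeated
        disclosures to one recipient for one purpose become a summary entry."""
        window_start = years_before(request_date, LOOKBACK_YEARS)
        groups: dict[tuple[str, str], list[Disclosure]] = {}
        for d in sorted(self.entries, key=lambda e: e.disclosed_on):
            if d.patient_id != patient_id or d.purpose not in ACCOUNTABLE_PURPOSES:
                continue
            if not (window_start <= d.disclosed_on <= request_date):
                continue
            if self._suspended(d, request_date):
                continue
            groups.setdefault((d.recipient_name, d.purpose), []).append(d)
        out = []
        for ds in groups.values():
            last = ds[-1]
            entry = {"recipient": last.recipient_name, "address": last.recipient_address,
                     "phi": last.phi_description, "purpose": last.purpose_statement}
            if len(ds) == 1:
                entry["date"] = last.disclosed_on
            else:   # 164.528(b)(3) summary: frequency plus date of last disclosure
                entry["frequency"], entry["last_date"] = len(ds), last.disclosed_on
            out.append(entry)
        return out

    def receive_request(self, patient_id: str, received_on: date,
                        extension_notice_on: Optional[date] = None) -> dict:
        """Log the request; return the 164.528(c) deadline and whether a cost-based
        fee may be charged (only for a second request within 12 months)."""
        deadline = received_on + timedelta(days=RESPONSE_DAYS)
        if extension_notice_on is not None:
            if extension_notice_on > deadline:
                raise ValueError("extension notice must be given within the 60-day period")
            deadline += timedelta(days=EXTENSION_DAYS)
        prior = [r for p, r in self.requests
                 if p == patient_id and years_before(received_on, 1) < r <= received_on]
        self.requests.append((patient_id, received_on))
        return {"deadline": deadline, "fee_permitted": bool(prior)}


def demo() -> tuple[list[dict], dict, dict]:
    """Constructed sample log for a hypothetical patient PT-0001."""
    log, pid, req = DisclosureLog(), "PT-0001", date(2025, 3, 10)
    log.record(Disclosure(pid, date(2024, 5, 2), "Referral Clinic", "1 Clinic Way",
                          "visit note", "treatment", "referral"))            # TPO: excluded
    log.record(Disclosure(pid, date(2018, 1, 15), "County Court", "2 Court St",
                          "full chart", "judicial", "court order"))          # outside lookback
    log.record(Disclosure(pid, date(2023, 2, 1), "WC Carrier Inc", "3 Insurer Rd",
                          "chart summary", "workers_comp", "workers' compensation claim"))
    for m in (1, 2, 3):                                                       # recurring reports
        log.record(Disclosure(pid, date(2025, m, 5), "County Health Dept", "4 Public Sq",
                              "lab result", "public_health", "communicable disease report"))
    log.record(Disclosure(pid, date(2024, 11, 20), "City Police", "5 Station Rd",
                          "admission dates", "law_enforcement", "legal process"))
    log.add_suspension(Suspension(pid, "City Police", date(2024, 11, 20),
                                  date(2025, 6, 30), "LE-letter-2024-11"))  # active suspension
    first = log.receive_request(pid, req)
    second = log.receive_request(pid, date(2025, 4, 20), extension_notice_on=date(2025, 5, 1))
    return log.accounting(pid, req), first, second
```

Running `demo()` yields an accounting with two entries (the workers' compensation disclosure as a dated entry and the three public health reports as one summary with frequency 3), a first-request deadline of 9 May 2025 with no fee, and a second request that may carry a fee and, with timely notice, a 90-day deadline.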
PHIGuard helps covered entities maintain disclosure tracking logs and manage accounting request responses as part of its HIPAA compliance platform. See PHIGuard’s HIPAA page for how the platform supports small clinic compliance.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.