
HIPAA protects patient privacy, sets security requirements, and gives patients rights that help them understand and control how their PHI is used and disclosed. Many disclosures require a signed patient authorization, but the Privacy Rule also permits, and in some cases requires, disclosures without one.

Patients have a right to an accounting of certain disclosures, so those disclosures must be logged in a way that lets you produce the report on request. Not every disclosure belongs in that report, however. In this article, we’ll discuss what an accounting of disclosures is, which disclosures it must include, what the report must contain, and the deadlines and fees that apply.

As you read on, please do keep in mind that you should always document every disclosure, whether it’s necessary for an accounting of disclosures or not. 


HHS defines disclosure as the “release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” This broad HIPAA definition is simple: if PHI leaves your organization, it’s a disclosure. It applies to breaches and unintentional disclosures just as it does to deliberate ones.

When dealing with disclosure accounting, however, the set of disclosures you must report is narrower.

In this context, the disclosures you must account for are those not covered by one of the exceptions in the Privacy Rule. The most significant exceptions are disclosures made under a signed patient authorization and disclosures made for treatment, payment, and healthcare operations (TPO), including disclosures to a business associate under a business associate agreement (BAA) so it can perform those functions on your behalf.

So while the broad HIPAA definition of disclosure accounts for all movement of protected health information, disclosures in the context of accounting are limited to specific instances. There is a reason for this divide. 

An accounting of disclosures is a report for patients designed to fill gaps in their knowledge of their PHI disclosures. The most significant example of this split is in the context of PHI requests made with signed patient authorization forms. 

When a patient signs a form to authorize disclosure to themselves, another provider, or a third-party professional, they’re already aware of the disclosure. While it counts as a disclosure under the broad definition, it doesn’t need to appear in an accounting of disclosures.


To help you understand what you must add to an accounting of disclosures, let’s discuss the exceptions. If you’re a covered entity, note that the accounting must also include any reportable disclosures your business associates make on your behalf, so your BAAs should require business associates to log those disclosures and provide the details to you on request.

Patients have the right to request HIPAA accounting, excluding disclosures made for the following purposes:

Treatment, Payment, and Healthcare Operations

HHS excludes TPO, or treatment, payment, and healthcare operations, from the accounting of disclosures. These are the core reasons medical, billing, and imaging records exist, and patients are notified of them in the notice of privacy practices rather than in an accounting.

Treatment refers to “the provision, coordination, or management of healthcare and related services.” This includes consultations and patient referrals with other providers and essential functions with third parties (business associates and other covered entities).

Payment refers to the actions healthcare providers take to seek payment or reimbursement for services rendered. It also covers health plans’ activities to obtain premium payments, provide coverage benefits, and provide or collect reimbursement for services.

Healthcare Operations are certain administrative, financial, legal, and quality improvement activities essential for covered entities’ business operations and core functions.

Informing Individuals Directly Involved in Patient Care

There’s a short list of other disclosures that healthcare providers may make without reporting them in an accounting of disclosures.

Disclosures to the patient themselves don’t require accounting; a patient discussing or receiving their own PHI from their provider is already aware of it.

Incidental disclosure is a “secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule.” A common example of an incidental disclosure is another patient overhearing part of a confidential doctor-patient conversation.

Disclosures made under a signed authorization are excluded because the authorization itself shows the patient is aware of and consents to the disclosure of PHI to the recipient.

Disclosures to a facility directory (for example, confirming a patient’s presence and general condition to a visitor) don’t require accounting, provided the patient was given the chance to object.

Individuals involved in the patient’s care may receive certain PHI about that patient. This individual may be a family member, a close personal friend, or another person the patient identifies. 

Such individuals may receive PHI if it’s directly related to their involvement with the patient’s care or payment for that care, as well as notifications about the patient’s location, general condition, or death. These disclosures don’t require accounting.

Disclosures for national security or intelligence purposes don’t require accounting.

Disclosures to correctional institutions or to law enforcement officials with lawful custody of an inmate don’t require accounting.

A limited data set is PHI from which 16 direct identifiers (name, address, contact details, Social Security number, and so on) have been removed, but which may still contain dates and limited geographic data. Covered entities may share a limited data set for research, public health, or healthcare operations without patient authorization under a data use agreement, and such disclosures don’t require accounting. Note that a limited data set is still PHI; it’s not the same as fully de-identified data.


With such a long list of disclosures that don’t require inclusion in an accounting of disclosures, it may be hard to visualize when inclusion is necessary. There are plenty of situations where disclosure would necessitate accounting, including the following:

Research Purposes

Disclosures of PHI for research that has not been de-identified, and that are made without patient authorization (for example, under a waiver approved by an Institutional Review Board or Privacy Board), must be included in an accounting of disclosures. For research disclosures involving the records of 50 or more individuals, the Privacy Rule allows a simplified accounting that describes the protocol and how the researcher may be contacted rather than listing each disclosure.

Marketing and Sales Purposes

Most disclosures of PHI for marketing purposes, and any sale of PHI, require a signed patient authorization. Because disclosures made under a valid authorization are excluded from the accounting, the marketing or sales disclosures you must account for are the ones made without one. If you can’t point to a signed authorization covering a marketing disclosure, log it for the accounting.

Legal Use

In certain situations, the release of information is required or permitted by law, and you must include these disclosures in your accounting. Examples include responses to subpoenas and court orders, disclosures to avert a serious threat to health or safety, and state-mandated reporting. 

This also includes disclosures made for government functions like military and veteran activities. Worker’s Compensation disclosures necessary for legal compliance are also included.

Disclosure of PHI may also be mandatory for patients who have faced abuse, neglect, and/or domestic violence, necessitating accounting. 

Public Health

The release of PHI may be necessary for public health activities, and these disclosures must also be included in the accounting. Public health authorities, the FDA, and similar agencies may require disclosures to prevent or control disease, to support investigations and product safety reporting, and to respond to bioterrorism or other public health threats. 

End of Life

When a patient dies, PHI may be disclosed to coroners and medical examiners to identify the deceased or determine the cause of death, to funeral directors as needed to carry out their duties, and to organ procurement organizations to facilitate donation and transplantation. These disclosures are permitted without authorization and must be included in the accounting. 

Incorrect Recipient

In addition to fulfilling Breach Notification Rule requirements, PHI disclosed unintentionally or to the incorrect party requires accounting.


When patients request an accounting of disclosures, your report must include disclosures made 6 years prior to the request date. Requestors can provide a date range for this request, but it may not extend beyond this 6-year period.

When an accounting of disclosures request reaches an organization, that organization has 60 days to fulfill the request. With a detailed, written statement that includes the reason for delay and expected date of fulfillment, covered entities may extend this deadline an extra 30 days.

Once you’ve determined which disclosures require inclusion in an accounting of disclosures, it’s important to include all necessary information. This information includes:

The date of the disclosure and the name of the entity or person who received the PHI, including their address if it’s known.

A brief description of the PHI disclosed. 

A brief statement of the purpose of the disclosure that reasonably informs the patient of the basis for it. In place of that statement, you may include a copy of the written request when the disclosure was made to the Secretary of HHS to investigate or determine your compliance, or under one of the Privacy Rule’s public interest provisions (legal proceedings, public health, law enforcement, and similar purposes) in response to a written request. 


In most cases, covered entities may not charge for releasing a requested accounting of disclosures. The HIPAA Privacy Rule requires covered entities to release the first accounting in any given 12-month period for no charge. 

In situations where an individual requests their accounting of disclosures more than once in 12 months, covered entities may charge. This charge must be a reasonable, cost-based fee, and it may only be required if the covered entity informs the individual of the fee in advance. They must also offer the requestor an opportunity to change or rescind their request.
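The following script is an added example, not code from the original article or from ChartRequest’s product. It shows how the rules above translate into a disclosure-log filter: it keeps only disclosures inside the six-year lookback (clamped to any narrower date range the patient asks for), drops the exempt purposes, checks that each surviving entry carries the required fields, and computes the response deadline and whether a fee may be charged. The disclosure log, the purpose category names, and the patient’s request dates are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Purpose categories that 45 CFR 164.528(a)(1) excludes from an accounting.
# The category names are this example's own labels, not regulatory terms.
EXEMPT_PURPOSES = frozenset({
    "treatment", "payment", "health_care_operations",
    "to_individual", "incidental", "authorization",
    "facility_directory", "persons_involved_in_care",
    "national_security", "correctional_or_law_enforcement_custody",
    "limited_data_set",
})

LOOKBACK_YEARS = 6     # accounting covers the six years before the request
RESPONSE_DAYS = 60     # initial deadline to act on the request
EXTENSION_DAYS = 30    # one extension, with a written statement to the patient


@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    recipient_name: str
    recipient_address: str | None   # include when known
    phi_description: str
    purpose: str                    # category tested against EXEMPT_PURPOSES
    purpose_statement: str          # brief statement shown to the patient


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def accounting_window(request_date: date, start: date | None = None,
                      end: date | None = None) -> tuple[date, date]:
    """Clamp the patient's requested range to the six years ending on the request date."""
    earliest = years_before(request_date, LOOKBACK_YEARS)
    lo = max(start or earliest, earliest)
    hi = min(end or request_date, request_date)
    if lo > hi:
        raise ValueError("requested range lies entirely outside the six-year lookback")
    return lo, hi


def build_accounting(log: list[Disclosure], request_date: date,
                     start: date | None = None, end: date | None = None) -> list[dict]:
    """Return the report entries for every reportable disclosure in the window."""
    lo, hi = accounting_window(request_date, start, end)
    entries = []
    for d in sorted(log, key=lambda x: x.disclosed_on):
        if not (lo <= d.disclosed_on <= hi) or d.purpose in EXEMPT_PURPOSES:
            continue
        # Every reportable entry needs date, recipient, PHI description and purpose.
        if not (d.recipient_name and d.phi_description and d.purpose_statement):
            raise ValueError(f"incomplete log record for disclosure on {d.disclosed_on}")
        entries.append({
            "date": d.disclosed_on.isoformat(),
            "recipient": d.recipient_name,
            "recipient_address": d.recipient_address,
            "phi_description": d.phi_description,
            "purpose": d.purpose_statement,
        })
    return entries


def response_deadline(received: date, extended: bool = False) -> date:
    """60 days from receipt, or 90 with the single permitted 30-day extension."""
    return received + timedelta(days=RESPONSE_DAYS + (EXTENSION_DAYS if extended else 0))


def fee_may_be_charged(prior_accountings: list[date], request_date: date) -> bool:
    """The first accounting in any 12-month period is free; a later one may carry a
    reasonable, cost-based fee, provided the patient is told in advance."""
    period_start = years_before(request_date, 1)
    return any(period_start < p <= request_date for p in prior_accountings)


# Constructed sample log; names and dates are fictitious.
SAMPLE_LOG = [
    Disclosure(date(2024, 3, 10), "Dr. A. Patel, Cardiology", None,
               "Referral summary", "treatment", "Referral for cardiology consult"),
    Disclosure(date(2023, 11, 2), "State Department of Health", "100 State St, Capital City",
               "Lab result (reportable condition)", "public_health",
               "Mandatory reportable disease notification"),
    Disclosure(date(2021, 6, 15), "University Research Group", "1 Campus Dr, College Town",
               "Encounter records 2019-2020", "research_waiver",
               "Research under IRB-approved authorization waiver"),
    Disclosure(date(2017, 1, 20), "County Court", "5 Court Sq, County Seat",
               "Full chart", "court_order", "Court order"),
    Disclosure(date(2024, 1, 5), "Smith & Jones LLP", "9 Law Ave, Capital City",
               "Records 2022-2023", "authorization", "Patient-authorized release to attorney"),
    Disclosure(date(2023, 8, 19), "Wrong fax recipient", None,
               "Discharge summary", "misdirected", "Misdirected fax; breach notification sent"),
]

if __name__ == "__main__":
    req = date(2024, 5, 1)
    for entry in build_accounting(SAMPLE_LOG, req):
        print(entry)
    print("deadline:", response_deadline(req), "extended:", response_deadline(req, True))
```

Run as a script, it prints three entries for a request dated 2024-05-01: the research, misdirected-fax, and public-health disclosures. The treatment referral and the attorney release are excluded as exempt purposes, and the 2017 court order falls outside the six-year window.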


Manually logging every disclosure of protected health information can be a major challenge for healthcare workers. The release of information alone can devour hours of your team’s time between ensuring compliance, answering calls and emails regarding request status, hunting down incoming and verifying outgoing faxes, and so much more.

ChartRequest eliminates the burdens associated with the release of information to free your team for other important tasks. We understand people don’t enter healthcare for the paperwork, so we enable our partners to spend more time helping patients.

One key way we cut down the administrative legwork for our partner organizations is with our Automated Audit Log. This feature records every action taken within every request, giving you a complete trail for security and compliance.

Our Automated Audit Log can help protect you in the event of an audit, and it gives you a thorough view of each request that must be included in an accounting of disclosures. It’s just one of many ways our Release of Information software can simplify compliance and help your organization thrive.

Want to learn more about our Automated Audit Log or the other features that make ChartRequest one of the leaders in compliant release of information? Contact our success team to set up a brief chat.
