accounting for disclosures of records, right to (HIPAA)

HIPAA's Privacy Rule includes a right to an "accounting of disclosures" -- a listing of all disclosures of an individual's protected health information (PHI) made by the covered entity or its business associates for up to six years preceding the request.

The right is far less expansive than it might first appear. It does not entitle individuals to know about everyone who has had access to their PHI, because there are many exclusions. However, covered entities are free to go beyond the minimal accounting that HIPAA requires.

Most importantly, the accounting may exclude disclosures made by the covered entity to carry out treatment, payment and health care operations, which constitute the overwhelming majority of communications.

In addition, the accounting may exclude disclosures:

  • to the individual, of his or her own protected health information;
  • for the facility’s directory or other notification purposes;
  • incidental to otherwise permissible disclosures; or
  • that occurred prior to the compliance date (14 April 2003 for large entities, one year later for small ones).

Temporary suspension of an accounting is permitted for health oversight, national security, or law enforcement purposes. Such suspensions require that an agency or official provide a written statement that an accounting would be reasonably likely to impede their activities. The statement must specify the time for which such a suspension is required. (Oral requests of this kind are permitted, but can be in effect for no longer than 30 days without a written request as a follow-up.)

Note that disclosures for research operating under a waiver of authorization are not exempt from the accounting requirement, though disclosures made pursuant to an authorization for research are exempt (because all authorization-based disclosures are exempt). For waiver-based research disclosures, the requirement can be met by providing individuals with a list of all protocols for which their PHI may have been disclosed pursuant to a waiver, as well as the researcher's name and contact information. (Where 50 or fewer records are involved, the accounting must meet the normal specificity requirements listed below.)

Written accountings, for information not subject to the above exemptions, must include for each disclosure:

  • the date of the disclosure (if multiple disclosures, the start and stop dates and the frequency);
  • the name of the entity or person who received the protected health information and, if known, the address of such entity or person;
  • a brief description of the protected health information disclosed; and
  • a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure.

Covered entities have 60 days to meet such requests. An additional 30-day extension beyond that is allowed if the requestor is provided with a written explanation for the delay.

Individuals are entitled to a single accounting every 12 months without charge. Additional requests within a 12-month period may be subject to a "reasonable, cost-based fee" (provided that this is detailed in the Notice of Privacy Practices).

As with other HIPAA rights, institutions must designate a privacy office/officer to handle disclosure accounting requests, and must document the processing of any requests that are received.

   © 2002-2006 Contributing authors and University of Miami School of Medicine