If a patient walked into your practice today and asked, “Who outside your organization has seen my record in the last six years?”, could you answer with confidence and documentation, not guesswork?
Under the HIPAA Privacy Rule, patients have the right to request an accounting of disclosures of their protected health information (PHI) made by a covered entity or its business associates, with some important exceptions. This is not a theoretical right. It is written into federal regulations and is part of the trust patients place in your organization every time they share personal information.
This topic might sound “privacy focused,” but it has a strong security component. You cannot provide an accurate accounting if your systems do not record, protect, and retain the right information.
What Is “Accounting of Disclosures”?
An accounting of disclosures is a record you provide to an individual that lists certain disclosures of their PHI you made to others outside your organization over a specified period. The rule generally requires you to be able to account for disclosures going back six years from the date of the request, with exceptions such as disclosures for treatment, payment, and healthcare operations.
A few key points:
- It covers disclosures, which means PHI that leaves the covered entity or business associate (for example, sent to a government agency, another organization, or an attorney), not routine internal access.
- An individual can request an accounting once every 12 months at no charge; a reasonable fee can be charged for additional requests in the same period.
- Personal representatives (for example, a parent of a minor child or someone with legal authority) may also have the right to receive an accounting.
From a security perspective, you need systems and processes that reliably track these disclosures and protect the logs from tampering.
Why Accounting of Disclosures Matters for Security
Accounting of disclosures is often treated as a paperwork requirement, but it is really a transparency and trust requirement that depends on good security practices.
If you cannot show who received PHI and when, you may also have:
- Weak audit logging
- Inconsistent processes for sending information outside the organization
- Limited oversight of business associate activities
- Gaps in incident detection, because unusual disclosures may never be reviewed
In the event of a complaint or investigation, regulators will not only ask whether a disclosure was allowed. They will also ask what records you kept and how you protect them.
Common Pain Points (And How to Fix Them)
- Disclosures are handled informally
  Staff sometimes send PHI to attorneys, payers outside normal billing channels, or government agencies without consistent logging.
  What to do:
  - Create a standard disclosure log, either in your EHR, compliance platform, or a secure central spreadsheet that is access-controlled.
  - Require staff to record: date, recipient, purpose, who approved the disclosure, and what type of information was shared.
- Business associates disclose PHI, but you have no record
  Business associates like billing vendors, IT companies, or specialized consultants may disclose PHI on your behalf, for example to a subcontractor, a payer, or a law firm.
  What to do:
  - Make sure your Business Associate Agreements (BAAs) clearly require the associate to track and report the disclosures for which you must provide an accounting.
  - Include a requirement that they can respond promptly if you receive an accounting request.
- Logs exist, but no one reviews them
  Some organizations maintain an accounting log, but no one checks it for inappropriate patterns.
  What to do:
  - Assign responsibility for reviewing disclosure logs at least quarterly.
  - Look for red flags such as: repeated disclosures to the same individual, disclosures with “miscellaneous” or unclear reasons, or disclosures that do not match your policies.
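The three fixes above (a log with required fields, a record that resists tampering, and a periodic review for red flags) can be expressed as a small piece of working code. The following is an added example written for this article, not code from the article's author or from the EPICompliance platform. The field list extends the article's list with a patient identifier and a "disclosed by" column, the log entries are constructed sample data, the exempt-purpose set is reduced to the three exceptions the article names (the Privacy Rule has others), and the "approved purposes" set and the repeat threshold stand in for an organization's own policy; all of these are assumptions.

```python
"""Tamper-evident PHI disclosure log with six-year accounting and review checks.

Added example for illustration; sample entries, field names, purpose sets and
thresholds are constructed assumptions, not an organization's real data.
"""
import copy
import hashlib
import json
from collections import Counter
from datetime import date

# Every disclosure entry must carry these fields (the article's list plus
# patient_id and disclosed_by, so entries can be pulled per patient and per
# business associate).  Assumed field names.
REQUIRED_FIELDS = ("date", "patient_id", "recipient", "purpose",
                   "approved_by", "info_type", "disclosed_by")
# Purposes excluded from the accounting: simplified to the three the article
# names; the Privacy Rule contains further exceptions.
EXEMPT_PURPOSES = {"treatment", "payment", "healthcare operations"}
# Purposes the (assumed) organizational policy permits for external disclosures.
APPROVED_PURPOSES = EXEMPT_PURPOSES | {"public health", "legal", "law enforcement"}
VAGUE_PURPOSES = {"", "miscellaneous", "misc", "other", "unknown"}
GENESIS = "0" * 64  # chain anchor for the first record


def _entry_hash(prev_hash, entry):
    """Chain hash: sha256(previous hash || canonical JSON of the entry)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def append_entry(log, entry):
    """Reject incomplete entries, then append with a hash linking to the previous record."""
    missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
    if missing:
        raise ValueError(f"disclosure entry missing fields: {missing}")
    prev = log[-1]["hash"] if log else GENESIS
    record = {"entry": dict(entry), "prev": prev, "hash": _entry_hash(prev, entry)}
    log.append(record)
    return record["hash"]


def verify_chain(log):
    """Return the index of the first altered or re-ordered record, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or _entry_hash(prev, rec["entry"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    return None


def simulate_tamper(log, index, field, value):
    """Edit one field on a copy of the log and report what verify_chain finds."""
    altered = copy.deepcopy(log)
    altered[index]["entry"][field] = value
    return verify_chain(altered)


def _six_years_before(d):
    try:
        return d.replace(year=d.year - 6)
    except ValueError:  # 29 February with no counterpart six years earlier
        return d.replace(year=d.year - 6, day=28)


def accounting(log, patient_id, request_date_iso):
    """Non-exempt disclosures of one patient's PHI in the six years before the request, oldest first."""
    request_date = date.fromisoformat(request_date_iso)
    start = _six_years_before(request_date)
    rows = [rec["entry"] for rec in log
            if rec["entry"]["patient_id"] == patient_id
            and rec["entry"]["purpose"].lower() not in EXEMPT_PURPOSES
            and start <= date.fromisoformat(rec["entry"]["date"]) <= request_date]
    return sorted(rows, key=lambda e: e["date"])


def review_flags(log, repeat_threshold=3):
    """Quarterly-review checks: repeated recipients, vague purposes, purposes outside policy."""
    per_recipient = Counter(rec["entry"]["recipient"] for rec in log)
    flags = []
    for rec in log:
        e = rec["entry"]
        purpose = e["purpose"].lower()
        if per_recipient[e["recipient"]] >= repeat_threshold:
            flags.append(("repeated recipient", e))
        if purpose in VAGUE_PURPOSES:
            flags.append(("vague purpose", e))
        elif purpose not in APPROVED_PURPOSES:
            flags.append(("purpose not in policy", e))
    return flags


def build_sample_log():
    """Constructed sample entries in REQUIRED_FIELDS order (not real disclosures)."""
    samples = [
        ("2019-03-10", "P-001", "County Health Dept", "public health", "J. Rivera", "immunization record", "Clinic"),
        ("2024-01-15", "P-001", "Acme Billing", "payment", "M. Chen", "claim detail", "Clinic"),
        ("2024-06-02", "P-001", "Smith & Lee LLP", "legal", "M. Chen", "visit notes", "Acme Billing"),
        ("2025-02-20", "P-002", "Smith & Lee LLP", "miscellaneous", "M. Chen", "lab results", "Clinic"),
        ("2025-03-01", "P-001", "Smith & Lee LLP", "legal", "J. Rivera", "visit notes", "Clinic"),
        ("2025-04-05", "P-003", "Recruiter Inc", "marketing", "M. Chen", "demographics", "Clinic"),
    ]
    log = []
    for row in samples:
        append_entry(log, dict(zip(REQUIRED_FIELDS, row)))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", verify_chain(sample) is None)
    print("tamper detected at record:", simulate_tamper(sample, 1, "recipient", "Someone Else"))
    for row in accounting(sample, "P-001", "2025-06-30"):
        print("accounting row:", row["date"], row["recipient"], row["purpose"])
    for reason, row in review_flags(sample):
        print("flag:", reason, "->", row["date"], row["recipient"], row["purpose"])
```

Run against the sample, the accounting for patient P-001 returns only the two legal disclosures: the 2019 public-health disclosure falls outside the six-year window and the 2024 payment disclosure is exempt. The review pass flags the three disclosures to the same law firm, the "miscellaneous" entry, and the marketing disclosure that no policy purpose covers. Changing any stored field breaks the hash chain from that record onward, which is the property a reviewer relies on when asked how the log is protected.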
Disclosure Readiness Checklist
| Area | Question to Ask Your Organization |
|---|---|
| Policy and procedure | Do we have a written procedure for tracking external disclosures of PHI? |
| Central tracking | Do we use a central log or system, or are disclosures tracked in many places? |
| Business associate support | Do our BAAs clearly require business associates to track and report disclosures? |
| Response readiness | Could we pull a six-year accounting within the required time if a patient asked today? |
| Oversight | Who reviews disclosure logs and how often? |
Practical Action Steps This Month
- Locate your current disclosure log or confirm whether one exists.
- Check your policies to see what they say about accounting of disclosures and whether they are being followed in daily practice.
- Review at least a small sample of recent disclosures to confirm the information is complete and consistent.
- Check BAAs to ensure business associates must support accounting of disclosures and provide timely information.
- Train front desk and medical records staff on how to recognize an accounting of disclosures request and where to route it.
How EPICompliance Can Help
If you are an EPICompliance customer, you can use the platform to:
- Centralize documentation, including disclosure tracking templates and BAAs
- Assign recurring tasks to review logs and verify that accounting requests are handled on time
If you are not yet an EPICompliance customer, our platform brings together online training, HIPAA tools, BA management, and task tracking so you can build a disclosure process that is documented, repeatable, and visible instead of scattered across multiple files.
You can learn more at: https://epicompliance.com
For short, practical discussions on HIPAA topics, including privacy and security issues, visit our YouTube channel: https://www.youtube.com/@epicompliance
Putting Transparency into Practice
Take ten minutes this week to answer one simple question:
“If a patient asked for an accounting of disclosures today, could we respond with accurate records and confidence?”
If the honest answer is “I am not sure,” make this the month you tighten your processes and fill that gap.