Also known as Accounting of Disclosures of Protected Health Information, it is a mandate under 45 CFR § 164.528 of the Security and Privacy, Subpart E - Privacy of Individually Identifiable Health Information.

The mandate states that "an individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested."

What should be included in the Accounting of Disclosures?

The accounting of disclosures must include the following:

  1. The date of the disclosure;
  2. the name (and address, if known) of the entity or person who received the Protected Health Information (PHI);
  3. a description of the information disclosed; and
  4. a brief statement of the purpose of the disclosure (if available, include the written request copy of the disclosure).

Comparison of Accounting of Disclosures by Privacy Rule and the HITECH Act?

Criteria Privacy Rule HITECH Act
Types of disclosures to be included in the accounting Disclosures NOT related to Treatment, Payment and Health Care Operations (TPO) All disclosures
Implications of inclusion and non-inclusion, respectively, of TPO in regards to accounting Business Associates (BA) are NOT identified; therefore, the patient cannot contact each BA for an accounting of disclosures. Business Associates (BA) are identified; thereby, enabling the patient to contact each BA for an accounting of the BA's disclosures.
Period of disclosure to be included in the accounting Within six years of the patient's Accounting of Disclosure request Within three years of the patient's Accounting of Disclosure request

Accounting of Disclosures Quick Takes