Under the HIPAA Privacy Rule, covered entities are required to provide an accounting of disclosures, which is a detailed record of when and to whom Protected Health Information (PHI) has been disclosed for purposes other than treatment, payment, or healthcare operations, ensuring transparency and allowing patients to track the sharing of their sensitive information, which contributes to maintaining trust and privacy in the healthcare system. A HIPAA accounting of disclosures refers to a detailed record of when and to whom PHI has been disclosed for purposes other than treatment, payment, or healthcare operations. This includes disclosures for legal proceedings, law enforcement purposes, research, public health activities, and other specific situations where patient authorization is not required. The intent behind this provision is to give patients greater visibility into how their health information is being used and shared, thereby reinforcing their autonomy and control over their personal data.
For healthcare providers and organizations, compliance with this aspect of HIPAA involves meticulous record-keeping. Each disclosure must be documented with specific details, including the date of disclosure, the name and, if known, the address of the entity to which PHI was disclosed, a brief description of the PHI disclosed, and the purpose of the disclosure. This information must be stored for six years from the date of the disclosure, reflecting HIPAA’s emphasis on long-term accountability and patient rights. Patients have the right to request an accounting of disclosures, and covered entities are required to comply with this request. Typically, patients can request an accounting for disclosures made in the past six years. The covered entity must respond to the request within a specified timeframe, usually 60 days, with the possibility of a one-time extension of 30 days. This response time is intended to balance the administrative burden on the healthcare provider with the patient’s right to timely information.
The HIPAA Privacy Rule also mandates that the first accounting of disclosures provided in a 12-month period be free of charge. Covered entities may impose a reasonable, cost-based fee for additional requests within the same 12-month period, as long as they inform the patient of this cost upfront. This provision is designed to prevent abuse of the system while ensuring that the right to an accounting of disclosures remains accessible to all patients.