Accounting of Disclosures
Plain English Translation
Individuals have the right to request an accounting of certain disclosures of their PHI made by the organization, and a process must exist to generate and deliver this accounting upon request. The accounting covers disclosures made for purposes other than treatment, payment, and healthcare operations.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Establish a manual logging process using a secure, access-controlled spreadsheet to track any non-routine disclosures of PHI made to external parties.
Required Actions (scaleup)
- Implement a dedicated compliance ticketing system to manage accounting of disclosure requests and maintain digital logs of all external data sharing.
Required Actions (enterprise)
- Enforce detailed audit logging modes programmatically across all data environments to automatically track data access events and compile disclosures.
It is a formal process maintained by the organization to provide an accounting of certain disclosures of PHI made to the individual upon request.
It explicitly requires organizations to maintain a systematic process to provide an accounting of certain disclosures of PHI made by the organization to the individual upon request.
Organizations must track non-routine disclosures, including public health reporting, judicial proceedings, and unauthorized breaches. (Note: This information is not from my sources and you may want to independently verify that information.)
Routine disclosures made for treatment, payment, and healthcare operations, as well as those authorized directly by the patient, are typically excluded. (Note: This information is not from my sources and you may want to independently verify that information.)
Organizations are required to retain PHI disclosure tracking records for a minimum of six years. (Note: This information is not from my sources and you may want to independently verify that information.)
Organizations typically must respond to an accounting request within 60 days, with a possible 30-day extension. (Note: This information is not from my sources and you may want to independently verify that information.)
No, the Privacy Rule generally exempts routine disclosures made for treatment, payment, and healthcare operations from the formal accounting requirement. (Note: This information is not from my sources and you may want to independently verify that information.)
Yes, individuals can request this information, and organizations must coordinate with business associates to provide a complete accounting. (Note: This information is not from my sources and you may want to independently verify that information.)
The accounting log typically must include the date of the disclosure, the name of the receiving entity, a description of the PHI, and the purpose. (Note: This information is not from my sources and you may want to independently verify that information.)
Organizations can track disclosures by enforcing detailed audit logging modes and ensuring that data access events are comprehensively logged across all information systems.
Accounting requests often require evidence from multiple systems, teams, and vendors, which makes manual compilation difficult to control. Tools like WatchDog Security's Compliance Center can help centralize request procedures, evidence collection, ownership, and status tracking so the organization can show a consistent process for fulfilling disclosure accounting obligations.
Business associates may make reportable disclosures on the organization's behalf, so the organization needs a reliable way to track vendor responsibilities and request supporting records when needed. Tools like WatchDog Security's Vendor Risk Management can maintain a vendor catalog, risk tiers, assessment records, and follow-up workflows that support business associate coordination.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-05 | Compliance Content Team | Initial publication |

