What is a HIPAA Accounting?

HIPAA Accounting

Under the HIPAA Privacy Rule, an individual, under certain circumstances, has the right to receive an accounting of disclosures — HIPAA Accounting — of that individual’s protected health information (PHI) made by a covered entity in the six years prior to the date on which the accounting is requested.

What Information Must be Included in a HIPAA Accounting?

The HIPAA Privacy Rule requires certain information to be included in a HIPAA accounting made by a covered entity. This information must include disclosures of protected health information that occurred during the six years prior to the date of the request of the accounting. The accounting must include disclosures to or by business associates of the covered entity.

An individual may request an accounting of disclosures for a period of time less than six years from the date of the request. If such a request is made, the accounting must include disclosures of PHI that occurred during this shorter time period.

Generally, the HIPAA accounting must include, for each disclosure:

  • The date of the disclosure;
  • The name of the entity or person who received the protected health information and, if known, the address of such entity or person;
  • A brief description of the protected health information disclosed; and
  • A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure. In lieu of such a statement, the accounting may consist of a copy of a written request for disclosure, if that request was made:
    • By the Secretary of the Department of Health and Human Services, to investigate or determine the covered entity’s compliance with this subchapter.
    • Under circumstances for which written authorization to use or disclose PHI was not required.

By When Must the HIPAA Accounting be Provided?

The covered entity must provide the requested accounting no later than 60 days after receipt of such a request.

If the covered entity is unable to provide the accounting within the 60 days, the covered entity may extend the time to provide the accounting for up to an additional 30 days, provided that:

  • The covered entity, during the initial 60 days, provides the requesting individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting; and
  • The covered entity may have only one such extension of time for action on a request for an accounting.

Can a Covered Entity Charge a Fee for a HIPAA Accounting?

Under the HIPAA Privacy Rule, the covered entity must provide the first accounting to an individual in any 12-month period without charge.

The covered entity may charge a reasonable, cost-based fee (i.e., a fee based on costs incurred by the covered entity with respect to responding to the accounting) for each subsequent request for an accounting by the same individual within the 12-month period, provided that:

  • The covered entity informs the individual in advance of the fee; and
  • The covered entity provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee.

When is a Covered Entity Not Required to Provide a HIPAA Accounting?

The individual has the right to a HIPAA accounting except for disclosures that are made:
