HIPAA requires a place to track the release of protected health information (PHI) subject to Accounting of Disclosures. But does Accounting of Disclosures mean logging all PHI disclosures? Somewhat surprisingly, no! Despite popular belief, an Accounting of Disclosure log is only necessary for a subset of Release of Information (ROI) requests.

When are Accounting of Disclosure logs not required?

Accounting of Disclosure logs are not required in most ROI processes.  This may be because there is a HIPAA-compliant authorization or permissible reason regulated by HIPAA for distributing the PHI.  For instance, a log is not required for ROI requests that are:

  • for treatment / payment / operations (TPO) activities;
  • authorized through a HIPAA-compliant authorization;
  • Right of Access requests
  • for a use or disclosure otherwise permitted or required;
  • for national security or intelligence purposes;
  • for correctional institutions or law enforcement officials;
  • part of a limited data set; or
  • six years or older than the date of the Accounting of Disclosures request.


While the name “Accounting of Disclosures” tends to make people think it is accounting of all disclosures, as you can see from the above list that’s not the case; there are a lot of ROI situations that do not require an Accounting of Disclosures log!

When are Accounting of Disclosure logs required?

Accounting of Disclosures includes ROI scenarios where a patient may not be initially informed or authorize the disclosure of their PHI.  These situations can include:

  • unauthorized disclosures like a breach;
  • subpoenas and other judicial / administrative proceedings; or
  • requests for a Workers Compensation case, etc.


In the above situations, a patient may not know their PHI was disclosed.  The Accounting of Disclosures log serves to maintain a comprehensive list of these types of disclosures that the patient is entitled to be informed of through their Accounting of Disclosures right.

What needs to be included in the log?

When releases occur that are pursuant to Accounting of Disclosures, the log must include certain elements like:

  • the date of the disclosure;
  • the name and address of the organization / person who received the PHI;
  • a brief description of the PHI disclosed; and
  • A brief statement or the request itself that explains the basis for the disclosure


Many electronic health record (EHR) systems have an Accounting of Disclosures feature, sometimes called a PHI log, which may have fields to record additional details about a request. Even though the EHR may have more fields, the Accounting of Disclosures content provision explains that only the above details are needed for compliance.

Do I need to record requests that are not subject to Accounting of Disclosures?

Quite simply, no. But while there is not a requirement under HIPAA to record requests that are not subject to Accounting of Disclosures, many organizations choose to record these requests as well.  While patients are only entitled to have those requests subject to Accounting of Disclosures provided to them if they request the log, many misunderstand that any and all requests for PHI will be documented in the log.  If your organization would like to go above and beyond the Accounting of Disclosures requirement by recording all PHI disclosures, a compliant authorization has the details to correspond with the log.

Release records requests to a partner.

If you find records requests and the ensuing compliance concerns like what constitutes an Accounting of Disclosures request take too much of your staff’s valuable time, consider releasing this administrative burden to a partner.  ScanSTAT Technologies processes hundreds of thousands of records requests annually and is an industry leader with our 24-hour turnaround time and accuracy rate.  If you are ready to focus on patient care and leave the records requests (and compliance questions) behind, request a demo today to see how we can help.

This FAQ is for informational purposes only and does not constitute legal advice. Seek your own legal counsel to ensure compliance with federal and state law.