Patient’s Guide to HIPAA – Basic Rights: What are the Limitations of an Accounting of Disclosures?




You are reading the Patient’s Guide to HIPAA, FAQ 42

HIPAA Guide Quick Links:



FAQ 42: What are the Limitations of an Accounting of Disclosures?

Limitations in the HIPAA rule make the accounting of disclosures much less valuable than it should be. First, covered entities do not have to account for all disclosures. They don’t have to keep an accounting of disclosures for treatment, payment, or health care operations. Most disclosures are likely to be for one of these purposes so this loophole is large.

Second, covered entities also don’t have to keep an accounting of disclosures if you authorized the disclosure. That means that you may not be able to track if the covered entity actually disclosed records as you directed. If you casually signed an authorization that allowed the disclosure of any or all information about you (e.g., for a background check), a covered entity can disclose your entire medical record and not even keep a record that it did so. This is another large loophole.

Third, health care institutions do not have to account for uses. A use of information occurs when a record is made available to someone within the institution that maintains the record. A disclosure occurs when a covered entity shares a record with someone outside the covered entity. The accounting requirement only covers some disclosures and no uses.

If you are hospitalized, hundreds of different individuals in the hospital may see your record. The use exemption to accounting can seriously undermine your ability to hold an institution accountable for leaks or other inappropriate activities. Still, in hospitals with modern computers, there is a greater likelihood that a complete audit trail, including uses, will be maintained routinely. Unfortunately, HIPAA does not expressly require that a covered entity share that audit trail for uses, although there may be an argument that disclosure of an entire audit trail is required otherwise by HIPAA or by state law. Ask for a copy of the entire accounting because a reasonable institution will share it with you. Institutions with computerized systems that track all activity might find it easier to provide a requester with the entire history rather than part of it.  However, they are not required to do so.  It doesn’t hurt to ask.

Fourth, sometimes a covered entity must withhold a particular accounting record from an individual who requests a copy of the accounting. A covered entity may make some disclosures to law enforcement, for example, without telling the record subject for a limited time.

Fifth, the HIPAA requirement for an accounting started on April 14, 2003. A health care institution covered by HIPAA did not have to maintain accounting records before that date.

Finally, perhaps the biggest limitation is that the federal health privacy rule does not require an accounting of disclosures for treatment and payment. This means that a lot of information that you would want to find in an accounting will not be available. Covered entities also don’t have to tell you about disclosures for health care operations, an expansive category that covers many management and other functions.

For example, if a hospital gave care to someone in your name and billed your insurance company, you would want to know the details. You may not be able to obtain that information from the accounting of disclosures. Even worse, if a hospital told a credit bureau or collection agency that you did not pay your bill (i.e., a bill run up by an identity thief), the accounting may not reveal the disclosures. These disclosures may be exempt from the accounting requirement because they fall within the exception for disclosures for payment and health care operations.

Sidebar: In 2011, HHS proposed changes to the accounting for disclosures rule. As of 2013, the changes have not yet been made final. It may be a while before covered entities must implement the changes. As proposed, some of the accounting changes were better for patients and some were not. We will have to wait and see when and what will happen.



Roadmap: Patient’s Guide to HIPAA: Part 2: Basic Patient Rights: Right to Receive an Accounting of Disclosures (FAQ 42 of 65)

Jump to list of FAQs 1-65 | See all of Part 2