A Guide to Suspending a Patient's Right to an Accounting of Disclosures for a Law Enforcement Investigation (§ 164.528(a)(2))

Executive Summary

Section 164.528 of the HIPAA Privacy Rule gives patients the right to request an accounting of certain disclosures of their protected health information (PHI). However, subsection (a)(2) introduces a key exception that applies when disclosures are made to law enforcement or a health oversight agency and the agency provides a statement requesting a temporary suspension of the accounting right. This article outlines when and how practices can honor such suspension requests, what documentation is required, what the request must include, and what mistakes to avoid.

Introduction

The HIPAA Privacy Rule generally supports a patient’s right to transparency, especially when it comes to how their PHI is shared. Under § 164.528, patients can request a report of certain non-routine disclosures of their PHI. Section 164.528(a)(2) is an exception to that right: it allows law enforcement or health oversight agencies to request that a healthcare provider temporarily suspend a patient’s right to receive an accounting of disclosures. This suspension is permissible when the agency provides a statement that such an accounting would be reasonably likely to impede its activities.

What Is the Right to an Accounting of Disclosures?

Under § 164.528(a)(1), patients have the right to receive an accounting of disclosures of their PHI made in the past six years. The right covers disclosures other than those made for purposes such as treatment, payment, or health care operations (TPO), those made to the individual themselves, and those made pursuant to an authorization from the patient.

The accounting must include:

  • The date of disclosure.

  • The name and, if known, the address of the entity or person who received the PHI.

  • A brief description of the protected health information disclosed.

  • A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or a copy of a written request for the disclosure.

The Exception: Law Enforcement or Oversight Suspensions

What 164.528(a)(2) Says

A covered entity must temporarily suspend a patient’s right to receive an accounting of disclosures when a health oversight agency or law enforcement official provides a statement:

  • The statement must be in writing.

  • The statement must indicate that such an accounting would be reasonably likely to impede the agency’s activities.

  • The statement must specify the time for which the suspension is required.

Handling Oral Requests

If the agency or official's statement is made orally, the covered entity must:

  • Document the statement, including the identity of the agency or official making the statement.

  • Temporarily suspend the individual's right to an accounting of disclosures subject to the statement.

  • Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement is submitted during that time.

Case Study: Complying With a Valid Suspension

A small behavioral health clinic was approached by local law enforcement in connection with a felony investigation. The officer requested access to a specific patient’s protected health information (PHI), explaining that the information was essential to the case. To prevent jeopardizing the investigation, the officer also submitted a written request to suspend the patient’s right to receive an accounting of disclosures for a period of 90 days, as permitted under HIPAA regulations.

The clinic responded appropriately by following the procedural safeguards outlined in the HIPAA Privacy Rule. First, the clinic logged and securely stored the written suspension request, ensuring that it included both the reason for the suspension and the specific time frame. The start and end dates of the 90-day suspension period were clearly documented in the patient’s records.

Next, the clinic ensured that the disclosed PHI was shared only with the requesting law enforcement official and that no further distribution occurred. Additionally, the patient’s record was flagged so that if an accounting of disclosures was requested during the suspension period, the response would be lawfully delayed.

Lesson learned: When law enforcement provides valid written suspension notices, following HIPAA’s requirements for documentation and disclosure limitations protects both the investigation and the clinic from regulatory risk.

What to Do If You Receive a Suspension Request

Step 1: Review the Request Carefully

Ensure the request includes the specified suspension period and a statement that an accounting of the disclosure would be reasonably likely to impede agency activities.

Step 2: Log and Retain the Request

A covered entity must document the information required to be included in an accounting, the written accounting, and the titles of the persons or offices responsible for receiving and processing requests for an accounting.

Step 3: Flag the Patient’s Record

Use your EHR system to mark the record, so that any accounting of disclosures will be automatically held during the suspension period.

Step 4: Notify Staff Appropriately

Ensure only authorized personnel are aware of the suspension.

Step 5: Resume Accounting After Expiration

Once the suspension period ends:

  • Resume normal accounting of disclosures.

  • Include the law enforcement disclosure in the final report.

Common Pitfalls and How to Avoid Them

  • Pitfall: Accepting a verbal request without documentation.

    • Consequence: Noncompliance, exposure to OCR sanctions.

    • How to Avoid: If an oral request is made, you must document it immediately, including the identity of the official.

  • Pitfall: Failing to log the suspension.

    • Consequence: No audit trail.

    • How to Avoid: Use a standardized tracking log for all disclosure suspensions.

  • Pitfall: Not setting reminders to resume accounting.

    • Consequence: Disclosure permanently omitted.

    • How to Avoid: Use EHR alerts or a compliance calendar to trigger follow-up.

  • Pitfall: Informing the patient prematurely.

    • Consequence: Risk to investigation, OCR liability.

    • How to Avoid: Train staff never to disclose suspension status to patients, as this would be contrary to the purpose of the regulation.

Checklist: Handling Disclosure Accounting Suspensions

  • Task: Train privacy staff on suspension procedures.

  • Task: Log all written and documented oral requests in a secure system.

  • Task: Mark patient records to delay accounting.

  • Task: Resume disclosure accounting after expiration.

Frequently Asked Questions

How long can the right to an accounting be suspended?

For as long as the agency specifies in its written request. For oral requests, the suspension expires after 30 days unless a written request is provided during that time.

Can the patient be notified of the suspension?

The regulation requires a temporary suspension of the individual's right to an accounting to avoid impeding an investigation. Informing the patient of the suspension would defeat the purpose of the rule, which is to prevent the individual from knowing about a disclosure that could interfere with agency activities.

Does this apply to all PHI disclosures to law enforcement?

No. Only those disclosures where a health oversight agency or law enforcement official provides a statement that the accounting would be reasonably likely to impede their activities and specifies the time for the suspension.

Is a subpoena enough to delay the accounting?

Not by itself. A subpoena is not automatically a valid suspension request. A covered entity still needs the specific written or oral statement as required under 164.528(a)(2).

Final Takeaways

When law enforcement is involved, the rules around PHI disclosure change, but only with proper documentation. Under § 164.528(a)(2), when law enforcement properly requests it, your small practice has a legal obligation to temporarily suspend a patient’s right to an accounting of disclosures.

By:

  • Verifying the request and its required components.

  • Logging it securely.

  • Respecting the suspension timeline.

  • And documenting your actions.

...you protect both the integrity of an investigation and your practice’s compliance standing.
