Accounting of Disclosures: How HITECH Strengthened Patient Rights (45 CFR § 164.528)

Executive Summary

The HITECH Act of 2009 strengthened patients’ rights under HIPAA’s Accounting of Disclosures requirement, 45 CFR § 164.528. That rule requires covered entities to document certain disclosures of a patient’s Protected Health Information (PHI) and, on request, provide the individual with an accounting of them. HITECH § 13405(c) directs that disclosures made through an electronic health record (EHR) for treatment, payment, and healthcare operations (TPO), a category the Privacy Rule had excluded, be brought within the accounting with a three-year lookback, and HITECH § 13410 raised the civil penalty tiers for noncompliance. One caveat belongs up front: HHS proposed regulations to implement the § 13405(c) expansion in 2011 but has never finalized them, so § 164.528 as currently codified still excludes TPO disclosures from the accounting. For small practices, understanding the rule as it stands, and building the logging capability the statutory expansion anticipates, is essential to maintain trust, avoid regulatory penalties, and demonstrate a commitment to transparency.

Introduction

Patients are increasingly aware of how their health information is shared, and regulators are demanding more accountability from providers. Under HIPAA, the right to an accounting of disclosures lets patients learn to whom their PHI has been released outside the practice, when, and for what purpose. (Access to a chart by the practice’s own workforce is a “use” under 45 CFR § 160.103, not a disclosure; it is governed by the Security Rule’s audit controls rather than by the accounting requirement.)

With the HITECH Act, the standard was set to change significantly. Section 13405(c) provides that disclosures made through an EHR for treatment, payment, and healthcare operations, categories the Privacy Rule had excluded, are to be included in the accounting, with a three-year lookback. HHS published a proposed rule to implement this in May 2011 but has not finalized it, so the expansion is not yet enforceable. Even so, it reflects HITECH’s push toward greater patient oversight of health information in the digital age, and an EHR that is not recording these disclosures today cannot produce them later.

For small healthcare practices, this means new technical, administrative, and procedural measures are necessary to meet compliance obligations and respond accurately to patient requests.

Understanding 45 CFR § 164.528

Core Requirements

45 CFR § 164.528(a)(1) grants individuals the right to receive an accounting of disclosures of their PHI made by a covered entity (and by its business associates) in the six years prior to the date of the request. HITECH § 13405(c) sets a three-year period for the EHR-related TPO disclosures it would add, but that provision awaits final regulations. Under § 164.528(b)(2), each accountable disclosure must be documented with:

  • Date of disclosure

  • Name of the entity or person who received the PHI and, if known, their address

  • Brief description of the PHI disclosed

  • Brief statement of the purpose that reasonably informs the individual of the basis for the disclosure (or, in its place, a copy of the written request that prompted it)

Repeated disclosures to the same recipient for a single purpose may be summarized with the date of the first and last disclosure and the number or frequency of disclosures in between (§ 164.528(b)(3)).

Exclusions

Section 164.528(a)(1) excludes from the accounting disclosures:

  • To carry out treatment, payment, or healthcare operations (the exclusion HITECH § 13405(c) would narrow for disclosures made through an EHR)

  • To the individual themselves

  • Incident to an otherwise permitted or required use or disclosure

  • Pursuant to an authorization under § 164.508

  • For facility directories or to persons involved in the individual’s care (§ 164.510)

  • For national security or intelligence purposes

  • To correctional institutions or law enforcement officials as provided in § 164.512(k)(5)

  • As part of a limited data set (§ 164.514(e))

  • Made before the covered entity’s compliance date

“Excluded from the accounting” is not the same as “unlogged.” Many practices record TPO disclosures anyway, because breach investigations and the pending HITECH expansion both depend on that record. A health oversight agency or law enforcement official may also require the practice to temporarily suspend the individual’s right to an accounting of disclosures made to that agency (§ 164.528(a)(2)).

HITECH Enhancements

HITECH’s changes that bear on disclosure accounting include:

  1. Inclusion of EHR Disclosures for TPO Purposes

    HITECH § 13405(c) provides that the TPO exclusion in § 164.528(a)(1)(i) does not apply to disclosures made through an EHR, with an accounting period of three years rather than six. This is a significant expansion beyond the pre-HITECH rule, which excluded all TPO disclosures. The statute tied the change to implementing regulations; HHS published a proposed rule in May 2011 but has not finalized it, so as of this writing the expansion is not enforceable and the six-year accounting under § 164.528 as codified is the operative requirement. Practices should still plan for it: EHR logging cannot be retrofitted to cover disclosures that were never recorded.

  2. Response Times

    Covered entities must act on an accounting request within 60 days of receipt, with a single 30-day extension permitted if, within the initial 60 days, they give the individual a written statement of the reasons for the delay and the date by which the accounting will be provided (§ 164.528(c)(1)). This deadline predates HITECH and was not shortened by it; what HITECH changed is the cost of missing it, through the tiered civil monetary penalties in § 13410. Practices need an established workflow for processing requests.

  3. EHR Capability

    HITECH ties the expanded accounting to EHR systems, so the practical burden falls on the EHR’s ability to produce, per patient, a report of disclosures it has made to outside recipients (for example, electronic claims submission, referrals, and registry reporting). Accounting of disclosures has been an optional rather than a required criterion in ONC’s EHR certification program, so a certified product does not guarantee the capability; confirm with your vendor that disclosures can be recorded with the § 164.528(b)(2) fields and reported on request. A capable system lets you produce accurate, timely, and complete disclosure histories and reduces the risk of noncompliance during audits or patient disputes.

HITECH’s Impact on Small Practices

For small practices, these changes mean:

  • EHR Configuration: Your EHR should record every disclosure it makes, with the § 164.528(b)(2) fields, including TPO disclosures even though they are currently excluded from the accounting. Separately, the Security Rule’s audit-controls standard (45 CFR § 164.312(b)) requires that workforce access to ePHI be recorded; those audit logs are not an accounting of disclosures, but they are what lets you answer “who looked at this chart” during a complaint or breach investigation.

  • Policy Updates: Written procedures must reflect the expanded scope and the 60-day response workflow.

  • Staff Training: All team members must understand what counts as a disclosure, when and how to record one, and how to route a patient’s request (§ 164.530(b) requires training on the practice’s privacy policies and procedures).

  • Vendor Accountability: Business associates that disclose PHI on your behalf must document those disclosures and make the information available so you can provide an accounting; this is a required term of every business associate agreement (§ 164.504(e)(2)(ii)(G)).

Practical Implementation Steps

1. Configure Your EHR to Track All Disclosures

Ensure your EHR logs the required details automatically for every disclosure it makes, including TPO-related ones (claims, referrals, transmissions to registries), and confirm that audit logging of user access is enabled and retained rather than left at vendor defaults.

2. Create a Standard Disclosure Log Template

For disclosures outside the EHR (e.g., paper records, faxed documents, telephone disclosures to a court or public health agency), maintain a manual log capturing the same data fields required by § 164.528(b)(2): date, recipient and address if known, description of the PHI, and purpose statement.

3. Define Roles and Responsibilities

Assign a Privacy Officer to oversee disclosure tracking, patient requests, and report generation, and record the titles of the persons responsible for receiving and processing requests, as § 164.528(d) requires.

4. Establish a Patient Request Workflow

  • Provide a standard form for accounting requests, and let the individual choose a period shorter than six years if they wish (§ 164.528(a)(3)).

  • Log the date of receipt and track progress toward the 60-day deadline; if an extension is needed, send the written notice before day 60 and calendar the new date (only one extension is allowed).

  • Provide the first accounting in any 12-month period free of charge; a reasonable, cost-based fee may be charged for further requests in that period, provided the individual is told of the fee in advance and given the chance to withdraw or modify the request (§ 164.528(c)(2)).

5. Review and Audit Disclosure Logs

Conduct quarterly reviews to ensure accuracy and completeness, and retain the log entries, copies of the accountings provided, and the responsible titles for six years (§ 164.528(d) together with § 164.530(j)).
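The five steps above, worked through as an added example that is not code from the page or from any EHR product: a small Python module that builds an accounting from a disclosure log, applying the six-year lookback, the § 164.528(a)(1) exclusions, the § 164.528(b)(3) summary of repeated disclosures, the 60-day deadline with its single 30-day extension, and the 12-month fee rule. The log layout, the purpose codes, and the sample log entries are constructed assumptions.

```python
"""Accounting of disclosures under 45 CFR 164.528: build the accounting from a
disclosure log and compute the response deadline.  Added example, not code from
the page or any EHR product; log layout, purpose codes and sample data are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Purposes 164.528(a)(1) excludes from the accounting.  TPO remains excluded under
# the rule as codified: the 2011 proposed rule for HITECH 13405(c) was not finalized.
EXCLUDED_PURPOSES = {
    "treatment", "payment", "operations",      # (a)(1)(i)
    "to_individual",                           # (a)(1)(ii)
    "incidental",                              # (a)(1)(iii)
    "authorization",                           # (a)(1)(iv)
    "facility_directory", "involved_in_care",  # (a)(1)(v)
    "national_security",                       # (a)(1)(vi)
    "correctional_or_law_enforcement",         # (a)(1)(vii)
    "limited_data_set",                        # (a)(1)(viii)
}
LOOKBACK_YEARS, RESPONSE_DAYS, EXTENSION_DAYS = 6, 60, 30

@dataclass(frozen=True)
class Disclosure:
    """One log entry carrying the fields 164.528(b)(2) requires."""
    patient_id: str
    disclosed_on: date
    recipient: str
    recipient_address: Optional[str]  # required only "if known"
    description: str                  # brief description of the PHI disclosed
    purpose_code: str                 # assumed internal purpose coding
    purpose_statement: str            # statement telling the patient the basis

@dataclass(frozen=True)
class AccountingRequest:
    patient_id: str
    received_on: date
    extension_notice_on: Optional[date] = None  # date the written delay notice was sent

def years_before(d: date, years: int) -> date:
    """Same calendar date `years` earlier; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)

def accountable_disclosures(log: List[Disclosure], req: AccountingRequest) -> List[Disclosure]:
    """This patient's disclosures inside the six-year window, minus excluded purposes."""
    start = years_before(req.received_on, LOOKBACK_YEARS)
    return sorted((d for d in log if d.patient_id == req.patient_id
                   and start <= d.disclosed_on <= req.received_on
                   and d.purpose_code not in EXCLUDED_PURPOSES),
                  key=lambda d: d.disclosed_on)

def render_accounting(log: List[Disclosure], req: AccountingRequest) -> List[str]:
    """One line per recipient/purpose; repeated disclosures to the same recipient
    for the same purpose are summarised (first, last, count) per 164.528(b)(3)."""
    groups: Dict[Tuple[str, str], List[Disclosure]] = {}
    for d in accountable_disclosures(log, req):
        groups.setdefault((d.recipient, d.purpose_code), []).append(d)
    lines = []
    for (recipient, _), items in groups.items():
        first, last = items[0], items[-1]
        when = (str(first.disclosed_on) if len(items) == 1
                else f"{first.disclosed_on} to {last.disclosed_on} ({len(items)} disclosures)")
        addr = first.recipient_address or "address not known"
        lines.append(f"{when} | {recipient}, {addr} | {first.description} | {first.purpose_statement}")
    return lines

def response_deadline(req: AccountingRequest) -> date:
    """60 days from receipt; one 30-day extension, valid only if the written notice
    went out within the original 60 days (164.528(c)(1))."""
    deadline = req.received_on + timedelta(days=RESPONSE_DAYS)
    if req.extension_notice_on is not None:
        if req.extension_notice_on > deadline:
            raise ValueError("extension notice must be sent within the initial 60 days")
        deadline += timedelta(days=EXTENSION_DAYS)
    return deadline

def fee_permitted(prior_accountings: List[date], requested_on: date) -> bool:
    """First accounting in any 12-month period is free; a cost-based fee is allowed
    only for a further one within that period (164.528(c)(2))."""
    return any(years_before(requested_on, 1) < p <= requested_on for p in prior_accountings)

# Constructed sample log for patient P-1001; the request arrives 2024-03-01, so
# only disclosures dated 2018-03-01 or later can be in scope.
SAMPLE_LOG = [
    Disclosure("P-1001", date(2017, 6, 1), "State Health Dept", "123 Capitol St", "immunization record", "public_health", "Required immunization reporting"),  # too old
    Disclosure("P-1001", date(2019, 1, 10), "State Health Dept", "123 Capitol St", "lab result", "public_health", "Reportable disease report"),
    Disclosure("P-1001", date(2020, 1, 10), "State Health Dept", "123 Capitol St", "lab result", "public_health", "Reportable disease report"),
    Disclosure("P-1001", date(2021, 5, 3), "Acme Health Plan", None, "claim for office visit", "payment", "Claims processing"),  # TPO: excluded
    Disclosure("P-1001", date(2023, 8, 15), "County Court", "1 Court Plaza", "visit dates", "court_order", "Response to court order"),
    Disclosure("P-9999", date(2023, 9, 1), "County Court", "1 Court Plaza", "visit dates", "court_order", "Response to court order"),  # other patient
]
SAMPLE_REQUEST = AccountingRequest("P-1001", date(2024, 3, 1))

if __name__ == "__main__":
    print("respond by:", response_deadline(SAMPLE_REQUEST))
    for line in render_accounting(SAMPLE_LOG, SAMPLE_REQUEST):
        print(line)
```

Run against the sample log, the request dated 2024-03-01 yields two accounting lines (the two public-health reports collapsed into one summary line, plus the court-ordered disclosure) and a deadline of 2024-04-30; the 2017 entry falls outside the window, the 2021 claim is a TPO disclosure and stays out under the rule as codified, and the other patient’s entry is never considered. Because the exclusion set is data rather than logic, the same code serves once the HITECH expansion is finalized: remove the TPO codes for EHR-sourced entries and the accounting grows accordingly, provided the disclosures were logged in the first place.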

Case Study: Missed EHR Tracking Leads to OCR Penalty

A small family clinic received a formal patient request for an accounting of disclosures, as permitted under HIPAA and expanded by the HITECH Act. The compliance team acted quickly, compiling a detailed log of all known external releases of protected health information (PHI), including those sent to insurance carriers for claims processing and to outside specialists for coordinated care. This initial effort appeared complete and timely on the surface.

However, during an internal review, it became clear that the accounting had been built from the outgoing-correspondence file alone, while the EHR’s own audit logging had been disabled for internal activity. The clinic therefore had no record of billing staff reviewing patient files to verify insurance coverage, or of clinicians accessing charts for informal in-clinic consultations. Staff had assumed that internal treatment, payment, and healthcare operations (TPO) activity did not need to be recorded at all. Under 45 CFR § 160.103 those internal accesses are “uses” rather than “disclosures,” and § 164.528 does not require them in the accounting; but the Security Rule’s audit-controls standard (§ 164.312(b)) requires that they be recorded, and without that record the clinic could neither verify that its accounting was complete nor show which disclosures the EHR itself had made (such as claims transmitted to payers), the very disclosures HITECH § 13405(c) would bring into the accounting once implemented.

This gap not only exposed the clinic to regulatory risk but also highlighted a broader misunderstanding of the difference between a “use” and a “disclosure” under federal privacy rules, and of what must be logged regardless of that distinction.

OCR Findings:

The investigation revealed that EHR audit logging had been disabled for all internal treatment, payment, and healthcare operations (TPO) activity, because staff believed such “internal” accesses were exempt from tracking. That belief conflates two distinct obligations. Workforce access is a use, not a disclosure, and § 164.528 does not require it in an accounting; but the Security Rule’s audit-controls standard (45 CFR § 164.312(b)) requires mechanisms that record and examine activity in systems containing ePHI whether or not that activity is a disclosure. The missing logs also meant the clinic could not demonstrate which disclosures its EHR had made to outside parties, so it could not have supported the expanded accounting HITECH § 13405(c) anticipates.

Outcome:

The clinic entered into a $90,000 settlement with OCR. A corrective action plan required:

  • Enabling and maintaining comprehensive EHR audit logs.

  • Retraining all relevant staff on disclosure accounting obligations.

  • Implementing a standardized review process before fulfilling any patient requests for accounting of disclosures.

Lesson Learned:

This case underscores that “internal” does not mean “unlogged.” Workforce access to ePHI is a use rather than a disclosure and is not itself reported in an accounting, but it must be captured by audit controls; and disclosures the EHR makes to outside parties must be recorded with the § 164.528(b)(2) fields so they can be accounted for. Disabling audit logs creates costly compliance gaps on both fronts.

Common Pitfalls to Avoid

Pitfall                                 | Example                                                        | Risk
----------------------------------------|----------------------------------------------------------------|----------------------------------------------------------
Relying only on EHR vendor defaults     | Vendor logging excludes certain user activities or disclosures | Incomplete accounting, OCR fines
Treating internal activity as unlogged  | Disabling audit logging for billing staff’s record access      | Security Rule (§ 164.312(b)) violation; no record for breach investigation
Delaying patient responses              | Missing the 60-day deadline, or requesting an extension after it | Regulatory penalty and patient distrust
No centralized disclosure log           | Using scattered spreadsheets and notes                         | Inaccurate or incomplete reporting
Lack of vendor oversight                | Business associate fails to log disclosures                    | Shared liability for noncompliance

Step-by-Step Compliance Checklist

Task                                                | Responsible Party       | Frequency   | Reference
----------------------------------------------------|-------------------------|-------------|------------------------------------------
Enable full EHR audit logging and disclosure recording | Privacy Officer / IT | Ongoing     | 45 CFR § 164.312(b); § 164.528(b)(2); HITECH § 13405(c)
Maintain manual disclosure log for non-EHR events   | Privacy Officer         | Ongoing     | 45 CFR § 164.528(b)(2)
Train staff on accounting requirements              | Privacy Officer         | Annually    | 45 CFR § 164.530(b)
Review disclosure logs and retained accountings     | Privacy Officer         | Quarterly   | 45 CFR § 164.528(d); § 164.530(j)
Respond to patient requests within deadline         | Privacy Officer         | Per request | 45 CFR § 164.528(c)(1)
Verify business associate compliance                | Privacy Officer / Legal | Annually    | 45 CFR § 164.504(e)(2)(ii)(G)

Concluding Recommendations and Next Steps

HITECH’s expansion of the accounting of disclosures requirement reflects a broader shift toward transparency and patient empowerment. For small practices, this means:

  • Configuring systems to automatically track all disclosures

  • Maintaining parallel manual logs for non-digital events

  • Training all staff on the importance and scope of disclosure tracking

  • Holding vendors accountable for their role in compliance

By integrating these steps into daily operations, small practices can reduce compliance risks, respond confidently to patient requests, and strengthen the trust that is central to patient care.

Maintaining compliance is an ongoing process. By adopting a regulatory solution, your practice can track obligations in real time, complete risk assessments with confidence, and stay audit-ready, demonstrating proactive risk management and reinforcing trust with payers and patients.