HIPAA Privacy Rule: WHAT?
Accounting for disclosures of Protected Health Information (PHI)


The Privacy Rule grants to a patient a right to request and receive an accounting for some “disclosures” of PHI, including disclosures made in connection with certain research projects. An accounting is a record of each disclosure of each patient’s PHI. A right to an accounting only applies to disclosures of PHI, not to uses of PHI. Patients have a right to an accounting only of those disclosures made by researchers in connection with protocols conducted with a waiver of authorization. An accounting of disclosures is not required when a patient authorization is obtained.


You do NOT have to account for disclosures during the research study if:

  1. Disclosure was made pursuant to a patient authorization; or
  2. You are disclosing a limited data set; or
  3. You are disclosing de-identified information; or
  4. Your study has been determined by the IRB to be exempt under the Common Rule, because the existing information you are recording cannot be identified, directly or through identifiers linked to subjects [45 C.F.R. § 46.101(b)(4)].

You MUST account for disclosures if:

You make disclosures in connection with a protocol for which the IRB approved a waiver of authorization.


The Privacy Rule requires you to record the following information using the Disclosures Log:

  1. The name of each patient involved in the research whose PHI is disclosed;
  2. The name and address, if possible, of the person or entity to whom the PHI is disclosed;
  3. The date of disclosure;
  4. A brief description of the PHI disclosed; and
  5. A brief statement of the purpose of the disclosure or a copy of the request for the disclosure.

If multiple disclosures of PHI occur to the same person or entity for the same purpose, then after the first disclosure simply record the frequency of the disclosures and the date of the last disclosure.


  1. Patient presents to site of care—hospital, clinic, ambulatory surgery center—and requests an accounting. Time frame for requested accounting is established. For more information, refer to UW-Madison Policy and Procedure #7.1.

  2. Care site contacts University Privacy Officer with name of patient who has requested an accounting.

  3. University Privacy Officer contacts IRB for a list of protocols that received approvals for waivers of authorization and that stated intent to make disclosures. The IRB’s list will contain:

    Protocol number
    Protocol title
    PI name
    PI contact information

  4. University Privacy Officer contacts each PI on the IRB’s list for the following information about disclosures for each protocol in which the patient’s PHI may have been used:

    Name of person and entity to whom PHI was disclosed
    Address of person and entity to whom PHI was disclosed (if available)
    Date of disclosure
    Brief description of PHI disclosed
    Purpose of disclosure (or attach copy of request for disclosure)

  5. PI sends disclosure information to the University Privacy Officer.

  6. University Privacy Officer arranges with care site to make information about research disclosures available to the patient.

Last updated: August 26, 2003