
What Is a HIPAA Disclosure Accounting?

4 min read

Need a patient's accounting of disclosures? Run the disclosure-log report in your EHR's privacy or compliance module, filter out the exempt categories (TPO and the other exceptions in 45 CFR 164.528(a)), and export the result to CSV. Menu names differ by vendor; the paths in this article are generic.

What’s going on here?

HIPAA Disclosure Accounting (also called an Accounting of Disclosures, or AOD) is the Privacy Rule requirement (45 CFR 164.528) that a covered entity be able to account for every disclosure of a patient's protected health information (PHI) made by it or by its business associates, other than disclosures for Treatment, Payment, or Health Care Operations (TPO) and a short list of other exceptions (disclosures to the patient, disclosures the patient authorized in writing, incidental disclosures, facility directory and persons-involved-in-care disclosures, national security and correctional-institution disclosures, and limited data sets). A patient or their personal representative may request an accounting covering the six years before the request date, and the covered entity must act on it within 60 days, with one 30-day extension allowed if the patient is told the reason in writing. The documentation behind the accounting must be retained for six years (45 CFR 164.530(j)). This has been the rule since the Privacy Rule's 2003 compliance date.

How do I actually get this done?

  1. Find the disclosure log
    Epic, Cerner (Oracle Health), Meditech, and athenahealth each put this somewhere different and rename it between versions, so look in your EHR's privacy or compliance administration area for a report called something like Disclosure Tracking, Disclosure Log, or Accounting of Disclosures, and check the vendor's documentation rather than a memorized menu path.
  2. Pick your dates
    Enter the timeframe the patient asked for. The accounting can cover up to the six years before the date of the request (45 CFR 164.528(a)(1)); the patient may ask for less. The first accounting in any 12-month period must be free; you may charge a reasonable, cost-based fee for further requests in that period only if the patient was told in advance and given the chance to withdraw or narrow the request. Set the calendar picker to the full six-year window unless the request narrows it.
  3. Filter out the exempt stuff
    Apply the filter "Purpose ≠ exempt". That removes routine care, billing, and internal quality reviews (TPO), and also disclosures to the patient, disclosures made under the patient's signed authorization, incidental disclosures, facility-directory and persons-involved-in-care disclosures, national security and correctional disclosures, and limited data sets. What should remain are disclosures such as public health reporting, court orders and subpoenas, law enforcement requests, health oversight audits, abuse or neglect reports, and research done under an IRB or privacy board waiver rather than a signed authorization.
  4. Double-check the details
    Make sure every entry has the four elements 45 CFR 164.528(b)(2) requires: the date of disclosure; the name of the person or entity that received the PHI and, if known, their address; a brief description of the PHI disclosed; and a brief statement of the purpose that tells the patient the basis for the disclosure (or a copy of the written request, such as the court order). Repeated disclosures to the same recipient for the same purpose may be listed once with the first date, the frequency or number of disclosures, and the date of the last one.
  5. Export and eyeball it
    Export to CSV and open it in a spreadsheet. Sort by date and compare against what you know happened (the subpoena in the legal file, the report the lab sent to public health) to spot missing entries. If a row is blank or mislabeled, check the EHR's audit trail for the same date to see whether the event was logged under a different category. The export is itself PHI: keep it on an approved, access-controlled share, delete working copies once the accounting is delivered, and watch for the spreadsheet silently reformatting dates or stripping leading zeros from record numbers.

That didn’t work—now what?

  • Check the authorization records
    If the disclosure was for research and the patient signed a valid HIPAA authorization for it (45 CFR 164.508), it is exempt from accounting and will not appear in the AOD; that is correct, not a gap. Research disclosures that do belong in the accounting are those made without an authorization under an IRB or privacy board waiver (45 CFR 164.512(i)). Confirm those are being logged, and note that for research involving 50 or more patients' records the rule allows a summary entry per protocol (protocol name, purpose, type of PHI, date range, sponsor and researcher contact) instead of one line per disclosure.
  • Include business associate disclosures
    Disclosures a business associate (lab courier, transcription service, and so on) made on your behalf belong in the accounting as well, and every BAA must require the business associate to make the information needed for an accounting available to you (45 CFR 164.504(e)(2)(ii)(G)). Re-run the report with business associate disclosures included if your EHR tracks them. If it does not, request the business associate's own disclosure log for that patient and merge it with yours.
  • Check for a merged or archived record
    If the EHR shows zero disclosures for the patient, check whether the record was merged or archived; the disclosure history may sit under the retired (donor) medical record number. Look at the EHR's merge history or audit trail, or ask your IT help desk to surface the original record so you can pull the report against it.

How do I keep this from becoming a nightmare later?

  • Test your audit trail (quarterly)
    Every three months, pick a few recent Release of Information requests and non-routine disclosures you know about (a subpoena, a public health report), run the AOD report for those patients, and confirm each one appears with all four required elements.
  • Update your BAAs (annually)
    Review every Business Associate Agreement once a year. Confirm it requires the business associate to log disclosures and to make the information needed for an accounting available to you, and that you know whom to contact to get it. Track renewals in your contract-management system.
  • Train your staff (twice a year)
    Run a short refresher, using HHS's HIPAA training materials as a base, on which disclosures are accountable and which are exempt, and on how to record a disclosure made outside the EHR (a fax to a court, a phone request from law enforcement). Log completion in your LMS.
  • Take inventory of your PHI (annually)
    Once a year, map every system that stores or sends PHI (EHR, lab systems, billing platforms, fax servers). Flag any that are not feeding the AOD module. Either migrate the data or keep a simple spreadsheet log in a controlled location (columns: Date, Recipient Name, Recipient Address, PHI Description, Purpose or Request Reference) so nothing falls outside the accounting.
This article was researched and written with AI assistance, then verified against authoritative sources by our editorial team.
Written by TechFactsHub Networking Team

Covering Android, networking, WiFi, security, privacy, and smart home devices.
