Typically Included Disclosure Types for AOD Reports

Accounting of disclosures (AOD) is one “patient right” listed within the HIPAA Privacy Rule. Since the rules were implemented in 2003, AOD has been a topic of much discussion but has not generated much regulatory action from the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) or from patients requesting fulfillment of this right. Few facilities receive these types of requests, and many patients aren’t aware they have this right or what to expect from a request.


The list that follows details disclosure types that typically are included on an AOD report:

  • Subpoenas
  • Law enforcement requests
  • Court orders
  • State required reporting from medical records
  • Birth certificates
  • Insurance company reviews
  • Other external reviewers that are not TPO (RAC is TPO)
  • State Department of Health for medical record requests
  • Joint Commission
  • NB Screening Program
  • Incident reporting to outside entities
  • Government discharge reporting
  • Other planning databases and reporting
  • Disclosures by Business Associates that are not for TPO
  • Underage pregnancy reporting
  • Communicable disease reporting
  • Research disclosures, research disclosures under IRB or Privacy Board waiver
  • Public Health Agencies
  • Health oversight agencies
  • State neonatal reporting
  • Birth defects registry
  • Cancer registry
  • Trauma registry
  • Death registry
  • Poison control
  • County medical examiner
  • Disclosures to funeral homes
  • Reporting to the FDA, CDC, DEA, EPA, OSHA, FEMA, NTSB, DOJ, etc.
  • Disclosures made by BAs for non-TPO purposes
  • Organ procurement
  • For public health surveillance activities (tracking infectious diseases)
  • For public health investigations
  • For public health interventions (e.g., actions taken to limit health authorities (for example, with China, to track and limit the spread of SARS)
  • Birth records reporting
  • Death records reporting
  • Elder abuse/neglect reporting
  • Teen suicide reporting
  • Patient safety reporting (such as to a state department of health)
  • To prevent serious harm (needle stick reporting)
  • Communicable disease reporting
  • Reporting of adverse events, product defects, or biological product deviations
  • To track products
  • To enable product recalls, repairs, or replacements
  • To conduct post-marketing surveillance
  • To manufacturers of defective products
  • To employer requesting health care be provided to an employee when made w/o the employee’s authorization for medical surveillance purposes, in relation to a work related injury or illness, and needed for the employer to comply with OSHA, the Mine Safety and Health Administration (MSHA), or similar state law
  • Required reporting to government benefit programs (such as Medicare, Medicaid)
  • Compliance activities (such as compliance with government benefit programs)
  • Required by civil rights laws
  • Reporting to trauma registry
  • Reporting to tumor registry
  • Alzheimer’s and other dementia reporting
  • Disclosures in judicial and administrative proceedings
  • In response to a court order
  • In response to a subpoena
  • As required by law
  • In response to court order, court ordered warrant, subpoena, or summons
  • In response to an administrative request
  • For purposes of locating a suspect, fugitive, material witness, or missing person
  • During emergency treatment, crime is elsewhere
  • About crime victims
  • About crimes on the health care organization’s premises
  • About suspicious deaths (suspected homicide or suicide)
  • To avert a serious threat to health or safety (of an individual or the public)
  • To coroner or medical examiner
  • To funeral directors
  • For organ, eye, or tissue donation/procurement purposes
  • When an institutional review board waiver is used in place of a patient authorization to release PHI
  • In reviews preparatory to research
  • In research on decedent’s information
  • To department of state related to medical suitability (for example, an individual’s PHI may be disclosed to determine if she is available to serve overseas)
  • By government programs providing public benefits
  • About foreign military personnel to appropriate foreign military authority
  • For military and veterans activities
  • To protective services
  • To state health data commission (unless operations)
  • To U.S. embassies
  • To contractors and business associates (if not for treatment, payment, or healthcare operations)
  • To vendors (if not for treatment, payment, or healthcare operations)
  • To comply w/existing laws, e.g. Workers Comp (see state law)
  • Pursuant to a breach, wrongful access, use or disclosure, whether reportable or not under breach notification as these are not an authorized or TPO type disclosure.


This list of disclosure types is published as an addition to the article “Checking In on Accounting of Disclosures” that appeared in the Journal of AHIMA’s November issue, by Kathy Downing, MA, RHIA, CHP, PMP, and Kelly McLendon, RHIA, CHPS.

Kathy Downing (kathy.downing@ahima.org) is a director of HIM practice excellence at AHIMA. Kelly McLendon (kmclendon@complianceprosolutions.com) is managing director at CompliancePro Solutions.


1 Comment

  1. My calls to records dept. are directed to the hospital’s rep., & requested documents are trickling in.
    These documents were not provided upon discharge, & I am deeply disturbed reviewing forged consent forms, one in particular allowing hospital staff to photograph/video record me during my stay.

    I never liked hospital’s & now after my last experience, I would not seek treatment if I were bleeding profusely. California does not have laws to hold health care providers accountable for their negligence.

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Share This

Share This

Share this post with your friends!