§164.528(b) Implementation specifications: Content of the accounting. The covered entity must provide the individual with a written accounting that meets the following requirements.
(1) Except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity.
(2) Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: (i) The date of the disclosure; (ii) The name of the entity or person who received the protected health information and, if known, the address of such entity or person; (iii) A brief description of the protected health information disclosed; and (iv) A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure under §§ 164.502(a)(2)(ii) or 164.512, if any.
(3) If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under §§ 164.502(a)(2)(ii) or 164.512, the accounting may, with respect to such multiple disclosures, provide: (i) The information required by paragraph (b)(2) of this section for the first disclosure during the accounting period; (ii) The frequency, periodicity, or number of the disclosures made during the accounting period; and (iii) The date of the last such disclosure during the accounting period.
(4)(i) If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with § 164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: (A) The name of the protocol or other research activity; (B) A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records; (C) A brief description of the type of protected health information that was disclosed; (D) The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period; (E) The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and (F) A statement that the protected health information of the individual may or may not have been disclosed for a particular protocol or other research activity. (ii) If the covered entity provides an accounting for research disclosures, in accordance with paragraph (b)(4) of this section, and if it is reasonably likely that the protected health information of the individual was disclosed for such research protocol or activity, the covered entity shall, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher.

Audit Inquiry

Does the covered entity have policies and procedures consistent with the established performance criterion to provide an accounting that contains the content listed?
Obtain and review policies and procedures to determine whether the policies and procedures accurately provide for inclusion of the content listed in the established performance criterion.
Obtain and review a sample of requests for accounting and entity fulfillment of those requests to consider whether the accountings provided meet the established performance criterion.