Tracking and Accounting for Research Disclosures of PHI

February 2015

1) What are “tracking and accounting” and what must I do?

The HIPAA Privacy Rule gives a person the right to request a written record (“an accounting”) when a covered entity has made certain disclosures of that person’s protected health information (“PHI”).  The accounting must include all covered disclosures in the six years prior to the date of the person’s request.

The principal investigator of a JHM IRB-approved research project or a project for which the IRB has granted exempt status is responsible for compliance with the following two HIPAA accounting requirements:

  • Tracking certain disclosures of an individual subject’s PHI, or of all subjects’ PHI, that are made by any member of the study team; and
  • Providing the disclosure tracking information to the JH Privacy Office or to Health Information Management (HIM) (as explained below).

The JH Privacy Office responds to patient requests for accountings and uses the information provided by the principal investigator and by HIM for this purpose.

2)  What is a “disclosure,” and which disclosures are covered?

Disclosures occur whenever PHI is shared with a person or organization outside the JH covered entities, unless the covered entity has designated a recipient as a “workforce member” of the covered entity. 

Note:  The BSPH is not a JH covered entity; however, a JHM PI must track PHI shared with someone at BSPH only under the following circumstances:

  • The recipient of the PHI at BSPH is not a member of the JHM study team (either as a co-investigator or study staff); AND
  •  The recipient of the PHI at BSPH was not listed in a HIPAA authorization signed by the research subjects (e.g., the PHI is shared under an IRB waiver, or for research on decedents’ PHI). 

[Official members of the study team for a JHM IRB study who have completed all required training are considered members of the JHM workforce for tracking purposes.]

Not all disclosures must be tracked:  For example, the Privacy Rule does not require JHM to account for disclosures that a person has authorized. Disclosures that need not be tracked include:

  • Disclosures covered by a HIPAA authorization form that the person or his or her personal representative has signed,
  • Disclosures of PHI in the form of a limited data set;
  • Disclosures made to the subject of the PHI; and
  • Disclosures that JHM makes for treatment, payment, QA/QI, or internal audit or investigation purposes.

There are other categories of disclosures that must be tracked:

The first category is general disclosures.  General disclosures of PHI include those made as required by or authorized by other law (such as disclosures to public health authorities or law enforcement), or made in response to court orders, subpoenas, etc (with certain exceptions, as noted above). 

An investigator, who will make a general disclosure of PHI from clinical records, should consult the JH Privacy Office (Phone: 410-614-9900). General disclosures should be tracked using the form 8.4 Tracking Form for Permitted Disclosures of PHI From Clinical or Research Records. When a general disclosure is made from research records, this tracking form should be submitted to the JH Privacy Office via email ([email protected]) or fax (443-529-1548).  When a general disclosure is made from clinical records, form 8.4 should be completed and sent to the applicable HIM department.

The second category is disclosures (whether from clinical or research records) of PHI for a research project if the PHI was or will be obtained or disclosed without individual authorization.  Specifically, the investigator must track the following:

  • When PHI will be disclosed in the course of a research project for which the IRB has issued a waiver of authorization (this would include a disclosure of PHI collected under a partial waiver for screening/recruitment purposes); and
  • When PHI will be disclosed for research limited to decedents’ information (despite the fact that authorization is not required for such research, disclosures must still be tracked).  NOTE: Research PHI that has been obtained by a researcher from one of the  Johns Hopkins Covered Entities and Related OHCA Participants through a review preparatory to research is not to be removed from the covered entity (i.e., disclosed) by the researcher in the course of the review.  Therefore, the matter of tracking should not arise in a review preparatory to research.

3)  How do I track research disclosures?

The investigator should maintain a record of all disclosures (as described above) made by the research team that are subject to the HIPAA tracking requirement. 

The investigator must also transmit this tracking information promptly to the JH Privacy Office (via fax or email) or HIM, as applicable, using one of the tracking forms available on the OHSR website HIPAA section.

  • When the investigator or any member of the study team will make a disclosure (whether from clinical or research records) for a general purpose, the investigator should complete and submit Form 8.4 (General Disclosure tracking form).
  • For disclosures of PHI in connection with waived research or decedents’ research (as described above), complete and submit one of the following forms:
  • For a one-time disclosure of PHI about a single individual for a research purpose, use Form 8.1.
  • For repeated disclosures of one individual’s PHI to the same person/entity (e.g., over a period of time) for a research purpose, use Form 8.2 .

4)  What are some examples of how to track research disclosures?

  • A JHM researcher receives IRB approval of a waiver of consent and authorization to create a database of JHM PHI that the researcher will analyze along with another investigator at BSPH (or at another institution) who is not a member of the JHM study team.  The investigator must complete a Form 8.1 for each subject and email these forms to the JH Privacy office. An investigator receives IRB approval of a waiver of consent and authorization to conduct a longitudinal study in which JHM PHI will be abstracted from subjects’ medical records over a period of time.  The data will also be analyzed by an investigator at another institution who is not a member of the JHM study team. To track this disclosure of PHI to the outside investigator, the JHM investigator must submit a Form 8.2 for each subject.
  • An investigator has received IRB approval of a waiver of consent and authorization to conduct a chart review study funded by a pharmaceutical company.  Certain HIPAA identifiers (e.g., date of birth and date of diagnosis) will be shared with the study sponsor.  The investigator should submit Form 8.1 for each subject.

For questions about tracking general disclosures from a research database

The JH Privacy Office
[email protected]

If you have questions about IRB approval of waiver of consent/authorization, please contact a member of the Office of Human Subjects Research compliance group at: 410-955-3008.