Organizational Policy on Tracking, and Right for an Accounting of, Disclosures from Research Records (Policy No. HIPAA 164.4)

February 2015

Definitions

Disclosure means the release, transfer, provision of, access to, or the divulging in any manner of PHI to persons or entities outside of the Johns Hopkins Covered Entities and Related OHCA Participants.

HIPAA means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended.

Individual means the person who is the subject of PHI.

Johns Hopkins Covered Entities and Related OHCA Participants -- see Johns Hopkins Privacy Office website for HIPAA Forms/Policies Templates or http://intranet.insidehopkinsmedicine.org/privacy_office

Johns Hopkins means the Johns Hopkins University School of Medicine (JHU SOM).

Permitted General Disclosures For Which Tracking Is Required are any of the following:

  1. Disclosures Required by Law
  2. Disclosures for Public Health Activities
  3. Disclosures About Victims of Abuse or Neglect of Children or Vulnerable Adults
  4. Disclosures for Health Oversight Activities
  5. Disclosures for Judicial and Administrative Proceedings (subpoenas, court orders, etc.)
  6. Disclosures for Law Enforcement Purposes
  7. Disclosures About Decedents to Medical Examiners and Funeral Directors
  8. Disclosures for Organ and Transplant Donation Purposes
  9. Disclosures to Avert a Serious Threat to Health or Safety
  10. Disclosures for Specialized Government Functions
  11. Disclosures to the Secretary pursuant to HIPAA.

Permitted Research Disclosures For Which Tracking Is Required are any of the following:

  1. Disclosures of Research PHI pursuant to an IRB/PB waiver of the authorization requirement
  2. Disclosures of Research PHI on a decedent where no authorization on behalf of the individual has been obtained

PHI means protected health information, i.e., individually identifiable health information.

Privacy Regulations means the regulations promulgated by the Secretary of the Department of Health and Human Services to implement portions of HIPAA that concern the confidentiality of health information, as amended from time to time; these regulations currently include 45 CFR §§ 160 and 164, subparts A, D, and E.

Research PHI means PHI held as part of, or used in, any research protocol of any of the Johns Hopkins Covered Entities and Related OHCA Participants.

Secretary means the Secretary of the federal Department of Health and Human Services.

Policy

It is the policy of Johns Hopkins to protect the privacy rights of all patients, health plan members, employees, students and donors; to maintain the confidentiality of patient information, health plan information, medical records, research information and business operations; and to comply with all applicable laws and regulations, including the Privacy Regulations under HIPAA.

Individuals have a right to receive an accounting of disclosures of their health information made by or through Johns Hopkins Covered Entities and Related OHCA Participants in the six years prior to the date on which the accounting is requested, except for the following (the “Tracking Exceptions”):

  1. Disclosures for treatment, payment and health care operations;
  2. Disclosures to the individual who is the subject of the health information or to their duly constituted patient representative;
  3. Disclosures incident to an otherwise permitted or required use or disclosure;
  4. Disclosures to parties the individual or their duly authorized patient representative authorized to receive health information (i.e., disclosures pursuant to an authorization);
  5. Disclosures made to family members, other relatives or friends who are involved in the individual’s care, or who otherwise need to be notified of the individual’s location, general condition or death;
  6. Disclosures for the facility’s patient directory;
  7. Disclosures for national security or intelligence purposes;
  8. Disclosures to correctional institutions or law enforcement custodial officials;
  9. Disclosures as part of a limited data set.

Procedures

Tracking Disclosures:

  1. General

a. Certain disclosures of Research PHI must be “tracked.”  Therefore, except for disclosures that fall within the Tracking Exceptions (which include disclosures pursuant to HIPAA compliant authorizations), information on disclosures of Research PHI must be maintained.  The time period for maintaining such information is for the prior seven years.

b. There are two types of permitted disclosures of Research PHI that must be tracked.  They are “Permitted General Disclosures For Which Tracking Is Required” and “Permitted Research Disclosures For Which Tracking Is Required” (see definitions above). Different forms are available to track disclosures of Research PHI in these different situations.  Further, disclosures of Research PHI that are made by mistake or to the wrong person must be immediately reported to the Johns Hopkins Privacy Office, in compliance with their breach reporting requirements to [email protected]. The JH Privacy Office will track these disclosures as part of the breach reporting process.

c. Subject to the Tracking Exceptions (which include disclosures pursuant to HIPAA compliant authorizations), if Research PHI is disclosed to an entity which is NOT one of the Johns Hopkins Covered Entities and Related OHCA Participants, or a workforce member of one of the Johns Hopkins Covered Entities and Related OHCA Participants, as part of the research process (for example, when it is shared with a co-researcher at another study center or with the sponsor of the study), then such disclosure must be tracked for accounting of disclosures purposes.

d. Research PHI that has been obtained by a researcher from one of the Johns Hopkins Covered Entities and Related OHCA Participants through a review preparatory to research is not to be removed from the covered entity (i.e., disclosed) by the researcher in the course of the review.  Therefore, the matter of tracking should not arise in a review preparatory to research.

e. The tracking of disclosures must be noted in the appropriate IRB databases. [Currently, there are no such databases.  Therefore, until one or more is established, the tracking should be maintained in each protocol’s database and a copy of the completed form should be submitted to the JH Privacy Office at [email protected] .]  

f.   

(i) An individual’s right to receive an accounting of disclosures to a health oversight agency or law enforcement official will be temporarily suspended, for the time specified by such agency or official, if such agency or official provides Johns Hopkins with a written statement that such an accounting to the individual would be reasonably likely to impede the agency’s activities and specifying the time for which such a suspension is required.

(ii)  If the agency or official statement is made orally, Johns Hopkins will:

(a)  Document the statement, including the identity of the agency or official making the statement;

(b)  Share the document of the oral statement with the JH Privacy Office so they can temporarily suspend the individual’s right to an accounting of disclosures subject to the statement; and limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement is submitted to the JH Privacy Office during that time.

2. Tracking Permitted General Disclosures For Which Tracking Is Required

a. The information to be maintained must include the following for each individual for each disclosure:

(i)  The date of the disclosure;

(ii) The external entity or person who received the PHI and their address (if known);

(iii) A brief description of the Research PHI disclosed; and

(iv) A brief statement of the purpose of the disclosure that reasonably identifies the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure by the Secretary or for Permitted General Disclosures For Which Tracking Is Required, if any.

b. HIPAA IRB Form 8.4 is to be used for the tracking of Permitted General Disclosures For Which Tracking Is Required. A copy of the completed HIPAA IRB Form 8.4 should be submitted to the JH Privacy Office at [email protected] .

3. Tracking Permitted Research Disclosures For Which Tracking Is Required

a. General Rule

(i)  Unless Subsection 3b applies, the information to be maintained must include the following for each individual for each disclosure:

(a) The date of the disclosure;

(b) The external entity or person who received the PHI and their address (if known);

(c) A brief description of the Research PHI disclosed; and

(d) A brief statement of the purpose of the disclosure that reasonably identifies the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure by the Secretary or for Permitted Research Disclosures For Which Tracking Is Required, if any.

(ii) HIPAA IRB Form 8.1 is to be used for the tracking of Permitted Research Disclosures For Which Tracking Is Required that come under this Subsection 3.a. A copy of the completed HIPAA IRB Form 8.1 should be submitted to the JH Privacy Office at [email protected] .

b.   Multiple Disclosures to the Same Person

(i)  Tracking for multiple disclosures of Research PHI to the same person or entity for a single purpose may be made by including the following:

(a)  The information described in subsection 3(a)(i) for the first disclosure during the tracking period;

(b) The frequency, periodicity or number of disclosures made during the tracking period; and

(c) The date of the last such disclosure during the tracking period.

(ii)  HIPAA IRB Form 8.2 is to be used for the Tracking of Permitted Research Disclosures For Which Tracking Is Required that come under this Subsection 3.b. A copy of the completed HIPAA IRB Form 8.2 should be submitted to the JH Privacy Office at [email protected] .

Requests for Accounting of Disclosures:

  1. An individual may request an accounting of disclosures by completing a “Request for An Accounting of Disclosures of My Protected Health Information” form.
  2. All requests for an accounting of disclosures received by a researcher must be forwarded promptly to the Johns Hopkins Privacy Officer who shall be responsible for coordinating and overseeing the response to the request. Requests for an accounting of disclosures shall be processed in accordance with Johns Hopkins HIPAA Policy A064.