Under HIPAA, a “disclosure accounting” is required
The Correct Answer and Explanation is :
Under the Health Insurance Portability and Accountability Act (HIPAA), a “disclosure accounting” is required for all human subjects research that uses Protected Health Information (PHI) without an authorization from the data subject, except for limited data sets.
HIPAA mandates that covered entities maintain a record of certain disclosures of PHI made without patient authorization. This record, known as an accounting of disclosures, must be provided to individuals upon request. The purpose is to enhance transparency and allow individuals to understand how their health information has been shared, thereby fostering trust in the handling of their sensitive data.
The accounting must include specific details for each disclosure:
- Date of the disclosure
- Name and address of the entity or person who received the PHI
- Brief description of the PHI disclosed
- Brief statement of the purpose of the disclosure
However, there are notable exceptions to this requirement. Disclosures made for treatment, payment, and healthcare operations are exempt from accounting. Additionally, disclosures to the individual themselves, those made pursuant to an authorization, and those that are part of a limited data set are also excluded.
In the context of research, if PHI is disclosed without patient authorization, an accounting is generally required. An exception exists for limited data sets, which are partially de-identified datasets used for research, public health, or healthcare operations under a data use agreement. These limited data sets exclude direct identifiers, thereby reducing privacy risks, and disclosures of such data sets do not require accounting.
It’s important to note that the first accounting provided to an individual within any 12-month period must be free of charge. For subsequent requests within the same period, a reasonable, cost-based fee may be charged, provided the individual is informed in advance and given an opportunity to modify or withdraw the request to avoid or reduce the fee.
Maintaining accurate records of disclosures is crucial for compliance with HIPAA regulations. Covered entities must implement systems to track and document disclosures appropriately, ensuring they can provide a complete accounting when requested by an individual. This practice not only complies with legal requirements but also promotes transparency and trust between healthcare providers and patients.