Under HIPAA, a “disclosure accounting” is required: For all research where the data crosses state lines, otherwise state law applies. For all human subjects research that uses PHI. Solely at the principal investigator’s discretion. For all human subjects research that uses PHI without an authorization from the data subject, except for limited data sets.
The Correct Answer and Explanation is :
The correct answer is:
For all human subjects research that uses PHI without an authorization from the data subject, except for limited data sets.
Explanation
Under the Health Insurance Portability and Accountability Act (HIPAA), the Privacy Rule establishes standards for the use and disclosure of Protected Health Information (PHI). A disclosure accounting is a record of disclosures of PHI made by a covered entity or business associate. This is required to ensure transparency and provide data subjects with insight into how their PHI is used or shared.
HIPAA specifically requires an accounting of disclosures of PHI in certain circumstances, including:
- For all human subjects research using PHI without an individual’s authorization: When PHI is disclosed for research purposes without the explicit consent or authorization of the data subject, the entity must maintain a record of such disclosures. This requirement ensures accountability and enables individuals to request and review an accounting of when and why their PHI was shared.
- Exception for limited data sets: A limited data set is a form of PHI that excludes direct identifiers (e.g., names, addresses, social security numbers) and can be disclosed under a data use agreement. Disclosures of limited data sets for research, public health, or healthcare operations do not require an accounting under HIPAA.
Key Considerations
- Disclosure accounting is required unless the data subject has authorized the release or the disclosure falls under an exemption.
- Principal investigator discretion does not dictate whether a disclosure accounting is required; it is a legal obligation under HIPAA.
- State laws may impose additional requirements but do not replace the HIPAA accounting requirements.
By requiring this accounting, HIPAA ensures that individuals retain control over their sensitive health information and fosters trust in the use of PHI for research and other purposes.