Privacy Rule Overview

Similar documents
HIPAA & Research Overview for the Privacy Board March 22, UAMS HIPAA Office Vera M. Chenault, JD

Module: Research and HIPAA Privacy Protections ( )

LifeBridge Health HIPAA Policy 4. Uses of Protected Health Information for Research

The Impact of The HIPAA Privacy Rule on Research

HIPAA COMPLIANCE APPLICATION

Use And Disclosure Of Protected Health Information (PHI) For Research

The Queen s Medical Center HIPAA Training Packet for Researchers

HIPAA Privacy Regulations Governing Research

Recruiting subjects for clinical research outside the academic setting

INSTITUTIONAL REVIEW BOARD Investigator Guidance Series HIPAA PRIVACY RULE & AUTHORIZATION THE UNIVERSITY OF UTAH. Definitions.

The HIPAA Privacy Rule and Research: An Overview

YALE UNIVERSITY THE RESEARCHERS GUIDE TO HIPAA. Health Insurance Portability and Accountability Act of 1996

New HIPAA Privacy Regulations Governing Research. Karen Blackwell, MS Director, HIPAA Compliance

REQUEST TO ACCESS EXISTING MEDICAL RECORDS, CHARTS OR DATABASES FOR RESEARCH

DANA-FARBER / HARVARD CANCER CENTER POLICIES FOR HUMAN SUBJECT RESEARCH TITLE:

Privacy Board Standard Operating Procedures

HIPAA Policies and Procedures Manual

San Francisco Department of Public Health Policy Title: HIPAA Compliance Privacy and the Conduct of Research Page 1 of 10

TRICARE Management Activity s Human Research Protection Program, Data Sharing Agreement Program, and the TMA Privacy Board

IRB 101. Rachel Langhofer Joan Rankin Shapiro Research Administration UA College of Medicine - Phoenix

System-wide Policy: Use and Disclosure of Protected Health Information for Research

Navigating HIPAA Regulations. Michelle C. Stickler, DEd Director, Research Subjects Protections

PRIVACY IMPACT ASSESSMENT (PIA) For the. Department of Defense Consolidated Cancer Registry (CCR) System. Defense Health Agency (DHA)

Office of Human Research Office of Human Research Policy and Procedure Manual. Version: 4/4/18

Access to Patient Information for Research Purposes: Demystifying the Process!

The University of Chicago Medicine Privacy Program Accounting of Disclosures Definition Table

(Type inside gray boxes, cells will expand) A. EIGHT POINT CRITERIA for IRB Review

The HIPAA privacy rule and long-term care : a quick guide for researchers

APPLICATION FOR RESEARCH REQUESTING AN IRB WAIVER OF CONSENT AND HIPAA AUTHORIZATION

SCHOOL OF PUBLIC HEALTH. HIPAA Privacy Training

[Enter Organization Logo] CONSENT TO DISCLOSE HEALTH INFORMATION UNDER MINNESOTA LAW. Policy Number: [Enter] Effective Date: [Enter]

UNIVERSITY OF ILLINOIS HIPAA PRIVACY AND SECURITY DIRECTIVE

OVERVIEW OF THE USES AND DISCLOSURES OF PHI

SCREENING PROCEDURES: WHAT IS COVERED BY A

Saint Joseph Mercy Health System Institutional Review Board

DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION (PHI)

INSPIRing Changes to the IRB Process: New templates and more

New Study Submissions to the IRB

WHAT IS AN IRB? WHAT IS AN IRB? 3/25/2015. Presentation Outline

Human Subjects Research Policy Update. Naomi Coll Director of Research Policy and Compliance

Authorization and Waiver Frequently Asked Questions

DO I NEED TO SUBMIT FOR THIS?... & OTHER FREQUENTLY ASKED QUESTIONS. March 2015 IRB Forum

1. Contacts and Title

HIPAA PRIVACY NOTICE

UA New Common Rule Implementation

Southwest Acupuncture College /PWFNCFS

1. Department of Defense (DoD) Human Subjects Protection Regulatory Requirements

HIPAA PRIVACY TRAINING

CCSS: HIPAA-Compliant Recruitment. Dennis Deapen, DrPH CCSS Annual Investigators Meeting Memphis, TN October 9-11, 2005

Study Management PP STANDARD OPERATING PROCEDURE FOR Safeguarding Protected Health Information

Summary of the Common Rule Changes

UConn Health Office of Clinical & Translational Research Standard Operating Procedures

Exempt & Expedited Reviews. February 2017 IRB Member Training

USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION WITHOUT AUTHORIZATION

Managing Privacy Risk in Your Research and Development Enterprise. Sujata Dayal, Abbott Justin McCarthy, Pfizer

[Enter Organization Logo] USE AND DISCLOSURE OF MENTAL HEALTH RECORDS. Policy Number: [Enter] Effective Date: [Enter]

ETHICAL AND REGULATORY CONSIDERATIONS

HIPAA Privacy Policies & Procedures Table of Contents

UT Southwestern Medical Center Human Research Protection Program Policy, Procedure and Guidance Documents

THE JOURNEY FROM PHI TO RHI: USING CLINICAL DATA IN RESEARCH

FAQs March 12, 2012 FREQUENTLY ASKED QUESTIONS

Changes to the Common Rule

PROTECTING PATIENT PRIVACY IS NOT ONLY

TITLE: External Audits of DF/HCC Clinical Research SOP #: AUD-102 (formerly QA-706) Page: 1 of 8 Effective Date: 1/14/2016

AAHRPP Accreditation Procedures Approved April 22, Copyright AAHRPP. All rights reserved.

TITLE: Reporting Adverse Events SOP #: RCO-204 Page: 1 of 5 Effective Date: 01/31/18

Section 11. Recruitment of Study Subjects (Revised 7/1/10)

BANKS ON BANKS. Clinical Research Seminar March 20, 2013 Mary A. Banks Director BUMC IRB

DANA-FARBER / HARVARD CANCER CENTER STANDARD OPERATING PROCEDURES FOR HUMAN SUBJECT RESEARCH

1303A West Campus Drive

Submitting Requests for Exemption and Expedited Review to the IRB

Good Documentation Practices. Human Subject Research. for

R. Gregory Cochran, MD, JD

Pain Specialists of Greater Chicago Notice of Privacy Practices

Common Rule Overview (Final Rule)

INDIANA STATE UNIVERSITY POLICIES AND PROCEDURES FOR THE REVIEW OF RESEARCH INVOLVING HUMAN SUBJECTS

PATIENT BILL OF RIGHTS & NOTICE OF PRIVACY PRACTICES

Utilizing the NCI CIRB

HIPAA IMPLICATIONS: Patient Rights Under HIPAA

HIPAA PRIVACY RULE: LIMITING USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION TO THE MINIMUM NECESSARY

FAMILY MEDICAL ASSOCIATES OF RALEIGH 3500 Bush Street Raleigh, NC P: (919) F: (919)

Senior Care Pharmacy Wichita

Waiver of Informed Consent when Using Medical Records or Other Secondary Data or Specimens UNC-CH OHRE Guidance Document

HIPAA-HITECH HELPBOOK NJ Physician Practices

Balance Fitness and Nutrition

REPORT OF THE BOARD OF TRUSTEES. Protection of Clinician-Patient Privilege (Resolution 237-A-17)

Geisinger IRB Member Orientation Session 2. Debra L. Henninger, MHS RN CCRC Associate Director, Research Compliance

IRB Process for SURF April 21, 2015

Release of Medical Records in Ohio OHIMA. Ohio Revised Code (ORC) HIPAA

I. TITLE: RELEASE OF MEDICAL RECORDS FOR THE PURPOSE OF RESEARCH

EXEMPT RESEARCH. 1. Overview

JOINT NOTICE OF PRIVACY PRACTICES

Compliance Policy C-FMS Clinical Research Project Approval Application

The Revised Common Rule

HIPAA P12 CMS Data Use Agreements & Data Management Plans

NOTICE OF PRIVACY PRACTICES

Pablo Tebas, M.D. Joseph Quinn, RN, BSN Yan Jiang, RN, BSN, MSN

Emergency Medical Treatment and Active Labor Act (EMTALA) AUDIT GUIDE

Title: Investigator Responsibilities. SOP Number: 1501 Effective Date: June 2, 2017

Roles & Responsibilities of Investigator & IRB

Transcription:

Privacy Rule Overview Protected Health Information (PHI) is private information that is subject to special treatment under the HIPAA Privacy Regulations. PHI can only be used or disclosed in research if one of the following applies: 1. Written Authorization has been obtained from the patient-participant. 2. DFCI IRBs (which serve as the Privacy Boards for DFCI and DF/HCC human research) approve and document a formal Waiver of Authorization. 3. DFCI IRBs receive a satisfactory representation from the investigator that the research involves only a Review Preparatory to Research. 4. DFCI IRBs receive a satisfactory representation from the investigator that the research involves only Decedents Information. 5. DFCI IRBs determine that the research involves only De-identified Information. 6. DFCI IRBs determine that the research involves only a Limited Data Set(s) accompanied by Data Use Agreement. Privacy Rule requirements are in addition to human subject protection requirements. The following chart provides a brief overview of the six mechanisms identified above: Mechanism Minimum Necessary Standard Accounting of Disclosures Submission Requirements Documentation Requirements Retention Requirements Authorization Does Not Apply No IRB for processing Patient-Participant Authorization(s) Waiver/Alteration of Authorization Applies Yes, but simplified if 50 or more IRB for required determinations IRB Documentation Review Preparatory to Research Applies Yes, but simplified if 50 or more IRB for approval PI Representation & IRB Approval Research Using Decedents Info Applies Yes, but simplified if 50 or more IRB for approval PI Representation & IRB Approval Research Using De-Identified Info Does Not Apply No IRB for approval Research Using Limited Data Set Applies No IRB for approval PI Representation (or Statistician s Determination) & IRB approval PI Representation & Data Use Agreement & IRB approval Minimum Necessary Standard. A Covered Entity must use, disclose, or request the least amount of information needed for the intended purpose. If the entire medical record is desired, it must be justified as the minimum necessary. Although the Minimum Necessary Standard does not apply to Uses or Disclosures under an Authorization, all Uses and Disclosures are limited to the purposes described in the Authorization. Accounting for Disclosures. The Privacy Rule generally grants individuals the right to a written Accounting of Disclosures of their PHI made in the six years prior to their request for an Accounting. Accountings are required for Disclosures made under a Waiver of Authorization; research on Decedents Information; and Reviews Preparatory to Research. PHI from Other Covered Entities. DF/HCC institutions have entered into an Organized Health Care Arrangement. Under the agreement, the sharing of PHI between DF/HCC sites for DF/HCC supported research is not considered sharing outside of this Covered Entity. Investigators must observe the Privacy Rule requirements of any Covered Entity from which they access PHI. If the investigator removes PHI from another Covered Entity, then the DF/HCC Privacy Rule requirements also apply. Privacy Rule requirements are in addition to any human subject protection requirements with the DF/HCC and the other entity. Version: 09.10.08

Social & Behavioral Research General Information HIPAA governs the use or disclosure of Protected Health Information. HIPAA is not applicable to research that does not involve health information. HIPAA Privacy Rule requirements are in addition to IRB human subject protection requirements. Social and Behavioral research may or may not involve the use of Protected Health Information, and thus may or may not be subject to the HIPAA Privacy Rule. Example 1: Research studying how social interactions between colleagues at work affect productivity would not ordinarily involve the use or disclosure of health information and would, therefore, not be governed by the HIPAA Privacy Rule. Example 2: However, if the research also studies how an individual s history for treatment of emotional disorders or blood glucose levels affects productivity, the research would involve health information and, therefore, would require compliance with the HIPAA Research Privacy provisions. In this case, one of the following six mechanisms for using or disclosing Protected Health Information must be invoked. Most often, the Social and Behavioral research will involve health information (if unsure, please contact OHRS) and, therefore, will be governed by the HIPAA Privacy Regulations. This means that one of the following must be obtained to use or disclose Protected Health Information. OR Written Authorization from the patient-participant; A Waiver of Authorization approved by the DFCI IRB; OR A satisfactory representation (assurance) from the PI to the IRB that the research involves only: De-identified Information, or A Limited Data Set along with an accompanying Data Use Agreement; or A Review Preparatory to Research, or Research Involving Decedents Information. Epidemiology Research. Epidemiology research targets specific health outcomes, interventions, or disease states and attempts to reach conclusions about cost-effectiveness, efficacy, interventions, or delivery of services to affected populations. Some epidemiology research is conducted through surveillance, monitoring, and reporting programs such as those employed by the Centers for Disease Control and Prevention (CDC). Other epidemiology research may employ retrospective review of medical, public health, and/or other records. Depending upon the nature of the data collected, epidemiology research may be subject to the HIPAA Privacy Rule only, to IRB human subject protection requirements only, or to both.

Biomedical Research General Information HIPAA governs the use or disclosure of Protected Health Information. HIPAA is not applicable to research that does not involve health information. Privacy Rule requirements are in addition to IRB human subject protection requirements. Usually, the biomedical research will involve health information (if unsure, please contact OHRS) and, therefore, is governed by the HIPAA Privacy Regulations. This means that to use or disclose the Protected Health Information, one of the following must be obtained: OR Written Authorization from the patient-participant; A Waiver of the Authorization approved by the DFCI IRB. OR A satisfactory representation (assurance) from the PI to the DFCI IRB that the research involves only: De-identified Information, or A Limited Data Set along with an accompanying Data Use Agreement; or A Review Preparatory to Research, or Research involving Decedents Information. Epidemiology Research. Epidemiology research targets specific health outcomes, interventions, or disease states and attempts to reach conclusions about cost-effectiveness, efficacy, interventions, or delivery of services to affected populations. Some epidemiology research is conducted through surveillance, monitoring, and reporting programs such as those employed by the Centers for Disease Control and Prevention (CDC). Other epidemiology research may employ retrospective review of medical, public health, and/or other records. Depending upon the nature of the data collected, epidemiology research may be subject to the HIPAA Privacy Rule only, to IRB human subject requirements only, or to both.

Screening Records to Identify and/or Contact Prospective Participants For clinical trials, researchers often review medical records, clinic appointment logs and other documents to identify and/or contact prospective participants who meet specified enrollment criteria. This screening constitutes a Use or Disclosure of Protected Health Information and is covered by the HIPAA Privacy Rule. Since the identity of the prospective participants is usually not known until the researchers have reviewed the records, obtaining an Authorization is usually not practicable. Researchers ordinarily have two options for screening records in compliance with Privacy Rule requirements. Option A. Investigators can request a Waiver of Authorization to identify and/or contact prospective participants by applying to the DFCI IRB when all of the following circumstances are satisfied: The use or disclosure of Protected Health Information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: (1) an adequate plan to protect the identifiers from improper use and disclosure; (2) an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for regaining the identifiers or such retention is otherwise required by law; (3) Adequate written assurances that the Protected Health Information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research, or for other research for which the use or disclosure would be permitted under the Privacy Rule; The research could not practicably be conducted without the waiver; The research could not practicably be conducted without access to and use of the Protected Health Information. Note: If the screening information is to be used to contact prospective participants, or if it is to be shown or given to the sponsor or others, the request for Waiver of Authorization must specify how and by whom prospective participants will be contacted, and/or how and why the information will be disclosed. A submission to the DFCI IRB is also required for review of human subject protection requirements. Option B. A more limited option is to propose a Review Preparatory to Research. Investigators can submit to the IRB a representation of a Review Preparatory to Research when all of the following circumstances are satisfied: The Use or Disclosure is being sought solely to review Protected Health Information as necessary to prepare a research protocol or for similar purposes preparatory to research; No Protected Health Information is to be removed from the Covered Entity by the researcher in the course of the review; The Protected Health Information for which use or access is sought is necessary for the research purposes. Note: Under this option, personnel at DF/HCC sites may record information with identifiers, but the information may not be removed from DF/HCC sites at any time, and IRB Human Subject approval is required. Only members of the workforce at DF/HCC sites may contact prospective research participants under this option. Prospective participants may not be contacted by sponsors or any other persons who are not personnel of the covered entity. Information may also be accessed through use of a De-identified Data Set or a Limited Data Set.

Screening Non-DF/HCC Site Records to Identify and/or Contact Prospective Participants For clinical trials, researchers often review medical records, clinic appointment logs and other documents to identify and/or contact prospective participants who meet the enrollment criteria. This screening constitutes a Use or Disclosure of Protected Health Information and is covered by the HIPAA Privacy Rule. Since the identity of the prospective participants is usually not known until the researchers have reviewed the records, obtaining an Authorization is usually not practicable. In instances where researchers are reviewing records at another Covered Entity, the privacy requirements set forth by that Covered Entity should be followed. However, as a general guideline, researchers will have two options when conducting pre-screening such that they comply with the Privacy Rule requirements: Option A. Investigators can request a Waiver of Authorization from the IRB or Privacy Board at the other Covered Entity when all of the following circumstances are satisfied: The use or disclosure of Protected Health Information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: (1) an adequate plan to protect the identifiers from improper use and disclosure; (2) an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for regaining the identifiers or such retention is otherwise required by law; (3) Adequate written assurances that the Protected Health Information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research, or for other research for which the use or disclosure would be permitted under the Privacy Rule; The research could not practicably be conducted without the waiver; The research could not practicably be conducted without access to and use of the protected health information. Note: The request for Waiver of Authorization must specify how and why the information will be disclosed to you, as well as how and by whom prospective participants will be contacted. Submissions to the DFCI IRB and the IRB at the other Covered Entity are also required for review of human subject protection requirements. Option B. A more limited option is to propose a Review Preparatory to Research. Investigators can submit to the other Covered Entity s IRB or Privacy Board a representation of a Review Preparatory to Research when all of the following circumstances are satisfied: The Use or Disclosure is being sought solely to review Protected Health Information as necessary to prepare a research protocol or for similar purposes preparatory to research; No Protected Health Information is to be removed from the Covered Entity by the researcher in the course of the review; The Protected Health Information for which use or access is sought is necessary for the research purposes. Note: DFCI personnel may not remove the information from the Covered Entity at any time and may not contact prospective research participants under this option. Submissions to the DFCI IRB and the IRB at the other Covered Entity are also required for review of human subject protection requirements. Information may also be accessed through use of a De-identified Data Set or a Limited Data Set.

Retrospective Studies Using Existing Identifiable Health Information Many studies involve the collection and use of existing identifiable health information. Often under the Human Subject Protection regulations, these studies can be reviewed by an IRB member using an expedited review procedure. The Privacy Rule also applies to the Use and Disclosure of existing identifiable health information (Protected Health Information), and researchers have the following options to meet the Privacy Rule requirements: Option A. Investigators of the institution can request a Waiver of Authorization by applying to the DFCI IRB when all of the following circumstances are satisfied: The use or disclosure of Protected Health Information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: (1) an adequate plan to protect the identifiers from improper use and disclosure; (2) an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for regaining the identifiers or such retention is otherwise required by law; (3) Adequate written assurances that the Protected Health Information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research, or for other research for which the Use or Disclosure would be permitted under the Privacy Rule; The research could not practicably be conducted without the waiver; The research could not practicably be conducted without access to and use of the protected health information. More limited options include the following: Option B. Investigators can submit to the IRB a representation that the information has been De-identified when all of the following circumstances are satisfied: An expert has determined that the risk is very small that the information could be used, either alone or in combination with other reasonably available information to identify an individual; OR (1) The many requisite identifiers of the individual or of the relatives, employers, or household members of the individual are all removed; (2) DF/HCC institutions do not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a participant of the information. Note: If codes are maintained to re-identify the De-identified information, then the following circumstances must also be satisfied: The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; The code or record identification is not used or disclosed for any other purpose and the mechanism for re-identification is not disclosed. Option C. Investigators can submit a representation to the IRB that the research involves a Limited Data Set when all of the following circumstances are satisfied: The many requisite identifiers of the individual or of relatives, employers, or household members of the individual are all removed; A Data Use Agreement has been obtained which stipulates that the recipient will use or disclose the information only for the limited purposes described in the agreement. NOTE: For all options, a submission to the DFCI IRB is also required for review of human subject protection requirements.

Retrospective Studies Using Existing De-Identified Health Information Many studies involve the collection and use of existing De-identified health information, often from a data registry or tissue repository. It is very important to distinguish De-identified information (as defined under the HIPAA Privacy Rule) from non-identifiable or anonymous information (as used under the human subject protection regulations). In the case of non-identifiable or anonymous information, there is no way to link the information to the individual from whom it was derived. However, De-identified information may include a code or link that permits the information to be re-identified, i.e., linked back to the individual from whom it was derived. Thus, De-identified information is potentially identifiable and cannot be considered anonymous from a human subject protection standpoint. Researchers have the following options to meet the Privacy Rule requirements when using De-identified information. A submission to the DFCI IRB is also required for review of human subject protection requirements. Option A. Investigators can request a Waiver of Authorization by applying to the DFCI IRB when all of the following circumstances are satisfied: The use or disclosure of Protected Health Information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: (1) an adequate plan to protect the identifiers from improper use and disclosure; (2) an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for regaining the identifiers or such retention is otherwise required by law; (3) Adequate written assurances that the Protected Health Information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research, or for other research for which the use or disclosure would be permitted under the Privacy Rule; The research could not practicably be conducted without the waiver; The research could not practicably be conducted without access to and use of the protected health information. Option B. A more limited option is a specific request to use De-Identified Information. Investigators can submit a representation to the DFCI IRB that the information has been De-identified when all of the following circumstances are satisfied: An expert has determined that the risk is very small that the information could be used, either alone or in combination with other reasonably available information to identify an individual; OR (1) The requisite identifiers of the individual or of the relatives, employers, or household members of the individual are removed; (2) DF/HCC institutions do not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. Note: If codes are maintained to re-identify the de-identified information, then the following circumstances must also be satisfied: The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; The code or record identification is not used or disclosed for any other purpose and the mechanism for re-identification is not disclosed. Information may also be accessed through use of a Limited Data Set. NOTE: For all options, a submission to the DFCI IRB is also required for review of human subject protection requirements.

Research on Decedent s Information The Human Subject Protection regulations apply to research involving living human beings. Accordingly, Human Subject Protection requirements typically do not apply to research involving decedents unless the research also involves information that identifies living individuals. However, the Privacy Rule does apply to decedents information. Researchers have the following options to meet the Privacy Rule requirements: DFCI investigators can submit a representation that the research involves Decedents Information to the DFCI IRB when all of the following circumstances are satisfied: The information is solely for research on the protected health information of decedents; Documentation of the death of such individual is available at the request of the covered entity; The protected health information is necessary for the research. Decedents Information may also be accessed through use of a Waiver of Authorization, a Deidentified Data Set, or a Limited Data Set.

Overview of Accounting of Disclosures Accounting of Disclosures. The Privacy Rule generally grants individuals the right to a written Accounting of Disclosures of their Protected Health Information made in the six years prior to their request for an Accounting. Accountings do not go back before April 14, 2003. In general, an Accounting of Disclosures must be provided within 60 days of receipt of the request. Required Accountings. According to the Privacy Rule, an Accounting of Disclosures is required for: 1. Routinely Permitted Disclosures (e.g., under public health authority, to regulatory agencies, to persons with FDA-related responsibilities) with limited exceptions (e.g., law enforcement, national security, etc.) 2. Disclosures made pursuant to: a. Waiver of Authorization b. Research on Decedents Information c. Reviews Preparatory to Research Elements of Accounting. When an Accounting of Disclosures is made, the Accounting must include the following elements: 1. All Disclosures of the individual s Protected Health Information made by the Covered Entity, including Disclosures to or by the Covered Entity s Business Associates 2. Date of each Disclosure 3. Name and address, if known, of the person or entity receiving the information 4. Brief description of the Protected Health Information disclosed, and 5. Brief statement of the purpose of and basis for the Disclosure, or a copy of the written request for the Disclosure. Elements of Simplified Accounting for Multiple Disclosures to the Same Person/Entity. Where multiple Disclosures of an individual s Protected Health Information have been made to the same person or Entity for a single purpose, a full Accounting of the first Disclosure is required as described in the section above. Accounting for subsequent Disclosures may be accomplished by providing the following: 1. The frequency, periodicity, or number of Disclosures made. 2. The date of the last Disclosure. Elements of Simplified Accounting of Disclosure of Protected Health Information for 50 or More Individuals. Where Disclosures of Protected Health Information for 50 or more individuals have been made for a single purpose, the Accounting may be accomplished by providing the following: 1. Name of the protocol or research activity 2. Brief description of the purpose of the research and criteria for record selection. 3. Brief description of the type of Protected Health Information disclosed. 4. Dates or time periods when Disclosure may have taken place. 5. Name, address, and phone number of sponsoring entity and research investigator. 6. Statement as to whether other Disclosures of the individual s Protected Health Information have been made.

2024 © careersdocbox.com Privacy Policy | Terms of Service | Feedback