Because these types of disclosures are already subject to specific tight oversight and review before they can occur, the additional protection of accounting for the disclosures seems unnecessary.įurthermore, because the accounting requirements do not apply to "uses" within a Covered Entity, the application of the accounting requirements to research conducted within hospitals and major academic research institutions depends entirely on the artificial "HIPAA relationship" between investigators and the institution, and results in disparate treatment of investigators depending on where they sit in regard to the Covered Entity. Investigators are required to establish a certain standard of privacy protection before the IRB may grant a waiver or alteration of authorization or before the institution may permit an investigator access to PHI for review preparatory to research purposes. SACHRP's conclusion that research disclosures should be exempted from the accounting requirements is based primarily on the fact that the Privacy Rule already imposes sufficient protections for the types of research disclosures to balance any diminishment of individuals' rights to an accounting. Such a burden creates a disincentive for institutions to allow research involving large numbers of subjects. In addition, the burden on Covered Entities under that exception to assist the individual "in contacting the entity and researcher" is unreasonable.
Under that limited exception, a list of all protocols for which a person's PHI may have been disclosed must be generated in response to a request for an accounting, and in medical facilities, that list is often very extensive. The predictable results of this broad requirement are the deterrence of epidemiologic and health services research and some institutions' likely decisions to ignore the accounting requirement, calculating that accepting the risk of noncompliance is preferable to incurring the massive costs of compliance.Įven for research involving 50 or more subjects, a modified accounting requirement added in the Final Privacy Rule for such studies has proved insufficient to alleviate the administrative burden.
It is SACHRP's belief that application of the accounting requirements to disclosures for research purposes greatly increases the cost and administrative burden of conducting human subjects research, particularly retrospective record reviews, without materially improving the protection of individuals' privacy. In medical centers and other health care settings where retrospective records research using thousands of medical records is common, the application of this requirement has meant unprecedented, massive additional collections of information as part of each protocol, solely to fulfill these regulatory purposes. However, disclosures of PHI for research conducted pursuant to IRB or privacy board waiver or alteration of the authorization requirement, research on decedents' information, and reviews preparatory to research are all subject to the accounting requirements.
In limited exceptions, the accounting rules do not apply - for example in the case of disclosures made pursuant to the individual's authorization, or disclosures of a limited data set pursuant to an executed data use agreement. Under that right, individuals have the ability to request that a Covered Entity provide the individual with a comprehensive list of disclosures over the six years preceding the request, as well as certain substantive information related to each disclosure, including the date of the disclosure, the identity of the person who received the information, a description of the information disclosed, and a statement of the purpose of the disclosure. Under the Privacy Rule, individuals retain the right to seek an "accounting" from entities covered by HIPAA (Covered Entities) of most disclosures of Protected Health Information (PHI) made without the individual's authorization.
0 kommentar(er)
