HIPAA rules require that a record be made of a disclosure of any personally identifiable information that is made without an authorization by the research participant. Therefore, tracking of disclosures will have to be undertaken for all disclosures if a waiver of authorization, an approval for review preparatory to research or an approval for the use of a decedent’s PHI is obtained for purposes of research, and for any disclosures not previously specified in a signed authorization document. For purposes of this policy, “disclosure” means the release, transfer, provision of access to, or divulging in any other manner of PHI to any person, whether or not employed by Penn State, who is not participating in carrying out the research protocol. The following information about any disclosure must be recorded and made available to the individual who is the subject of the PHI upon request:
- Date of disclosure
- Name of person/entity that received the PHI
- Description of what PHI was disclosed
- Brief statement regarding the purpose of the disclosure
If a research protocol requires multiple disclosures to the same outside party over a period of time, the following information is adequate:
- For the first disclosure, all of the above must be recorded
- For subsequent disclosures, tracking can refer to the initial record of disclosure and should include the frequency, periodicity or the number of disclosures that will be made
- The date of the last disclosure must be documented
Large Studies: When tracking is required and involves the disclosure of PHI from more than 50 people, HIPAA rules allow a modified tracking method. In this instance it is unnecessary to maintain a list of the specific persons about whom PHI has been disclosed, but the following information must be available upon the request of any individual whose information may have been included:
- The name and description of all protocols involving 50 or more people for which authorization has been waived, including the purpose of these and criteria for selecting records
- Brief descriptions of types of PHI disclosed
- Dates or time periods during which disclosures occurred
- Contact information (name, address, telephone number) for sponsors and recipient researchers
- Statement that a specific individual’s PHI may or may not have been disclosed for a particular protocol or research activity
In addition, the researcher must also assist in contacting the sponsor and recipient researcher if it is reasonably likely that an individual’s PHI was disclosed to them. Tracking information as required by HIPAA rules must be maintained by the principal investigator at least six years, and made available to the Privacy Officer.