The Privacy Rule grants to a patient a right to request and receive an
accounting for some “disclosures” of PHI, including disclosures
made in connection with certain research projects. An accounting is a
record of each disclosure of each patient’s PHI. A right to an accounting
only applies to disclosures of PHI, not to uses of PHI. Patients
have a right to an accounting only of those disclosures made by researchers
in connection with protocols conducted with a waiver of authorization.
An accounting of disclosures is not required when a patient authorization is
You do NOT have to account for disclosures during the research study
- Disclosure was made pursuant to a patient authorization; or
- You are disclosing a limited data set; or
- You are disclosing de-identified
- Your study has been determined by the IRB to be exempt under the Common
Rule, because the existing information you are recording cannot be identified,
directly or through identifiers linked to subjects. [45 C.F.R. § 46.101(b)(4)].
You MUST account for disclosures if:
You make disclosures in connection with a protocol for which the IRB
approved a waiver of authorization.
The Privacy Rule requires you to record the following information using
the Disclosures Log:
- The name of each patient involved in the research whose PHI is disclosed;
- The name and address, if possible, of the person or entity to whom
the PHI is disclosed;
- The date of disclosure;
- A brief description of the PHI disclosed; and
- A brief statement of the purpose of the disclosure or a copy of the
request for the disclosure.
If multiple disclosures of PHI occur to the same person or entity for
the same purpose, then after the first disclosure simply record the frequency
of the disclosures and the date of the last disclosure.
- Patient presents to site of care (hospital, clinic, ambulatory
surgery center) and requests an accounting. Time frame for requested
accounting is established. For more information, refer to UW-Madison
Policy and Procedure #7.1.
- Care site contacts University Privacy Officer with name of patient
who has requested an accounting.
- University Privacy Officer contacts IRB for a list of protocols that
received approvals for waivers of authorization and that stated intent
to make disclosures. The IRB’s list will contain:
  - PI contact information
- University Privacy Officer contacts each PI on the IRB’s list
for the following information about disclosures for each protocol
in which the patient’s PHI may have been used:
  - Name of person and entity to whom PHI was disclosed
  - Address of person and entity to whom PHI was disclosed (if available)
  - Date of disclosure
  - Brief description of PHI disclosed
  - Purpose of disclosure (or attach copy of request for disclosure)
- PI sends disclosure information to the University Privacy Officer.
- University Privacy Officer arranges with care site to make information
about research disclosures available to the patient.
August 26, 2003