HIPAA

Deidentified Data Set

Accounting for Disclosures

The Privacy Rule grants the right to request and receive an accounting for some “disclosures” of PHI, including disclosures made in connection with certain research projects. An accounting is a record of each disclosure of each patient’s PHI. A right to an accounting only applies to disclosures of PHI, not to uses of PHI. Patients have a right to an accounting of disclosures made in the six years prior to the patient’s request, and only of disclosures in connection with protocols conducted with a waiver of authorization.

Investigators must keep an accounting of the following disclosures:

  • Disclosures made in research conducted with a waiver of authorization approved by the IRB (Privacy Board) for the study or for recruitment purposes
  • Disclosure of PHI to a person or entity not on the authorization
  • Disclosure of PHI to or from a federal- or state-mandated registry
  • Disclosure of PHI that is used for reviews preparatory to research unless the information is deidentified or in a limited data set
  • Disclosure of a decedent’s PHI used for research

The following templates may be helpful for investigators when accounting for disclosures:

For more information, see the IU IRB SOP on Confidentiality and Privacy.

Research with Decedent PHI

Research involving use of decedent PHI is not considered human subjects research and does not require IRB review. However, the IU SOP on Confidentiality and Privacy requires that investigators conducting research with decedent PHI document certain criteria. A certification form is available below.

Certification for Research on Protected Health Information (PHI) of Decedents

Investigators should complete this form prior to beginning their research and should be able to produce it upon request.

Lost, Stolen, or Misdirected Data

IU Policy ISPP-26 requires immediate reporting of lost, stolen, or misdirected data or devices. This policy applies to all:

  • Information—whether in printed, verbal, or electronic form—created, collected, stored, manipulated, transmitted, or otherwise used in the pursuit of Indiana University’s mission, regardless of the ownership, location, or format of the information.
  • Information systems used in the pursuit of Indiana University’s mission irrespective of where those systems are located.
  • Individuals encountering such information or information systems regardless of affiliation.

Per the procedures below, all individuals are required to immediately report to the University Information Policy Office (UIPO) any:

  • Suspected or actual security breaches of information—whether in printed, verbal, or electronic form—or of information systems used in the pursuit of the university’s mission.
  • Abnormal systematic unsuccessful attempts to compromise information—whether in printed, verbal, or electronic form—or information systems used in the pursuit of the university’s mission.
  • Suspected or actual weaknesses in the safeguards protecting information—whether in printed, verbal, or electronic form—or information systems used in the pursuit of the university’s mission.

Policy: ISPP-26—Information and Information System Incident Reporting, Management, and Breach Notification