Appendix A: Research disclosures should be exempted from the accounting
Under the Privacy Rule, individuals retain the right to seek an "accounting" from entities covered by HIPAA (Covered Entities) of most disclosures of Protected Health Information (PHI) made without the individual's authorization. Under that right, individuals have the ability to request that a Covered Entity provide the individual with a comprehensive list of disclosures over the six years preceding the request, as well as certain substantive information related to each disclosure, including the date of the disclosure, the identity of the person who received the information, a description of the information disclosed, and a statement of the purpose of the disclosure. The accounting rules do not apply in limited exceptions, for example, in the case of disclosures made pursuant to the individual's authorization, or disclosures of a limited data set pursuant to an executed data use agreement. However, disclosures of PHI for research conducted pursuant to IRB or privacy board waiver or alteration of the authorization requirement, research on decedents' information, and reviews preparatory to research are all subject to the accounting requirements. In medical centers and other health care settings where retrospective records research using thousands of medical records is common, the application of this requirement has meant unprecedented, massive additional collections of information as part of each protocol, solely to fulfill these regulatory purposes.
It is SACHRP's belief that application of the accounting requirements to disclosures for research purposes greatly increases the cost and administrative burden of conducting human subjects research, particularly retrospective record reviews, without materially improving the protection of individuals' privacy. The predictable results of this broad requirement are the deterrence of epidemiologic and health services research and some institutions' likely decisions to ignore the accounting requirement, calculating that accepting the risk of noncompliance is preferable to incurring the massive costs of compliance.
Even for research involving 50 or more subjects, a modified accounting requirement added in the Final Privacy Rule for such studies has proved insufficient to alleviate the administrative burden. Under that limited exception, a list of all protocols for which a person's PHI may have been disclosed must be generated in response to a request for an accounting, and in medical facilities, that list is often very extensive. In addition, the burden on Covered Entities under that exception to assist the individual "in contacting the [sponsoring] entity and researcher" is unreasonable. Such a burden creates a disincentive for institutions to allow research involving large numbers of subjects.
SACHRP's conclusion that research disclosures should be exempted from the accounting requirements is based primarily on the fact that the Privacy Rule already imposes sufficient protections for these types of research disclosures to balance any diminishment of individuals' rights to an accounting. Investigators are required to establish a certain standard of privacy protection before the IRB may grant a waiver or alteration of authorization or before the institution may permit an investigator access to PHI for review preparatory to research purposes. Because these types of disclosures are already subject to specific, tight oversight and review before they can occur, the additional protection of accounting for the disclosures seems unnecessary.
Furthermore, because the accounting requirements do not apply to "uses" within a Covered Entity, the application of the accounting requirements to research conducted within hospitals and major academic research institutions depends entirely on the artificial "HIPAA relationship" between investigators and the institution, and results in disparate treatment of investigators depending on where they sit in regard to the Covered Entity. To the extent investigators are treated as members of an institution's "workforce" for HIPAA purposes, the sharing of information with such investigators pursuant to an IRB waiver or subject to the investigator's representations required for a review preparatory to research is a "use," not a "disclosure," and therefore the accounting requirements do not apply. However, many Covered Entities elect to treat members of their medical staff, including any investigators with staff privileges, as being in an organized health care arrangement (OHCA) with the Covered Entity, meaning that any information shared is a "disclosure" and the accounting requirements do apply. In light of the administrative burden Covered Entities face in applying the accounting requirements to the research context, institutions are forced to choose between designating all investigators as "workforce" members, which has liability implications far beyond the accounting issues, or disparately applying the accounting requirements to some, but not all, of their researchers. Even under current Department interpretation, therefore, disparate treatment in this regard surely seems to undercut the effectiveness of any protections offered to individuals by the accounting requirements.
Content last reviewed on March 30, 2016