Does authorization for Protected Health Information (PHI) disclosure exempt tracking of disclosures?

From the Guidelines

The correct answer is B. FALSE. Even after obtaining a participant's authorization for disclosure of Protected Health Information (PHI) in research, covered entities must still keep track of disclosures made. Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities are required to maintain an accounting of disclosures of PHI, including those made for research purposes with authorization, as discussed in the context of regulatory and safety concerns of home monitoring technologies during COVID-19 1. This accounting allows participants to request information about how their PHI has been shared. The requirement helps maintain transparency and accountability in the handling of sensitive health information. Covered entities typically need to track the date of disclosure, who received the PHI, a brief description of the information disclosed, and the purpose of the disclosure. Some key points to consider include:

• The HIPAA Privacy Rule governs the use and disclosures of protected health information, which is individually identifiable health information 1.
• Covered entities, such as most healthcare providers, or their business associates, are subject to HIPAA’s purview 1.
• The HIPAA Security Rule contains security standards for protecting electronic protected health information, highlighting the importance of tracking and securing PHI disclosures 1. This documentation must generally be maintained for six years from the date of disclosure. Proper tracking of PHI disclosures is an essential component of research compliance and participant privacy protection.

From the Research

Disclosure of PHI

• The provided studies do not directly address the disclosure of Protected Health Information (PHI) or the requirements for tracking disclosures after obtaining participant authorization.
• None of the studies 2, 3, 4, 5, 6 discuss the regulations or guidelines surrounding the disclosure of PHI, such as those outlined in the Health Insurance Portability and Accountability Act (HIPAA).
• As a result, there is no evidence to support or refute the statement that once a covered entity obtains a participant's authorization for disclosure of PHI, there is no need to keep track of disclosures made.

Relevant Regulations

• Typically, regulations such as HIPAA require covered entities to track and account for disclosures of PHI, even if the individual has provided authorization for disclosure.
• However, without specific evidence or studies addressing this topic, it is impossible to determine the correct answer to the question based on the provided research.

Answer to the Question

• Based on general knowledge of HIPAA regulations, it is likely that the correct answer is B. FALSE, as covered entities are typically required to keep track of disclosures of PHI, even with authorization.
• However, this answer is not supported by the provided studies, and therefore, it is not possible to provide a definitive answer based on the evidence 2, 3, 4, 5, 6.