To establish guidelines and procedures for the use and disclosure of the protected health information (PHI) of research participants, as defined by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Use and disclosure of PHI for research purposes requires prior IRB approval.
The Cottage Health System Institutional Review Board (CHS IRB) has established and shall follow written guidelines for complying with HIPAA regulations and for protecting PHI of individuals enrolled in research studies. Requests for use and disclosure of PHI for research purposes shall first be submitted to the IRB, or a designated subcommittee, such as the Data Use Committee (DUC). HIPAA references and guides, including the complete Rule, are available from the CHS IRB Department in the Office of Research.
This policy reflects:
- Standards for Privacy of Individually Identifiable Health Information - Title 45 Code of Federal Regulations Parts 160 and 164 (45 CFR 160; 45 CFR 164): Health Insurance Portability and Accountability Act of 1996
- California Civil Code Chapter 2.0 § 56, Disclosure of Medical Information by Providers (the Confidentiality of Medical Information Act)
- Title IV - Health Information Technology for Economic and Clinical Health Act (HITECH) – February 17, 2010
- Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule – November 26, 2012
- Federal Register Vol. 78, No. 17, Friday, January 25, 2013 - 45 CFR Parts 160 and 164: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (Final Rule of 2013)
Covered Entity (CE) – Health plans (HMOs, group health plans, etc.), health care clearinghouses (billing and repricing companies, etc.), or health care providers (doctors, dentists, hospitals, etc.) who transmit any electronic PHI (45 CFR 160.103). Covered Entities must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of their electronic PHI against any reasonably anticipated risks. All Covered Entities must comply with the Security Rule.
“HIPAA”: Health Insurance Portability and Accountability Act of 1996, which includes regulations that specifically address the use of "protected health information" in research.
HIPAA Privacy Rule:
The Privacy Rule permits a covered entity to use or disclose PHI for research under the following circumstances and conditions:
- For reviews preparatory to research if certain representations are obtained from the researcher.
- For research solely on decedents' information if certain representations are obtained from the researcher.
- If the subject of the PHI has granted specific written permission through an Authorization.
- If the covered entity receives appropriate documentation that an IRB or Privacy Board has granted a waiver or an alteration of the Authorization requirement.
- If the PHI has been de-identified in accordance with the standards set by the Privacy Rule (in which case, the health information is no longer PHI).
- If the information is released in the form of a “Limited Data Set”, with certain identifiers removed, and with a Data Use Agreement between the researcher and the Covered Entity.
- If informed consent of the individual to participate in the research, an IRB waiver of such informed consent, or other express legal permission to use or disclose the information for the research is grandfathered by the transition provisions.
HIPAA Security Rule:
The final Security Rule became effective as of April 21, 2003:
- The rule applies to electronic protected health information. Electronic PHI relates to 1) an individual's past, present, or future physical or mental health or condition, 2) an individual's provision of health care, or 3) past, present, or future payment for provision of health care to an individual. The primary objective of the Security Rule is to protect the confidentiality, integrity, and availability of electronic PHI when it is stored, maintained, or transmitted.
PHI – Protected Health Information: As it relates to research, includes all personally identifiable records and documents containing information and/or data pertinent to the research study in which the individual is enrolled. PHI includes the patient’s medical record (both physical and electronic charts), and/or other records containing physician notes and progress reports (if related to the patient’s study participation), research records (including case report forms), and any other documentation required and necessary to extrapolate essential research data.
1. The CHS IRB, or any subcommittee(s) designated on its behalf, will perform the following HIPAA review and approval responsibilities, within the larger context of its responsibilities for the protection of human research participants, that include review of privacy and confidentiality issues broader than those covered by HIPAA:
- Review and approval of all patient protection components of the informed consent document related to access, use and/or disclosure of PHI for research purposes.
- Review and approval of Authorization documents used by researchers when they are a component of the informed consent document for access, use and/or disclosure of PHI for research purposes.
- Review and approval of all Waivers of Authorization, including limited Waivers of Authorization, for access, use and/or disclosure of PHI for research purposes.
2. Patient Authorizations to use and disclose PHI may be included in the informed consent document or be a separate document. Authorization language must comply with HIPAA regulations by containing sufficient and appropriate information as outlined in this policy.
3. The CHS IRB has developed an Authorization form template for investigators wishing to use separate Authorization forms or when the informed consent document has been waived and the Authorization is the only document required. All language in the template that must be included is indicated.
4. Certain research studies require prescreening of confidential patient information in order to determine study eligibility. When this is the case, the investigator must complete a partial Waiver of Authorization for prescreening and submit it for review and approval with the IRB application.
I. HIPAA and IRB Review
HIPAA privacy requirements are in addition to ethical and regulatory protections for human research subjects and do not supersede them. The HIPAA Privacy Regulations are focused on privacy and security protections for individuals’ health care information that is termed protected health information (PHI). If a research study either uses or creates PHI, HIPAA documentation requirements apply to those research uses of PHI in addition to relevant privacy and confidentiality protections that are required by federal regulations for human research subject protection and the ethical standards used to oversee research.
II. Exceptions to HIPAA Authorizations
Research use of PHI requires explicit authorization except under the following circumstances:
- The individually identifiable health information is not generated in the course of healthcare services by a health care provider, health plan, or health care clearinghouse and will not become part of a record applied to treatment, payment or healthcare operations; or
- The IRB has approved a Waiver of Authorization; or
- The data are “de-identified” before the data are provided to the researcher; or
- The data are converted to a “Limited Data Set” before the data are provided to the researcher and the use of the Limited Data Set is governed by a Data Use Agreement that includes HIPAA-specific provisions; or
- The research is limited to decedents (Note that while decedents are not included in the Common Rule definition of “human subjects,” the disclosure of their protected health information by a covered entity is subject to specific HIPAA requirements); or
- The research is limited to a “review preparatory to research.” (Note that the “review preparatory to research” HIPAA option (a) is limited to preparation of a research protocol or assessment of feasibility of performing a specific research protocol; (b) does not include recording any protected health information; and (c) may not be used to prescreen patients as part of the recruitment process. Once there is intent to recruit pursuant to a formulated protocol, then the research activity is sufficiently well prepared to require IRB approval).
Certain of these circumstances are the responsibility of the IRB to oversee, while others (for example, reviews preparatory to research) are not.
III. HIPAA Authorization and Informed Consent
For research that includes the creation or use of protected health information, in addition to following informed consent procedures, researchers generally must also obtain Authorization for use of PHI from the human subjects whose PHI will be included in the study. The Authorization document must include all elements defined in HIPAA. The Authorization document may be executed as a separate document, although it is acceptable for the Authorization to be incorporated into the informed consent document. In such cases, all elements of the Authorization must be included in the informed consent document. An Authorization for access, use or disclosure of psychotherapy notes for research may not be combined with any other Authorization except another Authorization for access, disclosure or use of the psychotherapy notes.
The IRB has an Authorization template that complies with HIPAA requirements. The researcher must customize the Authorization for the specific study he or she intends to perform and submit it with the IRB application for review and approval.
IV. Authorization Requirements for Research under HIPAA
A Covered Entity that creates PHI, in whole or in part, for the purpose of research, must obtain an Authorization for the use or disclosure of such information. Such an Authorization must meet all of the requirements of 45 CFR Section 164.508, which provides that:
1. An Authorization for the use or disclosure of PHI for a specific research study may be combined with any other type of written permission for the same or another research study. This exception includes combining an Authorization for the use or disclosure of PHI for a research study with another Authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research. Where a covered health care provider has conditioned the provision of research-related treatment on the provision of an Authorization for use/disclosure of PHI for such research, any compound Authorization created must clearly differentiate between the conditioned and unconditioned components and provide the individual with an opportunity to opt in to the research activities described in the unconditioned Authorization (45 CFR Section 164.508(b)(3)(iii)).
2. A covered healthcare provider may condition the provision of research-related treatment on the provision of an Authorization for the use or disclosure of PHI (45 CFR Section 164.508(b)(4)).
3. The statement “end of research study” or similar language is sufficient to describe the expiration event for the Authorization to use PHI for research (45 CFR Section 164.508(c)(1)(v)). Since California law does not require an Authorization for use of patient information in this instance, this is an exception to the general rule in California that an Authorization must have a specific expiration date.
4. The statement “none” or similar language is sufficient to describe the expiration event if the Authorization is for the Covered Entity to use or disclose PHI for the creation or maintenance of a research database or research repository (45 CFR Section 164.508(c)(1)(v)).
As mentioned above, California’s Confidentiality of Medical Information Act (CMIA) does not require patient Authorization to use or disclose PHI for research purposes. Therefore, an Authorization form to use or disclose PHI for research purposes must contain only the federal HIPAA-required elements, and need not contain the CMIA-required elements.
DHHS has reversed its position that a HIPAA Authorization that allows the disclosure of PHI to create a research database or repository may not also cover use or disclosure of the PHI for future research. DHHS has harmonized its interpretation of HIPAA with practice under the Common Rule regarding informed consent for future research, and allows Covered Entities, researchers, and IRBs to have flexibility in determining what adequately describes a future research purpose depending on the circumstances. DHHS notes that it is aligning its interpretation with existing practice under the Common Rule in regard to informed consent and still requires that all required elements of Authorization be included in an Authorization for future research, even if they are described in a more general manner than is done for specific studies.
Covered Entities that wish to obtain Authorization for the use or disclosure of PHI for future research may do so at any time after March 26, 2013 [78 Fed. Reg. 5566, 5612-13 (Jan. 25, 2013)].
V. Required Components of a HIPAA Authorization
HIPAA requires that the Authorization be written in plain language and contain the following core elements:
- A specific and meaningful description of the information to be used or disclosed.
- The name or other specific identification of the persons or class of persons authorized to make the disclosure.
- The name or other specific identification of the persons or class of persons that will receive the PHI.
- A description of each purpose of the requested use or disclosure (or the statement, “at the request of the individual,” when appropriate).
- The date (or the event upon which) the Authorization expires. HIPAA permits termination on a described event (such as conclusion of a research project).
- A statement of the individual’s right to revoke the Authorization in writing, including the exceptions to this right and an explanation of how to revoke. (An individual may revoke an Authorization at any time except to the extent that the Covered Entity has taken action in reliance thereon or if the Authorization was obtained as a condition of obtaining insurance coverage.) If these statements are already included in the provider’s Notice of Privacy Practices, the statement need only reference that notice.
- Either: A Statement that the provider will not condition treatment on the individual’s providing Authorization; or, in the limited circumstances in which a condition of this kind is permitted, an explanation of the consequences of a refusal to sign.
- The individual’s signature and date. (If the signature belongs to the individual’s personal representative, a description of that person’s authority to act for the individual.)
- A statement that the information used or disclosed may be subject to redisclosure by the recipient, if the recipient is not subject to HIPAA. (California law provides that individually identifiable information may be disclosed to public agencies, clinical investigators, including investigators conducting epidemiological studies, health care research organizations, and accredited public or private nonprofit or health care institutions for bona fide research purposes. However, no information so disclosed may be further disclosed by the recipient in any way that would disclose the identity of any patient or be violative of this part (California Civil Code Section 56.10(c)(7)).)
An Authorization is not valid if it lacks any of the required elements listed above. It is also invalid if it has expired, was not filled out completely, has been revoked, was improperly combined with another document or contains information known to be false.
Providers must document and retain all Authorizations for six years. A Provider must give the individual a copy of his or her signed Authorization if the Authorization was requested by the provider.
The Final Rule amended 45 C.F.R. § 164.508(b)(3)(i) and (iii) to allow a Covered Entity to combine conditioned and unconditioned Authorizations for research, provided that the compound Authorization (1) clearly differentiates between the conditioned and unconditioned research components, and (2) clearly allows the individual the option to opt in to the unconditioned research activities. The Final Rule permits the use of compound Authorizations for any type of research activities, including optional sub-studies and secondary future use of data (to the extent secondary future use is permitted by the Final Rule as discussed below), except where the research involves the use and/or disclosure of psychotherapy notes.
The Final Rule does not allow an Authorization to include an option to opt-out of the unconditioned research activities. So, for example, the Authorization cannot say “check here if you do not want your data provided to the biospecimens bank.” In the commentary to the Final Rule, the Department of Health and Human Services (HHS) approves of three methods proposed by the Secretary’s Advisory Committee on Human Research Protections (SACHRP) to obtain the necessary opt-in for unconditioned research activities:
(1) a combined consent / Authorization form for a clinical trial and optional banking component, with a check-box for the individual to have the choice to opt-in to the optional banking component, and one signature;
(2) a combined consent / Authorization form for a clinical trial and optional banking component, with one signature for the clinical trial and another signature to indicate the individual agrees to the optional banking component; and
(3) a combined consent / Authorization form for a clinical trial and optional banking component, with a check box to opt-in to the banking component, one signature, but with the detailed information about the banking presented in a separate brochure or information sheet referenced directly in the consent / Authorization form.
HHS clarifies that, for the third approach, the brochure or information sheet must be incorporated by reference into the Authorization / consent form such that it is considered part of the form. In addition, if the brochure or information sheet includes any of the required elements of the Authorization, and the Authorization has not been altered by an IRB approved waiver, then the brochure / information sheet must be made available to potential research participants before they are asked to sign the Authorization. Finally, in such cases, a Covered Entity must keep not only the signed Authorization, but also a copy of the brochure or information sheet, in order to comply with documentation requirements under the Privacy Rule.
HHS explains in the preamble that Covered Entities are permitted but are not required to create compound Authorizations for conditioned and unconditioned research activities. So, researchers may choose to use separate Authorization forms. HHS makes clear that Covered Entities and researchers have flexibility in the methods used to distinguish the conditioned and unconditioned research activities and to provide the individual with a clear opportunity to opt-in to the unconditioned portions.
In response to a comment asking whether a portion of the compound Authorization can be revoked without revoking the entire Authorization, HHS clarifies that, where it is clear that an individual is revoking only part of a compound Authorization, then the researchers can proceed accordingly. If it is not clear that only a specific part of the compound Authorization is being revoked, then the researchers must either obtain written clarification from the participant or the entire Authorization must be treated as revoked.
Conditioning Treatment upon an Authorization
Conditioning treatment upon Authorization is permitted for research-related purposes. However, in general, providers may not condition treatment upon an Authorization.
VI. California-Specific Authorization Requirements
Although some of the requirements for Authorization for PHI uses and disclosures are stricter under California state law, Authorization for PHI for research purposes is exempt. According to the California Civil Code Chapter 2.0 § 56, Disclosure of Medical Information by Providers (the Confidentiality of Medical Information Act), at Section 56.10(a)(c)(7):
“No provider of health care, health care service plan, or contractor shall disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization, except as provided in subdivision (b) or (c).
(c) A provider of health care, or a health care service plan may disclose medical information as follows: (7) The information may be disclosed to public agencies, clinical investigators, including investigators conducting epidemiologic studies, health care research organizations, and accredited public or private nonprofit educational or health care institutions for bona fide research purposes. However, no information so disclosed shall be further disclosed by the recipient in any way that would disclose the identity of any patient or be violative of this part.”
Because institutions must comply with regulations by applying the stricter standards (regardless of whether they are state or federal), research conducted in California shall comply with the federal HIPAA requirements.
VII. Procedure for Signing an Authorization
Adults: A competent individual, 18 years of age or older, should always sign the Authorization to use or disclose his/her PHI. A person is competent if he/she has the general ability to understand the concept of release of his/her medical information. If the patient is not conscious, coherent, or not competent for whatever reason, a legally recognized proxy, such as a legal guardian, must sign the Authorization.
Minors: Any parent or legal guardian may sign an Authorization for a minor child in his/her legal custody. (Note that HIPAA does not require that a research-specific assent document include any version of a HIPAA Authorization).
The individual must be provided with a copy of the signed Authorization.
VIII. Waiver or Alteration of the Authorization Requirement by an IRB or Privacy Board
For some types of research, it may be impracticable for researchers to obtain written Authorization from research participants, for example, for some research conducted on existing databases or repositories where no contact information is available. To address these situations, the Privacy Rule contains criteria for the waiver or alteration of the Authorization requirement by an IRB or another review body called a Privacy Board. The Privacy Rule permits a Covered Entity to use or disclose PHI for research purposes without Authorization (or with an altered Authorization), if the Covered Entity received proper documentation that an IRB or Privacy Board has granted a waiver (or an alteration) of the Authorization requirement for the research use or disclosure of PHI. The Privacy Rule establishes criteria to be evaluated by an IRB or Privacy Board in approving an Authorization Waiver or Alteration. For a Covered Entity to use or disclose PHI under a waiver or alteration of the Authorization requirement, it must receive documentation of, among other things, the IRB or Privacy Board's determination that the use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on the presence of at least the following elements:
- An adequate plan to protect the identifiers from improper use and disclosure;
- An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law;
- Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity (except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by HIPAA);
- The research could not practicably be conducted without the waiver; and
- The research could not practicably be conducted without access to and use of the PHI.
Authorizations for research use of PHI may be waived by the IRB, provided these criteria are satisfied and documented (generally in addition to satisfaction of waiver of informed consent requirements pursuant to 45 CFR 46.116 since many of the elements overlap). A request for Waiver of Authorization must be completed by the researcher and submitted to the IRB for prior review and approval. The IRB shall maintain documentation of the request and its approval. This request may be combined with a waiver of informed consent for research.
IX. Limited Waiver of Authorization Solely for the Purpose of Prescreening, Contacting and/or Recruiting Potential Research Participants
In addition to the scenarios that would support a Waiver of Authorization for all study activity, there is the potential need to grant a Limited Waiver of Authorization solely for the purpose of prescreening, contacting and/or recruiting potential research participants. Since a researcher cannot practicably obtain a potential research participant’s Authorization for review of PHI in advance of contacting the potential participant, the IRB may issue a Limited Waiver of Authorization permitting specified access and use of PHI solely for prescreening and recruitment contact pursuant to an approved protocol. An example of a scenario in which a limited waiver may be appropriate is if a researcher needs to review health care records to make recruitment contacts.
IRB approval of a Limited Waiver of Authorization will be in accord with the criteria for a Waiver of Authorization as applied to the prescreening, contact, and recruitment procedures described in the protocol and IRB application.
Physicians and other health care professionals who have a direct treatment relationship with an individual may review that individual’s PHI for eligibility with respect to a research protocol and may initiate a discussion with the individual about potential participation as a research subject in a protocol relevant to the treatment relationship. This scenario does not require an Authorization or a Waiver of Authorization.
X. Recruitment of Subjects identified through Private Medical Information
Recruitment efforts frequently target individuals known to have a specific medical condition. Medical records, patient registries, clinical databases, and referrals from treating physicians can be useful resources to identify potential subjects; however, it is essential to take special precautions to ensure that patient privacy is protected and that the individual patient is appropriate to participate in the research. It is not appropriate for investigators to make the first contact with potential subjects identified through their private health information. Rather, active participation by the patient's primary/specialist health care provider in the recruitment process ensures that consideration is given to the appropriateness of an individual patient's participation in the research prior to recruitment and that the patient's privacy is respected.
- The primary/specialist health care provider, usually a physician, who is known to the potential subject and has first-hand knowledge of the patient's medical history must (1) give approval for his/her patient to be contacted for research purposes, (2) initially introduce the study to the patient AND (3) obtain the patient's permission to be contacted by study staff.
- The primary/specialist health care provider can introduce the study and obtain the patient's permission to be contacted by study staff either (1) verbally during the course of providing medical care OR (2) through the use of a recruitment letter.
XI. De-identified Data Sets
The Privacy Rule permits Covered Entities to release data that have been de-identified without obtaining an Authorization and without further restrictions upon use or disclosure because de-identified data is not PHI and, therefore, not subject to the Privacy Rule. A Covered Entity may de-identify PHI in one of two ways. The first way, the "safe-harbor" method, is to remove all 18 identifiers enumerated at section 164.514(b)(2) of the regulations. Data that are stripped of these 18 identifiers are regarded as de-identified, unless the Covered Entity has actual knowledge that it would be possible to use the remaining information alone or in combination with other information to identify the subject.
The second way is to have a qualified statistician determine, using generally accepted statistical and scientific principles and methods, that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by the anticipated recipient to identify the subject of the information. The qualified statistician must document the methods and results of the analysis that justify such a determination.
The Privacy Rule allows a Covered Entity to assign to, and retain with, the de-identified health information, a code or other means of record re-identification if that code is not derived from or related to the information about the individual and is not otherwise capable of being translated to identify the individual. For example, an encrypted individual identifier (e.g., a social security number) would not meet the conditions for use as a re-identification code for de-identified health information because it is derived from individually identified information. (See 67 Federal Register 53233, August 14, 2002.) In addition, the Covered Entity may not (1) use or disclose the code or other means of record identification for any purposes other than as a re-identification code for the de-identified data, and (2) disclose its method of re-identifying the information.
XII. Limited Data Sets
Where only certain identifiers are needed, it may be permissible for a covered entity to provide a researcher with a Limited Data Set (see Attachment A, Frequently Asked Questions and Answers, p. 6). Limited Data Sets are data sets stripped of certain direct identifiers that are specified in the Privacy Rule. Limited Data Sets may be used or disclosed only for public health, research, or health care operations purposes. They are not de-identified information under the Privacy Rule. Importantly, unlike de-identified data, protected health information in Limited Data Sets may include the following: Addresses other than street name or street address or post office boxes, all elements of dates (such as admission and discharge dates) and unique codes or identifiers not listed as direct identifiers.
Before disclosing a Limited Data Set to a researcher, a Covered Entity must enter into a Data Use Agreement with the researcher, identifying the researcher as the recipient of the Limited Data Set, establishing how the data may be used and disclosed by the recipient, and providing assurances that the data will be protected, among other requirements. If the Covered Entity learns that the researcher has violated this agreement, the Entity must take reasonable steps to end or repair the violation and, if such steps are unsuccessful, stop disclosing PHI to the researcher and report the problem to the HHS Office for Civil Rights.
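As an added illustration of the two release paths in sections XI and XII (this is example code, not part of the CHS policy or any HHS tool), the following applies the safe-harbor rule and the Limited Data Set rule to one constructed record and issues a re-identification code that is random rather than derived from the SSN or MRN. Field names, the sample record and the low-population ZIP set are constructed assumptions.

```python
"""Safe-harbor de-identification (45 CFR 164.514(b)(2)) versus a Limited Data
Set (45 CFR 164.514(e)) applied to a constructed patient record, plus a
re-identification code that is not derived from the individual's information.
Field names and all sample values are constructed for this example."""
import datetime as dt
import secrets

# Direct identifiers that both the safe-harbor method and a Limited Data Set
# remove outright (names through full-face photos in the regulation's lists).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# Safe harbor also strips geography below the state level (except a 3-digit
# ZIP) and every date element except the year; a Limited Data Set keeps these.
SUB_STATE_GEOGRAPHY = {"city", "county"}
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "date_of_death"}

# Constructed placeholder: 3-digit ZIP prefixes covering 20,000 or fewer
# people. A real implementation must load this set from current Census data.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}

# Constructed sample record; no real person.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "street_address": "12 Example Ln",
    "city": "Santa Barbara", "state": "CA", "zip": "93105",
    "phone": "805-555-0100", "email": "jane@example.invalid",
    "ssn": "000-00-0000", "mrn": "MRN-000001",
    "dob": "1950-06-15", "age": 74,
    "admission_date": "2024-03-02", "discharge_date": "2024-03-09",
    "diagnosis": "I10", "lab_value": 7.2,
}


def safe_harbor(record, low_pop_zip3=LOW_POPULATION_ZIP3):
    """Return a copy with the safe-harbor identifiers removed or reduced.

    The result is no longer PHI, so it may be released without Authorization
    unless the covered entity knows the remainder still identifies someone."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEOGRAPHY:
            continue
        if key in DATE_FIELDS:
            out[key] = str(dt.date.fromisoformat(value).year)  # year only
        elif key == "zip":
            zip3 = value[:3]
            out[key] = "000" if zip3 in low_pop_zip3 else zip3
        elif key == "age":
            # ages over 89 collapse into a single "90 or older" category
            out[key] = "90+" if value > 89 else value
        else:
            out[key] = value
    if out.get("age") == "90+":
        out.pop("dob", None)  # even a birth year would reveal an age over 89
    return out


def limited_data_set(record):
    """Return a copy with only the Limited Data Set direct identifiers removed.

    City, state, full ZIP, complete dates and exact ages all survive, which is
    why the result is still PHI and may leave only under a Data Use Agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


class ReidentificationVault:
    """Covered-entity-side map from a random code back to the medical record.

    A CSPRNG token is neither derived from nor translatable to the individual's
    information, so it meets the re-identification code condition. An encrypted
    or hashed SSN looks just as opaque but is derived from the SSN and does
    not. This map never leaves the covered entity."""

    def __init__(self):
        self._codes = {}

    def issue(self, record):
        code = secrets.token_hex(16)
        self._codes[code] = record["mrn"]
        return code

    def lookup(self, code):
        return self._codes[code]


def release_deidentified(record, vault):
    """Safe-harbor copy of a record tagged with a vault-issued re-id code."""
    out = safe_harbor(record)
    out["reid_code"] = vault.issue(record)
    return out


if __name__ == "__main__":
    vault = ReidentificationVault()
    print(release_deidentified(SAMPLE_RECORD, vault))
    print(limited_data_set(SAMPLE_RECORD))
```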
XIII. Databases and Registries
The collection of data for the purposes of establishing a database or registry, as well as for general research purposes, must comply with HIPAA regulations regarding use and disclosure of protected health information. These activities therefore come under the oversight of the IRB. It is possible that these activities may be reviewed by expedited review or be deemed exempt from further review, however, such determinations must be made by the IRB following the submission of an IRB application.
Local Institutional Review Board approval is required for all clinical studies and should be a major consideration when designing data collection. Regardless of whether the study is a retrospective analysis of collected data or a prospective clinical trial, no data collection should be initiated until all ethical, procedural, and legal requirements are satisfied.
For some records and database research, Authorization may not be needed. Some of the most important exceptions to the Authorization requirement that pertain to research using repositories and databases are the Waiver of Authorization and the Limited Data Set.
See Office of Research Policy #8010.06, Access to Protected Health Information of Research Participants; HIM Policy #9.08, Use and Disclosure of General (Medical) Protected Health Information (PHI); and ISD Policy #8480.14, Electronic Systems Access Eligibility, User ID and Password Provisioning, for specific information regarding passwords and approval of access to electronic data.
XIV. Activities Preparatory to Research
Covered Entities may permit researchers to review PHI in medical records or elsewhere to prepare a research protocol, or for similar purposes preparatory to research. This review allows the researcher to determine, for example, whether a sufficient number or type of records exists to conduct the research. Importantly, the Covered Entity may not permit the researcher to remove any PHI from the Covered Entity. To permit the researcher to conduct a review preparatory to research, the Covered Entity must receive from the researcher representations that:
- The use or disclosure is sought solely to review PHI as necessary to prepare the research protocol or other similar preparatory purposes.
- No PHI will be removed from the Covered Entity during the review.
- The PHI the researcher seeks to use or access is necessary for the research purposes.
Under the “preparatory to research” provision of the HIPAA Privacy Rule, an investigator may maintain identifying information until the subject meets with study staff to discuss the study further and sign the consent form. During the meeting with the potential subject, the subject must be asked to sign the written Authorization, and/or research consent form containing Authorization language, to use and disclose his/her identifiable healthcare information, and must be given a copy of the hospital’s Notice of Privacy Practices.
If identifiable health information is collected on persons who are not enrolled, there are several options: (1) destroy the information; (2) obtain IRB approval of a Waiver of Authorization for Prescreening; or (3) obtain Authorization from each individual.
If a failure log must be maintained for a trial sponsor, the PI must do one or more of the following, depending upon the study and data disclosed: (1) completely de-identify the log prior to disclosure; (2) obtain IRB approval of a Waiver of Authorization for Prescreening, which specifically identifies the data to be shared and to whom it will be disclosed; (3) limit the data to a Limited Data Set and include a Data Use Agreement Addendum to the Clinical Trial Agreement; and/or (4) obtain Authorization from each individual.
XV. Retaining Information from Individuals who are Pre-Screened but not Enrolled
Pre-screening documents with identifying information gathered to obtain written Authorization and prior to enrollment (signing of informed consent form) may also be retained in research files, but must have segments containing identifiable information blacked out or cut off as soon as it is clear that the individual will not be enrolled. If identifiable health information is to be retained, the investigator must obtain an Authorization from each of the persons screened.
XVI. Research Involving Decedents' PHI
A Covered Entity may provide access to decedents' records for research purposes if the Covered Entity receives from the researcher:
- Representations that the decedents' PHI is necessary for the research and is being sought solely for research on the PHI of decedents (not, for example, living relatives of decedents);
- Upon request of the Covered Entity, documentation of the deaths of the study subjects.
If these conditions are met, no Authorization, and no Alteration or Waiver of Authorization by an IRB or Privacy Board, is needed for use or disclosure of PHI for research only on the PHI of deceased persons.
Decedents are not included in the Common Rule definition of “human subjects”; however, the disclosure of their protected health information by a Covered Entity is subject to specific HIPAA requirements. Moreover, the HIPAA-HITECH Final Rule of 2013 established that PHI becomes public record 50 years following a person’s death.
XVII. Other Privacy Rule Requirements
Minimum Necessary Standard
When using or disclosing PHI for research without an Authorization, a Covered Entity must make reasonable efforts to limit the PHI used or disclosed to the minimum necessary amount to accomplish the research purpose. If an IRB or Privacy Board has granted the researcher a Waiver or an Alteration of Authorization, a Covered Entity may reasonably rely upon the researcher's request consistent with the description of PHI in documentation from the IRB or Privacy Board as the minimum necessary amount of PHI for the research.
Right to an Accounting of Disclosures
The Privacy Rule grants individuals new rights, including the right to receive an accounting of disclosures made for research by a covered entity without the individual's Authorization (e.g., under a Waiver of Authorization), except for disclosures of a Limited Data Set. The individual has a right to such an accounting of disclosures made by a Covered Entity in the 6 years prior to the date on which the accounting is requested, not including the period prior to the compliance date. For such disclosures, in general, individuals who request an accounting must be told what PHI was disclosed, to whom it was disclosed, and the date and purpose of the disclosure. Covered Entities must provide the address of the recipient, if known.
For certain research disclosures made by a Covered Entity, two other options exist for providing an accounting. When multiple disclosures of PHI are made to the same person or entity for a single purpose, the accounting for such disclosures may consist of the information described above for the first disclosure, plus the number or frequency of disclosures, and the date of the last disclosure during the time period covered by the request.
If, during the period covered by the accounting, the Covered Entity has disclosed the records of 50 or more individuals for a particular research purpose, the Covered Entity may provide a more general accounting to the requestor. The Covered Entity would provide the following information in the general accounting:
- The name and description of the protocols for which their PHI may have been disclosed.
- A brief description of the type of PHI disclosed.
- The date or period of time of the disclosures.
- The contact information of the researcher and the research sponsor.
- A statement that the PHI of the individual may or may not have been disclosed for a particular protocol or research activity.
Section 164.528(b)(4)(ii) of the Privacy Rule requires that, upon request, the Covered Entity must help the individual contact the sponsor and researcher when it is reasonably likely that the individual's PHI was disclosed for a particular protocol.
XVIII. Fines for Unauthorized Access to Patient Information
California Bills SB 541 and AB 211 (effective January 1, 2009) impose significant financial liability on both the individual committing the unauthorized access and/or release of health information and the institution involved in the unauthorized access. Because research often involves the use of a patient’s Protected Health Information (PHI), including electronic access to patient medical records, it is imperative that investigators be familiar with these State Bills. It is the obligation of Cottage Health System to report any willful unauthorized activities to the appropriate authorities.
SB 541: An act to amend sections 1280.1 and 1280.3 of, and to add section 1280.15 to, the Health and Safety Code, relating to health facilities.
- Requires health facilities to prevent unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information.
- Requires health facilities to report any violation to the department (DHS) and the patient (or patient’s representative) no later than 5 days after the violation has been detected by the facility.
- Enables DHS to assess a penalty of $25,000 to $250,000 per reported event.
AB 211: An act to amend Section 56.36 of the Civil Code, and to add Division 109 (commencing with Section 130200) to the Health and Safety Code, relating to health.
- Establishes the Office of Health Information Integrity within the California Health and Human Services Agency to enforce the CA privacy laws and impose administrative fines.
- Any violation that results in economic loss or personal injury to a patient is punishable as a misdemeanor.
- The INDIVIDUAL who violates the patient's privacy may be fined from $2,500 to $250,000 per violation depending on the nature of the violation.
- Finally, and presumably as an inducement to encourage legal action by local DAs and city attorneys or prosecutors, _ of the penalties assessed will be paid to the treasurer of the county (or city) in which the judgment was entered.
Attachments (WORD Documents):
• Frequently Asked Questions