To establish guidelines for procedures in order to use and disclose the protected health information (PHI) of research participants, as defined by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Use and disclosure of PHI for research purposes requires prior IRB approval.
The Cottage Health System IRB has established and shall follow written guidelines for complying with HIPAA regulations and for protecting PHI of individuals enrolled in research studies. All requests for use and disclosure of PHI for research purposes shall first be submitted to the IRB.
PHI – Protected Health Information: As it relates to research, includes all personally identifiable records and documents containing information and/or data pertinent to the research study in which the individual is enrolled. PHI includes the patient's medical record (both physical and electronic charts), and/or other records containing physician notes and progress reports (if related to the patient's study participation), research records (including case report forms), and any other documentation required and necessary to extrapolate essential research data.
“HIPAA”: Health Insurance Portability and Accountability Act of 1996, which includes regulations that specifically address the use of "protected health information" in research.
HIPAA Privacy Rule: PHI Use and Disclosure Allowances (NIH Publication Number 04-5489):
The Privacy Rule permits a covered entity to use or disclose PHI for research under the following circumstances and conditions:
- For reviews preparatory to research if certain representations are obtained from the researcher.
- For research solely on decedents' information if certain representations are obtained from the researcher.
- If the subject of the PHI has granted specific written permission through an Authorization.
- If the covered entity receives appropriate documentation that an IRB or Privacy Board has granted a waiver or an alteration of the Authorization requirement.
- If the PHI has been de-identified in accordance with the standards set by the Privacy Rule (in which case, the health information is no longer PHI).
- If the information is released in the form of a “Limited Data Set”, with certain identifiers removed, and with a Data Use Agreement between the researcher and the covered entity.
- If informed consent of the individual to participate in the research, an IRB waiver of such informed consent, or other express legal permission to use or disclose the information for the research is grandfathered by the transition provisions.
HIPAA Security Rule:
The final Security Rule became effective as of April 21, 2003:
- The rule applies to electronic protected health information. Electronic PHI relates to 1) an individual's past, present, or future physical or mental health or condition, 2) an individual's provision of health care, or 3) past, present, or future payment for provision of health care to an individual. The primary objective of the Security Rule is to protect the confidentiality, integrity, and availability of electronic PHI when it is stored, maintained, or transmitted.
- All Covered Entities (CEs) must comply with the Security Rule. These are health plans (HMOs, group health plans, etc.), health care clearinghouses (billing and repricing companies, etc.), or health care providers (doctors, dentists, hospitals, etc.) who transmit any electronic PHI.
- Covered Entities must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of their electronic PHI against any reasonably anticipated risks.
For some records and database research, Authorization may not be needed. Some of the most important exceptions to the Authorization requirement that pertain to research using repositories and databases are the Waiver of Authorization and the Limited Data Set.
HIPAA references and guides, including the complete Rule, are available from the IRB Department in the Office of Research.
1. The IRB will perform the following HIPAA review and approval responsibilities, within the larger context of its responsibilities for the protection of human research participants, that include review of privacy and confidentiality issues broader than those covered by HIPAA:
- Review and approval of all patient protection components of the informed consent document related to access, use and/or disclosure of PHI for research purposes.
- Review and approval of all separate Authorization documents used by researchers in lieu of, or in addition to, the informed consent document for access, use and/or disclosure of PHI for research purposes.
- Review and approval of all Waivers of Authorization, including limited Waivers of Authorization, for access, use and/or disclosure of PHI for research purposes.
2. Patient Authorizations to use and disclose PHI may be included in the informed consent document or be a separate document. Authorization language must comply with HIPAA regulations by containing sufficient and appropriate information as outlined in this policy.
3. The IRB has developed an Authorization form template for investigators wishing to use separate Authorization forms or when the informed consent document has been waived and the Authorization is the only document required. All language in the template that must be included is indicated (see Attachment A).
4. Certain research studies require prescreening of confidential patient information in order to determine study eligibility. When this is the case, the investigator must complete a Waiver of Authorization (Attachment B) and submit it for review with the IRB application.
I. HIPAA and IRB Review
HIPAA privacy requirements are in addition to ethical and regulatory protections for human research subjects and do not supersede them. The HIPAA Privacy Regulations are focused on privacy and security protections for individuals' health care information that is termed protected health information (PHI). If a research study either uses or creates PHI, HIPAA documentation requirements apply to those research uses of PHI in addition to relevant privacy and confidentiality protections that are required by federal regulations for human research subject protection and the ethical standards used to oversee research.
II. Exceptions to HIPAA Authorizations
Research use of PHI requires explicit authorization except under the following circumstances:
- The individually identifiable health information is not generated in the course of healthcare services by a health care provider, health plan, or health care clearinghouse and will not become part of a record applied to treatment, payment or healthcare operations; or
- The IRB has approved a Waiver of Authorization; or
- The data are “de-identified” before the data are provided to the researcher; or
- The data are converted to a “Limited Data Set” before the data are provided to the researcher and the use of the Limited Data Set is governed by a Data Use Agreement that includes HIPAA-specific provisions; or
- The research is limited to decedents (Note that while decedents are not included in the Common Rule definition of “human subjects,” the disclosure of their protected health information by a covered entity is subject to specific HIPAA requirements); or
- The research is limited to a “review preparatory to research.” (Note that the “review preparatory to research” HIPAA option (a) is limited to preparation of a research protocol or assessment of feasibility of performing a specific research protocol; (b) does not include recording any protected health information; and (c) may not be used to prescreen patients as part of the recruitment process. Once there is intent to recruit pursuant to a formulated protocol, then the research activity is sufficiently well prepared to require IRB approval).
Certain of these circumstances are the responsibility of the IRB to oversee, while others (for example, reviews preparatory to research) are not.
III. HIPAA Authorization and Informed Consent
For research that includes the creation or use of protected health information, in addition to following informed consent procedures, researchers generally must also obtain authorization for use of PHI from the human subjects whose PHI will be included in the study. The Authorization document must include all elements defined in HIPAA. The Authorization document may be executed as a separate document, although it is acceptable for the Authorization to be incorporated into the informed consent document. In such cases, all elements of the Authorization must be included in the informed consent document. An Authorization for access, use or disclosure of psychotherapy notes for research may not be combined with any other Authorization except another Authorization for access, disclosure or use of the psychotherapy notes.
The IRB has both an Authorization template and consent form authorization language that comply with HIPAA requirements. The researcher must customize the Authorization for the specific study he or she intends to perform and submit it with the IRB application for review and approval.
IV. Authorization Requirements under HIPAA
A provider may, if it wishes, obtain the consent of an individual to use or disclose PHI for treatment, payment or healthcare operations, but it is not required to do so. HIPAA requires that the Authorization be written in plain language and contain the following core elements:
- A specific and meaningful description of the information to be used or disclosed.
- The name or other specific identification of the persons or class of persons authorized to make the disclosure.
- The name or other specific identifications of the persons or class of persons that will receive the PHI.
- A description of each purpose of the requested use or disclosure, (or the statement, “at the request of the individual,” when appropriate)
- The date (or the event upon which) the Authorization expires. Although HIPAA permits termination on a described event (such as conclusion of a research project), California law requires a specific date [Cal. Civil Code § 56.11(h)].
- A statement of the individual’s right to revoke the Authorization in writing, including the exceptions to this right and an explanation of how to revoke. (An individual may revoke an Authorization at any time except to the extent that the covered entity has taken action in reliance thereon or if the Authorization was obtained as a condition of obtaining insurance coverage.) If these statements are already included in the provider’s Notice of Privacy Practices, the statement need only reference that notice.
- Either: a statement that the provider will not condition treatment on the individual’s providing authorization; or, in the limited circumstances in which a condition of this kind is permitted, an explanation of the consequences of a refusal to sign.
- The individual’s signature and date. (If the signature belongs to the individual’s personal representative, a description of that person’s authority to act for the individual.)
- A statement that the information used or disclosed may be subject to redisclosure by the recipient, if the recipient is not subject to HIPAA. (Under California law, a recipient of medical information, whether disclosed pursuant to an Authorization or to the discretionary provisions of Cal. Civil Code § 56.10(c), may not further disclose that medical information except in accordance with a new Authorization or as specifically required or permitted by law. The HIPAA preemption analysis would apply the more restrictive provisions of the California law to all medical information).
California-Specific Authorization Requirements
In compliance with California Civil Code Chapter 2.0 § 56, Disclosure of Medical Information by Providers (the California Medical Records Information Act), the Authorization must:
- Be hand written by the same person who signs it or be in typeface of at least 14 point font [Cal. Civil Code § 56.11(a)].
- Be clearly separate from any other language on the same page and clearly executed (by the signature) for the purposes of authorization only [Cal. Civil Code § 56.11(b)].
- Identify those who are authorized to use or disclose the information (by name or function) [Cal. Civil Code § 56.11(e)].
- Identify those who are authorized to receive the information (by name or function), as well as the specific permitted uses of such information and limitations upon their use [Cal. Civil Code § 56.11(g)].
- Advise the individual signing of the right to receive a copy of the Authorization.
- Include a specific expiration date [Cal. Civil Code § 56.11(h)].
An Authorization is not valid if it lacks any of the required elements listed above. It is also invalid if it has expired, was not filled out completely, has been revoked, was improperly combined with another document or contains information known to be false.
Providers must document and retain all Authorizations for six years. A Provider must give the individual a copy of his or her signed Authorization if the Authorization was requested by the provider.
Authorizations may not be combined with any other document to create a “compound Authorization.” HIPAA permits only a few exceptions to this rule. For example, an Authorization for research may be combined with an informed consent for treatment. Authorizations to use or disclose psychotherapy notes may be combined only with another Authorization related to psychotherapy notes.
Conditioning Treatment upon an Authorization
In general, providers may not condition treatment upon an Authorization. However, conditioning treatment upon authorization is permitted for research-related purposes.
V. Procedure for Signing an Authorization
Adults: A competent individual, 18 years of age or older, should always sign the Authorization to use or disclose his/her PHI. A person is competent if he/she has the general ability to understand the concept of release of his/her medical information. If the patient is not conscious, coherent, or not competent for whatever reason, a legally recognized proxy, such as a legal guardian, must sign the Authorization. Requests for PHI for research require adherence to California State Law, Section 24178 of the Health and Safety Code for surrogate consenting.
Minors: Any parent or legal guardian may sign an Authorization for a minor child in his/her legal custody. (Note that HIPAA does not require that a research-specific assent document include any version of a HIPAA Authorization).
The individual must be provided with a copy of the signed Authorization.
VI. Waiver or Alteration of the Authorization Requirement by an IRB or Privacy Board
For some types of research, it may be impracticable for researchers to obtain written Authorization from research participants, for example, for some research conducted on existing databases or repositories where no contact information is available. To address these situations, the Privacy Rule contains criteria for the waiver or alteration of the authorization requirement by an IRB or another review body called a Privacy Board. The Privacy Rule permits a covered entity to use or disclose PHI for research purposes without authorization (or with an altered Authorization), if the covered entity received proper documentation that an IRB or Privacy Board has granted a waiver (or an alteration) of the authorization requirement for the research use or disclosure of PHI. The Privacy Rule establishes criteria to be evaluated by an IRB or Privacy Board in approving an Authorization Waiver or Alteration. For a covered entity to use or disclose PHI under a waiver or alteration of the authorization requirement, it must receive documentation of, among other things, the IRB or Privacy Board's determination that the use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on the presence of at least the following elements:
- An adequate plan to protect the identifiers from improper use and disclosure;
- An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law;
- Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity (except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by HIPAA);
- The research could not practicably be conducted without the waiver; and
- The research could not practicably be conducted without access to and use of the PHI.
Authorizations for research use of PHI may be waived by the IRB, provided these criteria are satisfied and documented (generally in addition to satisfaction of waiver of informed consent requirements pursuant to 45 CFR 46.116 since many of the elements overlap). A request for Waiver of Authorization must be completed by the researcher and submitted to the IRB for prior review and approval. The IRB shall maintain documentation of the request and its approval. This request may be combined with a waiver of informed consent for research.
VII. Limited Waiver of Authorization Solely for the purpose of prescreening, contacting and/or recruiting potential research participants
In addition to the scenarios that would support a Waiver of Authorization for all study activity, there is the potential need to grant a Limited Waiver of Authorization solely for the purpose of prescreening, contacting and/or recruiting potential research participants. Since a researcher cannot practicably obtain a potential research participant's authorization for review of PHI in advance of contacting the potential participant, the IRB may issue a Limited Waiver of Authorization permitting specified access and use of PHI solely for prescreening and recruitment contact pursuant to an approved protocol. An example of a scenario in which a limited waiver may be appropriate is if a researcher needs to review health care records to make recruitment contacts.
IRB approval of a Limited Waiver of Authorization will be in accord with the criteria for a Waiver of Authorization as applied to the prescreening, contact, and recruitment procedures described in the protocol and IRB application.
Physicians and other health care professionals who have a direct treatment relationship with an individual may review that individual's PHI for eligibility with respect to a research protocol and may initiate a discussion with the individual about potential participation as a research subject in a protocol relevant to the treatment relationship. This scenario does not require an Authorization or a Waiver of Authorization.
VIII. Recruitment of Subjects identified through Private Medical Information
Recruitment efforts frequently target individuals known to have a specific medical condition. Medical records, patient registries, clinical databases, and referrals from treating physicians can be useful resources to identify potential subjects; however, it is essential to take special precautions to ensure that patient privacy is protected and that the individual patient is appropriate to participate in the research. It is not appropriate for investigators to make the first contact with potential subjects identified through their private health information. Rather, active participation by the patient's primary/specialist health care provider in the recruitment process ensures that consideration is given to the appropriateness of an individual patient's participation in the research prior to recruitment and that the patient's privacy is respected.
- The primary/specialist health care provider, usually a physician, who is known to the potential subject and has firsthand knowledge of the patient's medical history must (1) give approval for his/her patient to be contacted for research purposes, (2) initially introduce the study to the patient AND (3) obtain the patient's permission to be contacted by study staff.
- The primary/specialist health care provider can introduce the study and obtain the patient's permission to be contacted by study staff either (1) verbally during the course of providing medical care OR (2) through the use of a recruitment letter.
IX. De-identified Data Sets
The Privacy Rule permits covered entities to release data that have been de-identified without obtaining an Authorization and without further restrictions upon use or disclosure because de-identified data is not PHI and, therefore, not subject to the Privacy Rule. A covered entity may de-identify PHI in one of two ways. The first way, the "safe-harbor" method, is to remove all 18 identifiers enumerated at section 164.514(b)(2) of the regulations. Data that are stripped of these 18 identifiers are regarded as de-identified, unless the covered entity has actual knowledge that it would be possible to use the remaining information alone or in combination with other information to identify the subject.
The second way is to have a qualified statistician determine, using generally accepted statistical and scientific principles and methods, that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by the anticipated recipient to identify the subject of the information. The qualified statistician must document the methods and results of the analysis that justify such a determination.
The Privacy Rule allows a covered entity to assign to, and retain with, the de-identified health information, a code or other means of record re-identification if that code is not derived from or related to the information about the individual and is not otherwise capable of being translated to identify the individual. For example, an encrypted individual identifier (e.g., a social security number) would not meet the conditions for use as a re-identification code for de-identified health information because it is derived from individually identified information. (See 67 Federal Register 53233, August 14, 2002.) In addition, the covered entity may not (1) use or disclose the code or other means of record identification for any purposes other than as a re-identification code for the de-identified data, and (2) disclose its method of re-identifying the information.
X. Limited Data Sets
Where only certain identifiers are needed, it may be permissible for a covered entity to provide a researcher with a Limited Data Set (see Attachment A, Frequently Asked Questions and Answers, p. 6). Limited Data Sets are data sets stripped of certain direct identifiers that are specified in the Privacy Rule. Limited Data Sets may be used or disclosed only for public health, research, or health care operations purposes. They are not de-identified information under the Privacy Rule. Importantly, unlike de-identified data, protected health information in Limited Data Sets may include the following: addresses other than street name or street address or post office boxes, all elements of dates (such as admission and discharge dates), and unique codes or identifiers not listed as direct identifiers.
Before disclosing a Limited Data Set to a researcher, a covered entity must enter into a Data Use Agreement with the researcher, identifying the researcher as the recipient of the Limited Data Set, establishing how the data may be used and disclosed by the recipient, and providing assurances that the data will be protected, among other requirements. If the covered entity learns that the researcher has violated this agreement, the entity must take reasonable steps to end or repair the violation and, if such steps are unsuccessful, stop disclosing PHI to the researcher and report the problem to the HHS Office for Civil Rights.
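The two release forms described in sections IX and X differ only in which fields survive, and the re-identification rule in section IX is easy to get wrong by reaching for an encrypted or hashed identifier. The following added example (not part of this policy or of any HHS guidance) applies both treatments to two constructed patient records and assigns random re-identification codes that the covered entity keeps in a separate map. The identifier categories it strips are an illustrative subset of the safe-harbor list at 45 CFR 164.514(b)(2), the ZIP code is dropped outright rather than truncated, and the reference date for the age check is assumed.

```python
"""Added example, not part of the Cottage Health System policy: applies the
safe-harbor and Limited Data Set treatments from sections IX and X to
constructed records and assigns re-identification codes that are not derived
from the individual's identifiers."""
import secrets
from datetime import date

# Constructed sample records; every value is invented.
SAMPLE_RECORDS = [
    {"name": "Jane Example", "ssn": "123-45-6789", "mrn": "MRN-0001234",
     "street_address": "12 Sample Street", "city": "Santa Barbara", "state": "CA",
     "zip": "93101", "phone": "805-555-0100", "email": "jane@example.invalid",
     "birth_date": date(1931, 6, 2), "admission_date": date(2008, 3, 14),
     "discharge_date": date(2008, 3, 20), "diagnosis": "Type 2 diabetes mellitus"},
    {"name": "John Sample", "ssn": "987-65-4321", "mrn": "MRN-0005678",
     "street_address": "7 Placeholder Ave", "city": "Goleta", "state": "CA",
     "zip": "93117", "phone": "805-555-0199", "email": "john@example.invalid",
     "birth_date": date(1915, 1, 1), "admission_date": date(2008, 2, 1),
     "discharge_date": date(2008, 2, 3), "diagnosis": "Hip fracture"},
]

# Direct identifiers a Limited Data Set must strip (illustrative subset; the
# full lists are in 45 CFR 164.514(b)(2) and 164.514(e)(2)).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "street_address", "phone", "email"}
# Safe harbor additionally drops geographic units smaller than a state and keeps
# only the year of each date. (Safe harbor permits a 3-digit ZIP prefix for
# large areas; this example takes the conservative path and drops ZIP.)
SAFE_HARBOR_EXTRA = {"city", "zip"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}
REFERENCE_DATE = date(2008, 3, 14)  # assumed "as of" date for the age check


def limited_data_set(record):
    """Strip direct identifiers only. Dates and city/state/ZIP stay, so the
    result is still PHI and may only be released under a Data Use Agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def _age_on(birth, as_of):
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def safe_harbor(record, as_of=REFERENCE_DATE):
    """Remove the identifier categories above, reduce dates to their year, and
    collapse ages over 89 into the single '90+' category."""
    out = {}
    for k, v in record.items():
        if k in DIRECT_IDENTIFIERS or k in SAFE_HARBOR_EXTRA:
            continue
        out[k] = v.year if k in DATE_FIELDS else v
    if _age_on(record["birth_date"], as_of) > 89:
        out["birth_date"] = "90+"  # even the birth year would reveal the age
    return out


class ReidentificationKey:
    """Re-identification codes held by the covered entity only. Codes are
    random tokens, so they are not derived from any identifier (an encrypted or
    hashed SSN would not qualify); the code-to-MRN map is never released."""

    def __init__(self):
        self._code_to_mrn = {}
        self._mrn_to_code = {}

    def assign(self, record):
        mrn = record["mrn"]
        if mrn not in self._mrn_to_code:
            code = secrets.token_hex(8)
            self._mrn_to_code[mrn] = code
            self._code_to_mrn[code] = mrn
        return self._mrn_to_code[mrn]

    def reidentify(self, code):
        return self._code_to_mrn[code]


def build_release(records, key):
    """Safe-harbor rows tagged with their re-identification codes."""
    release = []
    for rec in records:
        row = safe_harbor(rec)
        row["reid_code"] = key.assign(rec)
        release.append(row)
    return release


if __name__ == "__main__":
    key = ReidentificationKey()
    for row in build_release(SAMPLE_RECORDS, key):
        print(row)
    print("Limited Data Set row:", limited_data_set(SAMPLE_RECORDS[0]))
```

Run it as a script to see both outputs side by side. The point of `ReidentificationKey` is that the token carries no information about the person: only the map, which stays with the covered entity, links it back, which is what section IX requires of a re-identification code.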
XI. Databases and Registries
The collection of data for the purposes of establishing a database or registry, as well as for general research purposes, must comply with HIPAA regulations regarding use and disclosure of protected health information. These activities therefore come under the oversight of the IRB. It is possible that these activities may be reviewed by expedited review or be deemed exempt from further review; however, such determinations must be made by the IRB following the submission of an IRB application.
Local Institutional Review Board approval is required of all clinical studies and deserves to be a major consideration when designing data collection. Regardless of whether it is a retrospective analysis of collected data or a prospective clinical trial, no data collection should be initiated until all ethical, procedural, and legal requirements are satisfied.
See Office of Research Policy #8010.06, Access to Protected Health Information of Research Participants; HIM Policy #9.08, Use and Disclosure of General (Medical) Protected Health Information (PHI); and ISD Policy #8480.14, Electronic Systems Access Eligibility, User ID and Password Provisioning, for specific information regarding passwords and approval of access to electronic data.
XII. Activities Preparatory to Research
Covered entities may permit researchers to review PHI in medical records or elsewhere to prepare a research protocol, or for similar purposes preparatory to research. This review allows the researcher to determine, for example, whether a sufficient number or type of records exists to conduct the research. Importantly, the covered entity may not permit the researcher to remove any PHI from the covered entity. To permit the researcher to conduct a review preparatory to research, the covered entity must receive from the researcher representations that:
- The use or disclosure is sought solely to review PHI as necessary to prepare the research protocol or other similar preparatory purposes.
- No PHI will be removed from the covered entity during the review.
- The PHI the researcher seeks to use or access is necessary for the research purposes.
Under the "preparatory to research" provision of the HIPAA Privacy Rule, an investigator may maintain identifying information at the end of the screening conversation until the subject meets with study staff to discuss the study further and sign the consent form. (If identifiable health information is collected on persons who are not enrolled, there are two options: (1) destroy the information or (2) if a failure log must be maintained, the PI must obtain authorization from each individual.)
During the meeting with the potential subject, the subject must be asked to sign the written Authorization, and/or research consent form containing authorization language, to use and disclose his/her identifiable healthcare information and be given a copy of the hospital's Notice of Privacy Practices.
XIII. Retaining Information from Individuals who are Pre-Screened but not Enrolled
Pre-screening documents with identifying information gathered to obtain written Authorization and prior to enrollment (signing of informed consent form) may also be retained in research files, but must have segments containing identifiable information blacked out or cut off as soon as it is clear that the individual will not be enrolled. If identifiable health information is to be retained, the investigator must obtain an Authorization from each of the persons screened.
XIV. Research Involving Decedents' PHI
A covered entity may provide access to decedents' records for research purposes if the covered entity receives from the researcher:
- Representations that the decedents' PHI is necessary for the research and is being sought solely for research on the PHI of decedents (not, for example, living relatives of decedents);
- Upon request of the covered entity, documentation of the deaths of the study subjects.
No Authorization or Alteration or Waiver of Authorization by an IRB or Privacy Board is needed for use or disclosure of PHI for research only on the PHI of deceased persons, if these conditions are met.
XV. Other Privacy Rule Requirements
Minimum Necessary Standard
When using or disclosing PHI for research without an Authorization, a covered entity must make reasonable efforts to limit the PHI used or disclosed to the minimum necessary amount to accomplish the research purpose. If an IRB or Privacy Board has granted the researcher a Waiver or an Alteration of Authorization, a covered entity may reasonably rely upon the researcher's request consistent with the description of PHI in documentation from the IRB or Privacy Board as the minimum necessary amount of PHI for the research.
Right to an Accounting of Disclosures
The Privacy Rule grants individuals new rights, including the right to receive an accounting of disclosures made for research by a covered entity without the individual's authorization (e.g., under a Waiver of Authorization), except for disclosures of a Limited Data Set. The individual has a right to such an accounting of disclosures made by a covered entity in the 6 years prior to the date on which the accounting is requested, not including the period prior to the compliance date. For such disclosures, in general, individuals who request an accounting must be told what PHI was disclosed, to whom it was disclosed, and the date and purpose of the disclosure. Covered entities must provide the address of the recipient, if known.
For certain research disclosures made by a covered entity, two other options exist for providing an accounting. When multiple disclosures of PHI are made to the same person or entity for a single purpose, the accounting for such disclosures may consist of the information described above for the first disclosure, plus the number or frequency of disclosures, and the date of the last disclosure during the time period covered by the request.
If, during the period covered by the accounting, the covered entity has disclosed the records of 50 or more individuals for a particular research purpose, the covered entity may provide a more general accounting to the requestor. The covered entity would provide the following information in the general accounting:
- The name and description of the protocols for which their PHI may have been disclosed.
- A brief description of the type of PHI disclosed.
- The date or period of time of the disclosures.
- The contact information of the researcher and the research sponsor.
- A statement that the PHI of the individual may or may not have been disclosed for a particular protocol or research activity.
Section 164.528(b)(4)(ii) of the Privacy Rule requires that, upon request, the covered entity must help the individual contact the sponsor and researcher when it is reasonably likely that the individual's PHI was disclosed for a particular protocol.
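The accounting rules above turn a disclosure log into a record the individual can receive, and the shape of that record changes with the volume of disclosures. The following added example (not part of this policy) builds such an accounting from a constructed disclosure log: it applies the six-year look-back without reaching before the compliance date, leaves Limited Data Set disclosures out, summarises repeated disclosures to one recipient for one purpose, and switches to the general form for a protocol that received 50 or more individuals' records. The compliance date, the request date, and every name, address and protocol in the log are assumed values.

```python
"""Added example, not part of the Cottage Health System policy: builds an
accounting of research disclosures for one individual from a constructed
disclosure log, following the rules summarised in section XV."""
from collections import defaultdict
from datetime import date

COMPLIANCE_DATE = date(2003, 4, 14)   # assumed Privacy Rule compliance date
GENERAL_THRESHOLD = 50                 # individuals per protocol, from the policy text
REQUEST_DATE = date(2009, 1, 1)        # constructed date of the accounting request


def _disclosure(individual, purpose, when, basis="waiver"):
    """Constructed log entry; recipient, address, sponsor and protocol are invented."""
    return {"individual": individual, "purpose": purpose, "date": when,
            "recipient": f"Research team for {purpose}",
            "recipient_address": "Research Building, Room 100 (constructed)",
            "sponsor_contact": "sponsor@example.invalid (constructed)",
            "phi": "diagnosis codes and admission dates", "basis": basis}


ME = "MRN-0001234"
DISCLOSURE_LOG = [
    _disclosure(ME, "Protocol P-001", date(2007, 1, 10)),
    _disclosure(ME, "Protocol P-001", date(2007, 6, 10)),
    _disclosure(ME, "Protocol P-001", date(2008, 1, 5)),
    _disclosure(ME, "Protocol P-003", date(2005, 9, 9)),
    _disclosure(ME, "Protocol P-004", date(2008, 2, 2), basis="limited_data_set"),
    _disclosure(ME, "Protocol P-005", date(2001, 5, 5)),  # before the compliance date
    _disclosure(ME, "Protocol P-002", date(2006, 3, 1)),
]
# Sixty other constructed individuals disclosed to P-002 in the same batch.
DISCLOSURE_LOG += [_disclosure(f"MRN-{i:07d}", "Protocol P-002", date(2006, 3, 1))
                   for i in range(60)]


def _years_before(d, years):
    try:
        return d.replace(year=d.year - years)
    except ValueError:           # 29 February in a non-leap year
        return d.replace(year=d.year - years, day=28)


def accounting_for(individual, log, requested_on):
    """Return the accounting entries the individual is entitled to receive."""
    window_start = max(_years_before(requested_on, 6), COMPLIANCE_DATE)
    in_window = [e for e in log
                 if window_start <= e["date"] <= requested_on
                 and e["basis"] != "limited_data_set"]
    # Individuals and date range per protocol, across everyone, decide whether
    # the 50-or-more general accounting is available.
    protocol_people = defaultdict(set)
    protocol_dates = defaultdict(list)
    for e in in_window:
        protocol_people[e["purpose"]].add(e["individual"])
        protocol_dates[e["purpose"]].append(e["date"])

    mine = defaultdict(list)
    for e in in_window:
        if e["individual"] == individual:
            mine[(e["recipient"], e["purpose"])].append(e)

    entries = []
    for (recipient, purpose), group in sorted(mine.items()):
        group.sort(key=lambda e: e["date"])
        first = group[0]
        if len(protocol_people[purpose]) >= GENERAL_THRESHOLD:
            entries.append({
                "form": "general", "protocol": purpose, "phi": first["phi"],
                "period": (min(protocol_dates[purpose]), max(protocol_dates[purpose])),
                "researcher_contact": f'{recipient}, {first["recipient_address"]}',
                "sponsor_contact": first["sponsor_contact"],
                "statement": "Your PHI may or may not have been disclosed for this protocol.",
                # 164.528(b)(4)(ii): on request, help the individual reach them.
                "must_assist_contact": True})
        else:
            entry = {"form": "summary" if len(group) > 1 else "single",
                     "recipient": recipient, "address": first["recipient_address"],
                     "purpose": purpose, "phi": first["phi"], "date": first["date"]}
            if len(group) > 1:      # same recipient, same purpose: first + count + last
                entry["count"] = len(group)
                entry["last_date"] = group[-1]["date"]
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for entry in accounting_for(ME, DISCLOSURE_LOG, REQUEST_DATE):
        print(entry)
```

The log entry's `basis` field is what makes the Limited Data Set exclusion possible; a disclosure log that does not record the legal basis of each disclosure cannot produce a correct accounting later.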
XVI. Fines for Unauthorized Access to Patient Information
California Bills SB 541 and AB 211 (effective January 1, 2009) impose significant financial liability on both the individual committing the unauthorized access and/or release of health information, as well as on the institution involved in the unauthorized access. Because research often involves the use of a patient's Protected Health Information (PHI), including the use of electronic access to patient medical records, it is imperative that investigators be familiar with these State Bills. It is the obligation of Cottage Health System to report any willful unauthorized activities to the appropriate authorities.
SB 541: An act to amend sections 1280.1 and 1280.3 of, and to add section 1280.15 to, the Health and Safety Code, relating to health facilities.
- Requires health facilities to prevent unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information.
- Requires health facilities to report any violation to the department (DHS) and the patient (or patient’s representative) no later than 5 days after the violation has been detected by the facility.
- Enables DHS to assess a penalty of $25,000 to $250,000 per reported event.
AB 211: An act to amend sections 56.36 of the Civil Code, and to add Division 109 (commencing with Section 130200) to, the Health and Safety Code, relating to health.
- Establishes the Office of Health Information Integrity within the California Health and Human Services Agency to enforce the CA privacy laws and impose administrative fines.
- Any violation that results in economic loss or personal injury to a patient is punishable as a misdemeanor.
- The INDIVIDUAL who violates the patient's privacy may be fined from $2,500 to $250,000 per violation depending on the nature of the violation.
- Finally, and presumably as an inducement to encourage legal action by local DAs and city attorneys or prosecutors, _ of the penalties assessed will be paid to the treasurer of the county (or city) in which the judgment was entered.
Attachments (WORD Documents):
• Frequently Asked Questions