Institutional Review Board

Contact Information
IRB Administration Office
[University Hospitals]
Lakeside 1400
11100 Euclid Avenue
Cleveland, OH 44106
MS: LKS 7061
(216) 844-1529
FAX: 216-844-1547
Research HIPAA
Dear Members of the Research Community:

As you are aware, the Health Insurance Portability & Accountability Act (HIPAA) was enacted April 14, 2003. This regulation, also known as the “Privacy Rule”, establishes conditions under which researchers and investigators may have access to and use an individual’s PHI for research purposes. This regulation indicates that signed authorization must be obtained unless the Institutional Research Privacy Board (RPB) has otherwise designated that this is not necessary.

In a continued effort to implement quality improvement processes within our human research protection program, the UH Research Privacy Board (RPB) has revised the HIPAA Authorization template language that must be used as the basis to obtain written authorization to use and disclose PHI for research purposes. These changes were based on current guidance in the Federal regulations regarding research and the Privacy Rule (http://privacyruleandresearch.nih.gov/), as well as on feedback from UH research investigators. It is believed that these collective efforts will greatly simplify the language in the HIPAA authorization documents and that such changes will be welcomed by investigators.

To assist with this transition, the UH Center for Clinical Research will hold four educational sessions in March 2007. Investigators will receive notification of the time and places shortly.

Investigators may select one of the following three (3) options regarding the new HIPAA Authorization language for existing protocols:
a.    submit an amendment to a currently approved IRB protocol to utilize the new Authorization language
b.    at the time of continuing review, request a change to the currently approved HIPAA to utilize the new Authorization language
c.    continue to use the previously approved HIPAA language until such time that the study is completed and terminated or the HIPAA Authorization language needs to otherwise be revised
Please note: Beginning April 1, 2007, all NEW research protocols submitted to the UH IRB and RPB for review must use the new HIPAA Authorization language template.

If you have any questions or require assistance in preparing your documentation to comply with HIPAA, please contact the Office of Institutional Review at (216) 844-1529 or Phil Cola at (216) 844-5576 or by e-mail to philip.cola@uhhospitals.org.

Philip Cola, M.A.
Vice President, Research and Technology

Please feel free to view the full Notice of Privacy Practices online, which describes how medical information about you may be used and disclosed and how you can get access to this information.

HIPAA Authorization template v022008
HIPAA Waiver v021307
HIPAA International v021307

Impact of HIPAA on recruitment of patients to clinical trials


Researchers may recruit study participants in a number of ways. Privacy protections must be considered for each. All research in which an individual is contacted or recruited for enrollment must be reviewed and approved by an IRB. The Common Rule requires an IRB to consider the process for subject recruitment as part of its review. The Privacy Rule adds a new privacy focus to this review, as explained below:

An individual may contact a researcher about a study (i.e. respond to a posting or advertisement) with no new Privacy Rule requirements.

A treating physician may share de-identified information with a researcher to determine a patient's eligibility for a study with no new Privacy Rule requirements.

If approved by the IRB, a treating physician and researcher may co-sign a recruitment letter to patients with no new Privacy Rule requirements. The treating physician must send the letter to the patient and the researcher cannot know the prospective subject's identity unless he/she responds to the letter.

If a treating physician shares identifiable health information with a researcher to discuss potential enrollment in research, the Privacy Rule requires that either the patient's authorization must be obtained or the IRB must be asked to approve this sharing with waived authorization.

Revocation of authorization
A subject has always had the right to revoke consent to participate in research. The Privacy Rule also permits a subject to revoke permission for researchers to use or disclose his or her identifiable information for research. The researchers must honor this request, except to the extent they have already relied on the permission. For example, if researchers have already included a person's protected health information in an analysis, the analysis can be maintained. In addition, researchers may "continue using and disclosing protected health information that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study." This means that researchers may not disclose additional information that they have not yet accessed at the time the authorization is withdrawn. They may, however, use or disclose identifiable information already gathered for purposes such as accounting for the subject's withdrawal, reporting adverse events, or complying with investigations.

Individual rights provided by the Privacy Rule to research subjects
The Privacy Rule gives individuals a number of new rights. Research subjects enjoy similar rights. Individuals/subjects have the right to: 

Request access to their health care information (see section on Limitations on an individual's right to see research data for limitations related to research data.)

Request that their health care information be amended

Receive, upon request, an accounting of all disclosures of their medical information, if they haven't specifically authorized the disclosures.

Revoke authorization for the use/disclosure of identifiable health information, to the extent the researchers have not already relied on it.

Request an alternative means or place of contacting the individual (e.g., home vs. work)

Request restrictions on uses or disclosures (see section on Investigator right to reject subjects from research trials if they do not sign authorization form for rules that apply to research authorization)

Limitations on an individual's right to see research data
Under the Privacy Rule, a subject can access any of their information maintained in a Designated Record Set. The Privacy Rule defines a Designated Record Set as medical and billing records about individuals and any other records used to make decisions about individuals. Therefore, the Designated Record Set includes information that is generated in research and recorded in the medical chart or billing records, as well as information that is recorded elsewhere (e.g., a lab notebook) but that might be used to make clinical or billing decisions about the subject (e.g., a blood pressure reading). However, information that is generated in research and lacks clinical validity or clinical utility generally will be considered outside of the Designated Record Set (unless it is recorded in the medical chart or billing records). The Privacy Rule allows a researcher to delay access to the Designated Record Set until the end of the study (e.g., in the case of a randomized controlled trial). However, the investigator must inform the subject of such a delay in the authorization to use or disclose identifiable health information. It is possible that additional research information might have to be released following a subpoena or other legal process.

Investigator right to reject subjects from research trials if they do not sign authorization
If a research subject refuses to sign authorization, the investigator may choose to consider the subject ineligible for the study. For the investigator to have this option, it must be stated in the consent or authorization form.

Tracking of access to Protected Health Information is now required
The Privacy Rule requires that a record be kept that tracks the disclosure of any identifiable information that is made without an authorization. Hence, for research, tracking of disclosures will have to be done if an IRB waiver of authorization is obtained. UH must maintain a record of individuals who had PHI disclosed within the last six years. The following items generally must be tracked and made available to an individual upon request:

Date of the disclosure
Name of person/entity or specific protocol that received the PHI
Description of what PHI was disclosed
Brief statement regarding the purpose of the disclosure

FAQ

Q: When does a covered entity have discretion to determine whether a research component of the entity is part of their covered functions, and therefore, subject to the HIPAA Privacy Rule? (Note: CWRU is a hybrid entity; UHC is not.)

A: A covered entity that qualifies as a hybrid entity, meaning that the entity is a single legal entity that performs both covered and non-covered functions, may choose whether it wants to be a hybrid entity. If such a covered entity decides not to be a hybrid entity then it, and all of its components, are subject to the Privacy Rule in its entirety. Therefore, if a researcher is an employee or workforce member of a covered entity that has decided not to be a hybrid entity, the researcher is part of the covered entity and is, therefore, subject to the Privacy Rule. If a covered entity decides to be a hybrid entity, it must define and designate as its health care component(s) those parts of the entity that engage in covered functions. "Covered functions" are those functions of a covered entity that make the entity a health plan, a health care provider, or a health care clearinghouse. Thus, research components of a hybrid entity that function as health care providers and engage in standard electronic transactions must be included in the hybrid entity's health care component(s), and be subject to the Privacy Rule.

However, research components that function as health care providers, but do not engage in standard electronic transactions may, but are not required to, be included in the health care component(s) of the hybrid entity. For example, a hybrid entity, such as a university, has the option to include or exclude a research laboratory that functions as a health care provider but does not engage in electronic transactions as part of the hybrid entity's health care component. If such a research laboratory is included in the hybrid entity's health care component, then the employees or workforce members of the laboratory must comply with the Privacy Rule. But if the research laboratory is excluded from the hybrid entity's health care component, the employees or workforce members of the laboratory are not subject to the Privacy Rule.

Q: Can the preparatory research provision of the HIPAA Privacy Rule at 45 CFR 164.512(i)(1)(ii) be used to recruit individuals into a research study?

A: The preparatory research provision permits covered entities to use or disclose protected health information for purposes preparatory to research, such as to aid study recruitment. However, the provision at 45 CFR 164.512(i)(1)(ii) does not permit the researcher to remove protected health information from the covered entity's site. As such, a researcher who is an employee or a member of the covered entity's workforce could use protected health information to contact prospective research subjects. The preparatory research provision would allow such a researcher to identify prospective research participants for purposes of seeking their authorization to use or disclose protected health information for a research study. In addition, the Rule permits a covered entity to disclose protected health information to the individual who is the subject of the information. See 45 CFR 164.502(a)(1)(i). Therefore, covered health care providers and patients may continue to discuss the option of enrolling in a clinical trial without patient authorization, and without an Institutional Review Board (IRB) or Privacy Board waiver of the authorization.

However, a researcher who is not a part of the covered entity may not use the preparatory research provision to contact prospective research subjects. Rather, the outside researcher could obtain contact information through a partial waiver of individual authorization by an IRB or Privacy Board as permitted at 45 CFR 164.512(i)(1)(i). The IRB or Privacy Board waiver of authorization permits the partial waiver of authorization for the purposes of allowing a researcher to obtain protected health information as necessary to recruit potential research subjects. For example, even if an IRB does not waive informed consent and individual authorization for the study itself, it may waive such authorization to permit the disclosure of protected health information as necessary for the researcher to be able to contact and recruit individuals into the study.

Q: Will the Office for Human Research Protections (OHRP) assess compliance with the requirements of the HIPAA Privacy Rule during OHRP's compliance oversight evaluations?

A: Since OHRP does not implement or enforce the HIPAA Privacy Rule, OHRP will NOT assess compliance with the requirements of the HIPAA Privacy Rule during its compliance oversight evaluations.

Q: Is a business associate contract required for a covered entity to disclose protected health information to a researcher?

A: No. Disclosures from a covered entity to a researcher for research purposes do not require a business associate contract, even in those instances where the covered entity has hired the researcher to perform research on the covered entity's own behalf. A business associate agreement is required only where a person or entity is conducting a function or activity regulated by the Administrative Simplification Rules on behalf of a covered entity, such as payment or health care operations, or providing one of the services listed in the definition of "business associate" at 45 CFR 160.103. However, the HIPAA Privacy Rule does not prohibit a covered entity from entering into a business associate contract with a researcher if the covered entity wishes to do so. Notwithstanding the above, a covered entity is only permitted to disclose protected health information to a researcher as permitted by the Rule, that is, with an individual's authorization pursuant to 45 CFR 164.508, without an individual's authorization as permitted by 45 CFR 164.512(i), or as a limited data set provided that a data use agreement is in place as permitted by 45 CFR 164.514(e).

Q: Does the HIPAA Privacy Rule permit the creation of a database for research purposes through an Institutional Review Board (IRB) or Privacy Board waiver of individual authorization?

A: Yes. A covered entity may use or disclose protected health information without individuals' authorizations for the creation of a research database, provided the covered entity obtains documentation that an IRB or Privacy Board has determined that the specified waiver criteria were satisfied. Protected health information maintained by a covered entity in such a research database could be used or disclosed for future research studies as permitted by the Privacy Rule - that is, for future studies in which individual authorization has been obtained or where the Rule would permit research without an authorization, such as pursuant to an IRB or Privacy Board waiver.