Human Investigation Committee
Yale University School of Medicine
47 College Street, Suite 204
New Haven, CT 06520-8010 USA

Phone: (203) 785-4688
Fax: (203) 785-2847





YSM - HUMAN INVESTIGATION COMMITTEE.

HIPAA's Impact On Research Protocols

HIPAA's requirements relating to research do not replace or eliminate the requirements of the federal Common Rule. All Common Rule requirements (e.g., IRB approval of human subjects research) still apply.

HIPAA does add certain new requirements to research. Under HIPAA, the use or disclosure of PHI for research purposes requires a signed Research Authorization Form from the research subject unless an exception under HIPAA applies. HIPAA also applies to certain research related activities that are not covered under the Common Rule, e.g., research on decedents or studies determined to be exempt from IRB review.

In addition, HIPAA introduces a concept known as the "minimum necessary" standard. In general, HIPAA requires that only the minimum necessary PHI should be used unless the PHI is used for treatment, or unless the use or disclosure is made subject to a written authorization (including a research authorization). Thus, the minimum necessary standard requires researchers who are engaging in research, but do not have a HIPAA research authorization, to limit their access of PHI to only that needed to accomplish the research initiative and the intended purpose of the use and/or disclosure of PHI.

The additional requirements mandated by HIPAA, as they relate to research access to PHI, are described below.

Requirements for Research Use of PHI

The Privacy Rule applies to the following types of research activities when they involve PHI:

  • Research using or creating PHI about living individuals
  • Activities preparatory to research
  • Research on decedents
  • Recruitment
  • Research using a limited data set
  • Collection of PHI of secondary subjects

The types of research that do not fall under the HIPAA Privacy Rule are:

  • Research using de-identified data, i.e., data that contains none of the 18 HIPAA identifiers
  • Research conducted by an individual who is not part of a HIPAA covered entity and that does not require access to information held by a HIPAA covered entity

Yale has developed a form to facilitate compliance with HIPAA and access to PHI by outlining the required documentation or certifications that researchers must use in order to access PHI. Researchers should complete the “Request for Access to PHI for Research Purposes” form and provide it and the supporting documentation (described on the form) to the entity responsible for the PHI of interest. Both Yale University and Yale-New Haven Hospital (YNHH) have approved the use of this form. Note that the form does not describe the requirements for access to a Limited Data Set. Access to a Limited Data Set requires a more detailed agreement as described below.

Research Using or Creating PHI of Living Individuals

PHI may not be used for research purposes unless at least one of the following conditions applies:

  • The researcher has informed consent documents or waivers of informed consent obtained prior to April 14, 2003
  • The researcher obtains subjects' HIPAA authorization for the research
  • The IRB approves a waiver of HIPAA authorization for the research
  • The study involves only de-identified data or a Limited Data Set

Consent Obtained Prior to April 14, 2003

Researchers may continue to use or disclose PHI obtained or created before April 14, 2003 pursuant to the informed consent document for that research study. A Research Authorization Form or request for a waiver is not required if the subjects signed informed consent forms to participate in the research prior to April 14, 2003. Contact with research participants and data collection may continue without a HIPAA Research Authorization Form based on the existence of an informed consent form signed prior to April 14, 2003.

Alternatively, researchers may continue to use or disclose PHI in studies for which there is an approved IRB Waiver of Informed Consent under 45 CFR 46.116(d).

If it becomes necessary to re-consent any participants in such studies after April 14, 2003, researchers must obtain a HIPAA compliant Research Authorization Form or an approved request for waiver of HIPAA authorization in order to obtain or create PHI.

Research under a Participant's Authorization

As mentioned above, HIPAA generally requires a written authorization from the subject permitting a researcher to use or disclose the subject's PHI for research purposes. The researcher is required to obtain written authorization from the research participants via a signed Research Authorization Form. For an incompetent adult subject or a minor subject, a Personal Representative, someone with the legal authority to act on behalf of the subject, should sign the form exercising the subject's rights related to the individual's protected health information. The written Research Authorization Form must contain:

  • A specific description of the PHI that will be used and/or disclosed.
  • The names of persons or organizations that may use or disclose the PHI.
  • The names of persons or organizations to whom the PHI will be disclosed.
  • A statement of the purpose of the use and/or disclosure.
  • A statement of how long the use and/or disclosure will continue (no expiration date is permitted for research purposes; however, this must be specifically stated in the authorization form and justification must be provided in the protocol).
  • A statement that the subject can revoke his or her authorization.
  • A statement regarding the potential for re-disclosure to others not subject to the HIPAA Privacy Rule.
  • A notice that the covered entity either may or may not condition treatment or payment on the individual's signature.
  • The individual's signature and the date.

Permissible uses and disclosures are limited to those described in the Research Authorization Form. If a researcher needs to disclose PHI to a person or organization not listed in the Research Authorization Form, the researcher should obtain an additional written Research Authorization from the subject or apply to the IRB for a waiver of Authorization.

The Yale University Research Authorization Form provides standard language for the required statements listed above. Investigators using this form need only specify to whom and where PHI will be sent and what type of PHI will be disclosed. Authorization forms not based on the Yale template or that modify or remove language from the template are subject to review by the Privacy Office. Research Authorization Forms will generally be separate from the Informed Consent Documents but signed at the same time.

Disclosures of PHI made in connection with research conducted pursuant to signed authorization do not need to be tracked for purposes of responding to an individual who requests an accounting of disclosures (see Accounting for Disclosures below).

Research Authorization Forms will usually become part of the individual's medical record. The use of a compound Authorization (e.g., informed consent document plus Research Authorization Form combined) is not appropriate in cases where the compound Authorization will become part of the medical record. The informed consent document usually contains additional information (i.e., information in addition to that required by HIPAA for the Research Authorization Form), and this additional information may not be appropriate for inclusion in the permanent medical record.

Investigators should include completed Research Authorization Forms with the protocol package and submit it to the IRB for expedited review. Investigators will receive from the IRB a stamped Research Authorization Form, which acknowledges IRB receipt and acknowledges that the form will be used in the research protocol.

Copies of the signed Research Authorization Form and the Request for Access to PHI for Research Purposes form should be provided to the record holder to obtain access to the appropriate records.

Waiver of Authorization

If the research study involves PHI and certain other conditions exist, the researcher may request, and the IRB may grant, a waiver of HIPAA authorization.

A waiver of HIPAA authorization is permitted only when all of the following exist:

  • The research could not be practicably conducted without the waiver.
  • The research could not be practicably conducted without access to and use of PHI.
  • The researcher provides written assurance to the IRB that the PHI will not be re-used or disclosed (except as required by law, or for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by the HIPAA Privacy Rule).
  • The use(s) and/or disclosure(s) of PHI will be limited to the minimum necessary standard.
  • The use(s) and/or disclosure(s) involve no more than minimal privacy risk to the subjects.
  • The IRB has reviewed and approved the proposed use(s) and disclosure(s) of PHI.

Researchers can request a waiver of Research Authorization by completing the Yale University Request for HIPAA Waiver of Authorization for Research Form and submitting it to the IRB for review and approval. The following must be clearly articulated in the waiver application:

  • Why the research could not practicably be conducted without the waiver.
  • Why the research could not practicably be conducted without access to and use of the PHI.
  • A written assurance to the IRB that the PHI will not be re-used or disclosed except as required by law, for authorized oversight of the research, or for other research.
  • A written statement describing the PHI that will be used and/or disclosed and an explanation of how the use(s) and/or disclosure(s) of PHI will meet the "minimum necessary" standard.
  • A statement that the use(s) and/or disclosure(s) involve no more than minimal privacy risk to the subjects.
  • A description of the plan to protect identifiers.
  • A description of the plan to destroy the identifiers as quickly as possible.
  • A description of the plan to track disclosures.

The criteria for waiver of Research Authorizations are similar to those for waiving informed consent. Therefore, if the research plan includes obtaining informed consent from research participants, it is unlikely that the IRB will approve a waiver of a HIPAA Research Authorization, except perhaps for recruitment purposes (see Recruitment Section). Disclosures of PHI that are made in connection with research conducted pursuant to a Waiver of HIPAA Authorization must be tracked in order to respond to individuals who request an accounting of disclosures of their PHI. Investigators are responsible for tracking such disclosures made in connection with their own research protocols. (See Yale's policy on accounting for disclosure at http://www.yale.edu/ppdev/policy/5003/5003.pdf)

Investigators should include the completed Yale University Request for HIPAA Waiver of Authorization for Research Form with the protocol package and submit it to the IRB. In most cases, the IRB will assess the request using an expedited review process. However, full IRB committee review is required in cases in which a waiver has been requested by the investigator, but risk to the individual's privacy is greater than minimal. Investigators will receive from the IRB an authorized Approval/Denial of Waiver of HIPAA Authorization.

Copies of the waiver of Research Authorization and the Request for Access to PHI for Research Purposes form should be provided to the record holder to obtain access to the appropriate records.

Activities Preparatory to Research

Investigators may access PHI in activities that are "preparatory to research." This type of access is limited to a review of data to assist in formulating a hypothesis, determining the feasibility of conducting the study, determining cell size, or other similar uses that precede the development of an actual protocol.

While an investigator may review PHI during the course of a review preparatory to research, he or she may not remove, copy, or include any PHI in notes. Investigators may not use PHI to identify potential research subjects by name or by any other HIPAA identifier. However, investigators may write down and remove summary data (e.g., number of individuals with a certain disease).

Before accessing PHI for a review preparatory to research, a researcher must provide written assurances to the holder of the PHI that the review of the PHI is necessary to prepare a research protocol and that the PHI will not be removed by the researcher from the entity. No further review or approval is required.

Researchers wishing to conduct activities preparatory to research using Yale University or Yale-New Haven Hospital medical records must complete the Yale-New Haven Health Systems/Yale University Request for Access to Protected Health Information for a Research Purpose. Clinical administrators are not permitted to run IDX reports for research purposes. Researchers should forward all requests for IDX reports to the Yale Medical Group using the appropriate form.

Research on Decedents

HIPAA requires that researchers who wish to access PHI of decedents for research purposes first make certain written representations to the holder of the PHI. The researcher must first represent that the use or disclosure of PHI is solely for research on the PHI of decedents. That is, the researcher may not use the PHI of the decedent to obtain information about a decedent's living relative(s). A researcher may request a decedent's medical history for an outcome study relating to treatment previously administered to the decedent. The researcher must also provide written assurance that the PHI is necessary for the research. The holder of the PHI has a right to require documentation of death of the individuals about whom information is sought.

Researchers wishing to conduct research on decedents using Yale University or Yale-New Haven Hospital medical records must complete the Yale-New Haven Health Systems/Yale University Request for Access to Protected Health Information for a Research Purpose.

Recruitment

The use of PHI to recruit an individual to participate in a research study must comply with HIPAA's general requirement that the use must be pursuant to an authorization or some exception, such as a waiver of HIPAA authorization. Although recruitment procedures usually require access to a limited amount of health information, recruitment is considered to be an accessing of PHI and, therefore, must comply with HIPAA requirements.

Treating providers may not disclose PHI to a third party (including a "researcher" within the same covered entity) for purposes of recruitment in a research study without first obtaining authorization from the individual.

A treating provider does, however, have the option to:

  • Discuss with his/her own patients the option of enrolling in a study.
  • Obtain written authorization from the patient for referral into a research study.
  • Provide research information to the patient so that the patient can initiate contact with the researcher.
  • Provide information to a researcher when the researcher has obtained an approved Waiver of Research Authorization from an IRB for recruitment purposes.

HIPAA also applies to recruitment and research activities conducted via medical records and medical registry reviews. Investigators must obtain either a Research Authorization from the subject or a Waiver of HIPAA Authorization approved by an IRB prior to commencing research recruitment activities from these sources. A Waiver of HIPAA Authorization for recruitment purposes only is referred to as a partial waiver. Researchers are required to obtain subjects' Research Authorizations after recruiting and enrolling subjects via a partial waiver and prior to creating or using PHI during research procedures.

Investigators should include the completed Yale University Request for HIPAA Waiver of Authorization for Research Form with the protocol package, including the HIPAA Authorization Form or Requests for Waiver of HIPAA Authorization that will be used after recruitment, and submit the protocol package to the IRB as described in the previous section on waivers.


De-identified Data

De-identified data are data that contain none of the 18 HIPAA identifiers listed above in the "What is PHI?" section. If all of the 18 identifiers are removed, the information is no longer (1) individually identifiable, (2) PHI, and (3) subject to HIPAA's requirements. A de-identified data set may be coded with a unique identifier that cannot be traced back to the individual for the purpose of being re-identified by the recipient at a later date. De-identified data may include gender, age, race, or relevant information regarding disease or tissue source and can later be re-identified, by the original holder of the data, if necessary, by means of a unique, non-identifiable code for purposes of carrying out research. It is important to remember that re-identification will subject the information to HIPAA's requirements. A researcher must resubmit the protocol to the IRB for approval when re-identification of the data is desired.

A data set may also be considered de-identified if an expert in statistical and scientific methods determines and documents that the methods used to de-identify or code the data present a very small risk that the information can be used alone or in combination with other reasonably available information to identify an individual.

"Anonymous" data are not necessarily considered de-identified under HIPAA. Anonymity under the federal Common Rule requires that individuals cannot be readily ascertained by the investigator and cannot be associated with the data. According to the Common Rule standard, anonymous data may retain dates of treatment. Under HIPAA's more stringent requirements, however, such data would be considered identifiable data.

Limited Data Sets and Data Use Agreements

Some studies may need to retain a limited number of identifiers and, thus, not meet the strict HIPAA definition of "de-identified data." However, these studies may present only minimal potential for identifying participants based on the data set. In such circumstances, HIPAA permits use of a "Limited Data Set" for research purposes. A Limited Data Set is PHI that excludes "direct identifiers" of the individual, relatives of the individual, employers, or household members.

A limited data set must exclude:

1. Names
2. Street Addresses
3. Phone and Fax Numbers
4. Email Addresses
5. Social Security Numbers
6. Medical Record Numbers
7. Health Plan Numbers
8. Account Numbers
9. Certificate/License Numbers
10. Vehicle Identifiers/License Plates
11. Device Identifiers
12. Web URLs
13. Internet Protocol (IP) Addresses
14. Full Face Photos

A limited data set may include one or more of the following:

1. Towns
2. Cities
3. States
4. Zip Codes and their equivalent geocodes. (Note that a zip code cannot be used if the area composing the zip code has fewer than 20,000 citizens.)
5. Dates including birth and death
6. Other unique identifying numbers, characteristics, or codes that are not expressly excluded. (Medical record numbers and pathology numbers are excluded.)
7. Relevant medical information

A Limited Data Set may be used only for purposes of research, public health, or health care operations. It may be used only if the covered entity providing the data and the recipient of the data first enter into a Data Use Agreement. The investigator, the holder of the PHI, and their respective institutions, must sign Data Use Agreements, either for access to a Limited Data Set or for the release of a Limited Data Set. At Yale, the Offices of Grant and Contract Administration will administer the negotiation and execution of these agreements. These agreements must, among other things, establish the permitted uses and disclosures of the information included in the Limited Data Set and must provide that the recipient of the Limited Data Set will not identify the information or use it to contact individuals. Yale has developed an Internal Data Use Agreement for researchers to use (1) when transferring a Limited Data Set between researchers within Yale, and (2) when bringing into Yale a Limited Data Set that has been collected by the researcher at a site not covered by HIPAA (i.e., when the data was not PHI when collected, but will become PHI when it arrives at a Yale HIPAA covered component).

As with research conducted pursuant to an authorization, disclosure(s) of PHI that are part of a Limited Data Set need not be tracked for purposes of providing an accounting to an individual.

The use of a Limited Data Set in a protocol should be specified in the research plan and confidentiality sections. The IRB will acknowledge the use of the Limited Data Set in the letter of IRB Common Rule approval sent to the principal investigator. The letter will state that the research activity cannot begin until the principal investigator has an authorized Data Use Agreement in place.

Other resources that provide information on de-identification and Limited Data Set Procedures include:

  • Yale University Policy regarding the Use and Disclosure of De-Identified Information and of Limited Data Sets at http://hipaa.yale.edu/
  • Yale University Procedure on De-Identification and Limited Data Set Procedures at http://info.med.yale.edu/hic/
  • The HIPAA Privacy Office

Databanks and Repositories

The collection or maintenance of PHI in databanks or repositories for future research purposes requires an IRB-approved protocol. In addition, research using data from these databanks and repositories must be conducted under an IRB-approved protocol. Since databanks and tissue repositories frequently survive beyond the lifespan of the initial IRB protocol in which the data/tissue is collected, researchers should normally submit the proposed data/tissue banking activities to the IRB in a separate protocol.

The HIPAA Privacy Rule affects activities such as research using identifiable or coded data or biological specimens such as human tissue, DNA, and blood where the researcher controls the coding. The HIPAA Privacy Rule requires an authorization from the subject about whom information is stored or a HIPAA Waiver of Authorization approved by an IRB for the collection of PHI and prior to conducting subsequent studies using PHI. The IRB must review and approve all proposed uses of stored tissues, irrespective of whether or not the secondary use(s) of the banked tissues will include use of HIPAA identifiers.



Studies Exempted from IRB Review

Studies exempted under the Common Rule that involve the use of PHI are not exempted under HIPAA. HIPAA requirements related to authorization or waiver are applicable to these studies. Investigators should provide a Research Authorization Form or Request for Waiver of HIPAA Authorization to the IRB along with the exemption request.


International Research and Collection of Health Information at Sites Where HIPAA Is Not Applicable

HIPAA does not apply to all sites where individually identifiable health information may be collected. For example, studies conducted at clinical facilities outside of the U.S. or health information collected from an educational record are not governed by HIPAA. Transfer of the data to a HIPAA covered component (at Yale or elsewhere), however, renders any individually identifiable health information PHI by virtue of its being held by a facility covered by HIPAA. Once the data are transferred to a HIPAA covered component, all HIPAA regulations apply.

When individual sites are not covered by HIPAA, researchers are not required to follow HIPAA's patients' rights provisions, e.g., providing a copy of the NOPP, during data collection at those sites. However, because HIPAA requirements become effective upon return of the data to a covered component at Yale, the use and disclosure of the data from Yale requires researchers to adhere to the Research Authorization requirements described above. Therefore, in these cases, when identifiable data will be brought back to a HIPAA covered component (at Yale or elsewhere), researchers should obtain HIPAA Research Authorizations in order to reduce the need to account for subsequent disclosure(s) of the PHI. In some cases, researchers can bring the relevant data to Yale either stripped of all 18 HIPAA identifiers, with or without a code maintained at the collection site, or as a Limited Data Set with an accompanying Internal Data Use Agreement.

Resignations of Investigators or Research Staff

In the event that a Yale investigator or research staff member leaves Yale and wishes to copy or remove research data created or acquired while that individual was at Yale, he or she must first request permission from his or her department chair. If the chair approves the data transfer, the request should then be submitted to the Yale HIPAA Privacy Officer. Taking data to a new institution constitutes a disclosure of PHI under HIPAA that requires tracking in the accounting for disclosures log. The Yale HIPAA Privacy Officer will make each determination related to privacy rules on a case-by-case basis, considering at a minimum the following:

  • whether the data includes PHI;
  • who, in addition to the departing investigator or staff member, will have access to the removed or copied data, including any other institution with which the departing investigator or staff member will become affiliated;
  • the feasibility of permitting the copying or removal of only de-identified, coded data, with the key to the code remaining at Yale;
  • whether such copying or removal is contemplated in the Research Authorization signed by each subject;
  • the feasibility of requesting additional Research Authorizations from the subjects;
  • a review of any representations to, or agreements made by Yale with, the transferors of the data to Yale; and
  • whether such copying or removal would be inconsistent with any representations made in the context of a waiver/decedents application.

The HIPAA Privacy Officer will then inform the departing investigator or research staff member of the terms and conditions under which research data may be copied or removed. Research data may be copied or removed from Yale only pursuant to those terms and conditions.

