C. Use Or Disclosure of PHI WITHOUT Authorization

C. Use or Disclosure of PHI WITHOUT Authorization

Investigators who are covered entities, or who are proposing to obtain human subjects information from covered entities, do not always need to get Authorization for research-related activities. There are at least 6 ways that an investigator may use or disclose PHI without Authorization.

1. IRB or Privacy Board Waiver of HIPAA Authorization

Similar to the process for a waiver of informed consent which requires that the research be no more than minimal risk, the waiver of authorization requires that the research be no more than minimal risk to privacy and the application needs to provide for an explicit plan to protect private information, a plan to destroy identifiers as soon as practicable, and written assurance the information will not be re-used or disclosed secondarily. The waiver of authorization also includes the provision that the research could not be practicably carried out without the waiver, but this is directed toward required access to PHI, which is slightly different that the consent waiver requirements regarding impracticability(§45CFR164.508 and 164.512(i)).

If this research results in information pertinent to the subjects whose records/specimens are used, then the investigator must submit a written plan for providing this information to the subjects. This plan must be approved by the IRB before research subjects are contacted.

In order to approve a waiver of HIPAA Authorization, therefore, the following components must be demonstrated:

a.  Outline how the use and disclosure of PHI poses no greater than minimal risk[1] to the subjects.

b.  Written assurance that the PHI will not be reused or disclosed to any other person or entity except as required by law, for study oversight, or for other research for which the use and disclosure of PHI would be permitted;

c.  An adequate plan to protect the identifiers from improper use or disclosure, except as required by law, or for other research as permitted by the HIPAA regulations; and

d.  An adequate plan for the destruction of the identifiers at the earliest opportunity consistent with the conduct of the research, or a health or research justification for retaining the identifiers or provide the legal reference requiring retention of the data (Be specific, state a date or event, such as following data analysis, following publication).

e.  The research could not practicably be conducted without the waiver
or alteration; and

f.  The research could not practicably be conducted without access to
and use of the PHI.

2. Limited Data Set (LDS)

HIPAA allows investigators to use or disclose PHI if the IRB approves the use of a LDS:

a.  Please provide a written assurance that the data set will only include the following PHI elements:

i.  Zip code

ii.  Date of birth or date of death

iii.  Date(s) of service

iv.  Geographic subdivision (city)

b.  Provide the signed data use agreement between the investigator and the Covered Entity (CE) [the institution legally authorized to maintain and provide the information]. The data use agreement must include the following:

i.  List the permitted uses and disclosures of the LDS (recipient cannot use or disclose PHI in a way that the covered entity cannot)

ii.  Establish who is permitted to use or receive the LDS

iii.  Assurance that the recipient or investigator will:

(1)  not use or further disclose the information other than as specifically permitted in the agreement or as required by law,

(2)  Use appropriate safeguards to prevent use or disclosure of the information other than as provided in the agreement,

(3)  Report to the CE any known, unpermitted uses or disclosures,

(4)  Ensure that anyone to whom s/he provides the data (e.g., subcontractors) agrees to the same restrictions and conditions with respect to the information, and

(5)  Not re-identify the information or contact the individuals to whom the information belongs.

3. De-Identification (Removal of Identifiers, a.k.a. “Safe Harbor Standard”)

HIPAA allows investigators to use or disclose PHI if the IRB approves the use or disclosure of de-identified data by removing the identifiers listed below. The investigator must provide an assurance that the following identifiers have been removed:

1. Name / 11. Health plan ID number
2. Location smaller than State / 12. Account number
3. Last 2 digits of zip code / 13. Certificate/license number
4. All dates (year is acceptable) / 14. Vehicle identifier
5. Ages over 89 / 15. Device identifiers and serial numbers
6. Telephone number / 16. URLs
7. Fax number / 17. IP address
8. E-mail address / 18. Biometric identifiers, including finger prints
9. Social Security number / 19. Full face photos and other comparable images
10. Medical record number / 20. Any other unique identifying number, characteristic, or code

4. De-Identification (“Statistical Standard”)

HIPAA allows investigators to use or disclose PHI if the IRB approves the use of de-identified data by using the following methodology:

a.  The Statistical Standard requires documentation from a qualified statistician specializing in de-identification of data demonstrating that the proposed methods and analysis will effectively de-identify the data. Please provide appropriate information about the statistician certifying her/his expertise in de-identification methods and analysis.

b.  Please provide documentation from the statistician that the proposed methods and analysis for the research will result in:

i.  The data being rendered de-identified and

ii.  The risk being very small that the information can be used to identify an individual.

5. Activity preparatory to research

The researcher must certify that:

a. PHI is to be used solely to prepare a protocol, or for a similar preparatory purpose, AND

b. PHI will not be removed from the CE, AND

c. PHI is necessary for research purposes.

For research recruitment purposes, researchers who are not covered entities themselves may use the Preparatory to Research provision to identify subjects (but not remove their PHI from the CE). However, they may not contact subjects without obtaining a Waiver of Authorization or becoming a Business Associate of the CE for the health care operation.

For research recruitment purposes, researchers who are covered entities themselves may use the Preparatory to Research provision to identify subjects (but not remove their PHI from the CE). They may be able to contact subjects without obtaining a Waiver of Authorization for research related treatment and for health care operations.

6. Research that is on decedent’s information

The researcher must certify that:

a. Use or disclosure of PHI is solely for research on decedents, and

b. Individuals are decedents, and the investigator must provide documentation of this fact upon CE’s request, AND

c. PHI is necessary for research purposes.

[1] 45 CFR 46.102(i): Minimal risk means that the probability and magnitude of harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life or during the performance of routine physical or psychological examinations or tests.