Policy
The IRB reviews HIPAA research de-identification, research authorization, and research waiver of authorization requests for any researcher obtaining protected health information (PHI). Although federal regulations do not require IRBs to review authorization forms or de-identification requests, IRB-Spokane has made a decision to review authorization forms and de-identification requests as a service to its researchers and to assist them in complying with the HIPAA Privacy Rule.
IRB members do not review any research authorizations, waiver of authorization, or de-identification requests in which they have a conflict of interest. (See IRB Member and Consultant Conflict of Interest SOP for additional information.)
Definitions
Covered Entity – Health plans, health care clearinghouses and most health care providers.
HIPAA – Health Insurance Portability and Accountability Act
Protected health information - any of the 18 identifiers listed in the HIPAA Privacy Regulations in combination with health information that is created or maintained by a hospital covered entity (CE) that relates to the past, present, or future physical or mental health or conditions of an individual. PHI is considered individually identifiable when it can be linked to specific individuals by the researcher(s) either directly (name, medical record number) or indirectly (through coding systems or identifiers as defined in the Federal Privacy Rule 45 CFR 164.514).
Procedure
Options for Obtaining Protected Health Information
- A researcher has the following options for obtaining PHI for research purposes:
a) De-identified Information - health information that cannot be linked to an individual;
b) Authorization - a document signed by the subject that gives the researcher permission to use/disclose PHI collected during the research study for defined purposes;
c) Waiver of Authorization - a request to forgo the authorization requirement based on the fact that the disclosure of PHI is a minimal risk to the subject and the research cannot practically be done without access to/use of PHI;
d) Limited Data Set - a subset of identifiers that contain the following elements: city, state, zip code, date of birth, death, or date of service;
e) Preparatory Work - PHI reviewed for the purpose of designing a research study or identifying potential subjects. PHI cannot be removed from the CE during the review; or
f) Decedent Research - research where PHI is collected from a subject(s) that is deceased prior to the initiation of the study. Washington State law RCW 70.02.140 and the Federal Privacy Rule 45 CFR 164.502(f) consider a deceased person a human participant of research if the research uses private identifiable health information of deceased persons.
- THE IRB, NOT THE RESEARCHER, IS RESPONSIBLE FOR DETERMINING IF THE ACTIVITY IS CONSIDERED RESEARCH AND IF SO, THE LEVEL OF IRB REVIEW REQUIRED.
The level of IRB review required (full board, expedited or exempt) for research involving the use of PHI depends on a number of factors. Factors to be considered in determining the level of review include but are not limited to:
a) Risks of the research
b) Whether any identifiers will be recorded
c) Whether the records, data or specimens to be used exist at the time of IRB review of the research
d) Plans for permanently banking the data, records or specimens for future research
e) Examples of level of review
i) Full board review -
(1) Prospective collection of PHI for research
(2) Collection (prospective or retrospective) of PHI of a sensitive nature (psychiatric records, substance use)
(3) Banking of PHI for future research
ii) Expedited review –
(1) Use of existing (defined as on the shelf, in the file, at the time of IRB review) PHI for research. The research data will be coded in a confidential manner (a study code) so that no data can be linked back to the individuals.
iii) Exempt review –
(1) Use of existing, de-identified PHI for research. Research data will be recorded without any identifiers (anonymous). To be de-identified it must not contain any of the 18 identifiers listed in the Federal Privacy Rule.
Case Reports –
- See Single Case Reports and Case Series SOP for definition and requirements.
- HIPAA does apply to the use of PHI for case reports. To comply with HIPAA, case reports cannot be published unless the author obtains an authorization from the patient (parents, legally authorized representative), or the published version of the case report has been stripped of identifiers as defined under HIPAA.
- Out of respect for persons, obtaining permission of the patient or their legally authorized representative is strongly encouraged for all case reports.
Data, Tissue or Specimen Banks or Repositories –
- Establishing a data, tissue or specimen bank or repository for research purposes requires IRB review and approval and the consent and authorization of the patient or legally authorized representative to permanently store their PHI in a research bank or repository.
- The IRB will require the person responsible for the research data, tissue or specimen bank or repository to have procedures in place for releasing banked data, tissue or specimens to future researchers in a manner that protects the privacy of the individuals whose data, tissue or specimens are banked.
- The person responsible for maintaining the privacy and confidentiality of banked data, records or specimens shall require documentation of IRB approval prior to releasing or allowing access to banked data, records or specimens with identifiers for research purposes.
- Researchers who receive or access banked data, tissue or specimens with identifiers are responsible for obtaining IRB approval for their research from their IRB.
- Since the HIPAA Privacy Rule does not give clear guidance on databases or repositories, the IRB follows the NIH’s Research Repositories, Databases and the HIPAA Privacy Rule guidance document. The database or repository does not fall under the Privacy Rule if:
a) De-identifies all data/specimens collected for the database/repository; or
b) Obtains self-reported health information from the subject and does not add the health information to a designated record set. For the purposes of this policy, a designated record set is defined as a group of records maintained by or for a covered entity that includes:
- Medical and billing records about individuals maintained by or for a covered health care provider
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan
- Used, in whole or part, by or for the covered entity to make decisions about individuals.
- The IRB does not require the researcher to comply with the HIPAA requirements if the research database or repository was established before April 14, 2003 and the following conditions are met:
a) The information/specimens in the database/repository are de-identified; or
b) Subjects signed an informed consent; or
c) The IRB waived informed consent.
HIPAA Requirements Pertaining to PHI Used in Research -
- When PHI is used in research the researcher must either:
a) Obtain signed authorization from the patient or their legally authorized representative to use the individual's PHI in research; or
b) Request waiver of authorization from the IRB
- When informed consent is required a signed HIPAA Authorization is required if PHI is used, created or shared. IRB-Spokane requires that the HIPAA Authorization be attached at the end of the informed consent as part of the document (See Informed Consent-HIPAA template).
Waiver of HIPAA Authorization -
- Researcher submits the IRB’s “Application for Waiver of HIPAA Authorization” at the same time as the IRB application for review.
- The Application for Waiver of HIPAA Authorization is reviewed according to the level required by the research study (full board, expedited, exempt).
- If the IRB grants a waiver of signed HIPAA Authorization from the patient or their legally authorized representative to use their PHI in the research and if the PHI is disclosed to persons not a part of the hospital’s workforce covered by the IRB-Spokane (Deaconess Medical Center, Providence Holy Family Hospital, Providence Sacred Heart Medical Center, St. Luke’s Rehabilitation Institute and Valley Hospital and Medical Center), the researcher must keep a record of all the individuals whose PHI was accessed/used in the research. It is the responsibility of the researcher to send this information to the appropriate Health Information Management (medical records) personnel for documentation purposes.
- If the researcher obtained a waiver of informed consent prior to the compliance date, but subsequently seeks informed consent after the compliance date (April 14, 2003) he/she must obtain the subject’s authorization at the time he/she obtains the new informed consent.
Version date 6-2011