Revised 1/2004
HIPAA Language for IRB Letters IRB Project Number:
HIPAA NOT APPLICABLE:
The HIPAA Privacy Rule will not apply to this research. The investigator certifies that he/she is not accessing, using or obtaining protected (i.e., identifiable) health information held by; a) a health care provider (e.g., physician or other health care practitioner, hospital, clinic, nursing home); b) health plan (e.g., group health plan, insurance company, HMO); or c) health care clearinghouse (e.g., billing service) that is governed by the HIPAA privacy federal regulations.
[Note to reviewer: No further HIPAA analysis is necessary. You may skip the remainder of this document]
HIPAA AUTHORIZATION APPLICABLE:
# 1:
Based on the documents submitted, the investigator is accessing, using or obtaining research subject/patient’s identifiable health information (e.g., medical records, mental health information, lab reports, x-rays, tissue samples) from a) a health care provider (e.g., physician or other health care practitioner, hospital, clinic, nursing home); b) health plan (e.g., group health plan, insurance company, HMO); or c) health care clearinghouse (e.g., billing service) that is governed by the HIPAA privacy federal regulations and a waiver of authorization is not applicable.
[Note to reviewer: If you checked the box in # 1, please go to #2. If not, skip to the next section regarding waiver]
#2:
It is noted that a HIPAA-compliant authorization addendum (dated 6/2003 or later) is attached to the Informed Consent. Please remember to obtain the subject’s signature and date on the authorization addendum as well as the informed consent document. The Addendum must be edited specifically for this study only in the areas that allow such alteration. No other changes may be made.
OR
Attach a HIPAA Compliant authorization addendum (dated 6/2003 or later) to the IRB approved Informed Consent when you consent new subjects. The Addendum must be edited specifically for this study only in the areas that allow such alteration. No other changes may be made.
OR
A HIPAA-compliant authorization addendum is not attached to the Informed Consent. Please attach a HIPAA-compliant authorization addendum (dated 6/2003 or later) to your informed consent. The Addendum must be edited specifically for this study only in the areas that allow such alteration. No other changes may be made. The subject must sign and date both the authorization and the informed consent documents. A template addendum can be downloaded from any of the following web sites: at the compliance website at and the USC policies web site at: California Law requires that the HIPAA Authorization should remain a separate document from the Informed Consent.
NOTE TO PI: The next time you update or amend your Informed Consent Document please remove the HIPAA Authorization language from the Informed Consent document and utilize only the HIPAA Addendum as California Law requires that the HIPAA Authorization should remain a separate document from the Informed Consent.
NOTE TO PI: Do not attach a Hipaa Authorization Addendum to the Child/Youth Assent. The Hipaa Authorization Addendum should only be attached to the Parental Permission Form.
#3
PLEASE NOTE: If the subject notifies the investigator directly that the subject is revoking the authorization, the investigator must advise the IRB within 5 working days of the receipt of the revocation.
You may wish to utilize the Authorization for Release of Medical Records located on the IRB web site.
WAIVER OF HIPAA AUTHORIZATION APPLICABLE FOR RECRUITMENT:
The request for a waiver of authorization is approved solely for the purposes of obtaining protected health information held by a non-USC entity (e.g., USC University Hospital, LAC+USC Medical Center, Norris Cancer Hospital) to screen &/or recruit potential research subjects into the study. Please note that you may be asked to provide a copy of this waiver to obtain or access to this protected health information. PLEASE NOTE: YOU MAY LOOK AT, BUT NOT RECORD HIV TEST RESULTS.
OR
The request for a waiver of authorization is not approved solely for the purposes of obtaining protected health information held by a non-USC entity (e.g., USC University Hospital, LAC+USC Medical Center, Norris Cancer Hospital) to screen &/or recruit potential research subjects into the study. Please provide justification by specifically documenting the following:
(1) The use or disclosure of protected health information involves no more than minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: (a) Provide an adequate plan to protect the identifiers from improper use and disclosure; (b) Provide an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and (c) Provide adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart.
(2) The research could not practicably be conducted without the waiver or alteration; and
(3) The research could not practicably be conducted without access to and use of the protected health information.
WAIVER OF HIPAA AUTHORIZATION APPLICABLE FOR RECRUITMENT - FOR NEW PROTOCOLS ONLY
You must request a waiver of HIPAA compliant authorization (“Item 33 of the IRB Application”) for this and future applications where you are going to recruit subjects at the LAC+USC Healthcare Network Facilities, USC University Hospital, or USC Norris Hospital in order to review medical records information to learn whether a subject has the condition of interest. This is a request for a limited waiver to review medical records information to assess potential eligibility before approaching the subject to enter the study. Please provide justification by specifically documenting the following:
(1) The use or disclosure of protected health information involves no more than minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: (a) Provide an adequate plan to protect the identifiers from improper use and disclosure; (b) Provide an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and (c) Provide adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart.
(2) The research could not practicably be conducted without the waiver or alteration; and
(3) The research could not practicably be conducted without access to and use of the protected health information.
WAIVER OF HIPAA AUTHORIZATION APPLICABLE FOR RESEARCH SUBJECT:
The request for a waiver of HIPAA Authorization is approved. The investigator has provided justification by specifically documenting the following:
(1) The use or disclosure of protected health information involves no more than minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: (a) There is an adequate plan to protect the identifiers from improper use and disclosure; (b) There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and (c) There are adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart.
(2) The research could not practicably be conducted without the waiver or alteration; and
(3) The research could not practicably be conducted without access to and use of the protected health information.
You must use the data collection form dated.
The following is a brief description of the protected health information for which use or access has been determined as necessary by the IRB:
The request for a waiver of HIPAA Authorization is not approved. The investigator must provide justification by specifically documenting the following:
(1) The use or disclosure of protected health information involves no more than minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: (a) Provide an adequate plan to protect the identifiers from improper use and disclosure; (b) Provide an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and (c) Provide adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart.
(2) The research could not practicably be conducted without the waiver or alteration; and
(3) The research could not practicably be conducted without access to and use of the protected health information.
Submit a copy of the data collection form.
Waiver of HIPAA Authorization Not Applicable for Research Subject:A waiver of HIPAA authorization is not applicable.
or
The request for a waiver of HIPAA authorization is not approved.
Mental Health Records protected by the Lanterman-Petris-Short Act (LPS Act): In order to release medical records that contain information pertaining to mental health or developmental disabilities protected under the LPS Act, you and only those persons responsible for handling the confidential information must sign a confidentiality oath [Welfare and Institutions Code Section5328(e)andSection50421 of Title 17 of the California Code of Regulations (CCR)].The text of the confidentiality oath which must be submitted to the IRB is:
"Asa condition of doing research concerning persons who have received services from ____ (fill in the facility, agency or person), I, ____, agree toobtainthepriorinformedconsent of such persons who have received servicestothe maximum degree possible as determined by the appropriate institutionalreviewboardorboardsforprotection of human subjects reviewingmy research, and I further agree not to divulge any information obtained in the course of such research to unauthorized persons, and not to publish or otherwise make public any information regarding persons who have receivedservicessuchthatthepersonwhoreceivedservicesis identifiable.Irecognizethat the unauthorized release of confidential informationmaymake me subject to a civil action under provisions of the Welfare and Institutions Code."
Drug and Alcohol Treatment Records Protected by Federal Law: Since the medical records contain information pertaining to alcohol or drug treatment which are protected under federal law, in order to release these records you must get either the subject’s authorization or approval from the director of the program at which the services are provided. [Note: If USC holds alcohol or drug treatment records protected by federal law but is not the program at which the treatment services were provided, USC would not be permitted to release the records to researchers absent patient authorization or approval from the program director as described above.]