HIPAA Privacy Standards and the UAB IRB

1
HIPAA Privacy Standardsand the UAB IRB

• What researchers need to know

2
Objectives

• HIPAA Privacy Standards
• Changes to IRB protocol submission
• PHI involved in research.
• De-identified or limited data set
• Patient authorization to use PHI or request for
  waiver of patient authorization.
• IRB Forms
• Participant Authorization
• Researcher Request for Waiver
• IRB Confirmation of Waiver
• Data Repositories
• Transition schedule approval of existing
  research protocols
• Questions

3
HIPAA Privacy Standards

• Covered Entities may not use or disclose PHI,
  except as authorized by HIPAA
• Covered Entities providers who submit
  electronic claims for healthcare services
• Hybrid Entities one entity can designate
  covered and excluded operating units, based on
  functions of those units
• PHI any information, including demographic
  information that is transmitted or maintained in
  any medium that is created or received by a
  healthcare provider, health plan or health care
  clearinghouse that relates to or describes the
  past, present or future mental health or physical
  condition of an individual or future payment for
  the provision of healthcare to the individual,
  and that can be used to identify the individual
  

4
HIPAA Privacy Standards

• No patient authorization required for
  use/disclosure of PHI for
• Treatment, payment and healthcare operations
  (TPO)
• Required by law
• To coroner/medical examiner
• To health oversight agencies
• Organ donation
• Workers compensation
• Incidental disclosures
• Research is NOT TPO.

5
HIPAA and Research

• Research is a systematic investigation,
  including research development, testing, and
  evaluation, designed to develop or contribute to
  generalizable knowledge.
• Research that involves PHI generated by or
  through a Covered Entity must meet one of the
  following
• Patient Authorization to use PHI
• IRB Waiver of Patient Authorization
• Same standards for waiver of Informed Consent
• Decedent Research/Reviews Preparatory to Research
  
• De-identified Data No Patient
  Authorization/Waiver required
• Limited Data Set No Patient Authorization/Waiver
  required

6
HIPAA and Research

• HIPAA Privacy Standards apply when research
  involves the use or disclosure of protected
  health information (PHI).
• PHI is health information that can be used to
  identify an individual. If any of the following
  identifiers are used in research with respect to
  health information, the HIPAA privacy standards
  apply
• names, all geographic subdivisions smaller than a
  State, all elements of dates (except year)
  related to an individual, telephone numbers, fax
  numbers, email addresses, social security
  numbers, medical record numbers, health plan
  beneficiary numbers, account numbers,
  certificate/license numbers, vehicle identifiers
  and serial numbers, device identifiers and serial
  numbers, biometric identifiers, full face
  photographic images and any other unique
  identifying number

7
Deidentified Data

• HIPAA privacy standards do not apply to
  deidentified data
• Research that excludes ALL of the following is
  not subject to HIPAA privacy standards
• names, all geographic subdivisions smaller than a
  State, all elements of dates (except year)
  related to an individual, telephone numbers, fax
  numbers, email addresses, social security
  numbers, medical record numbers, health plan
  beneficiary numbers, account numbers,
  certificate/license numbers, vehicle identifiers
  and serial numbers, device identifiers and serial
  numbers, biometric identifiers, full face
  photographic images and any other unique
  identifying number

8
Limited Data Sets

• Researchers may use limited data sets of PHI
  for research without obtaining authorization or
  waiver of authorization.
• Limited data sets are PHI that exclude all the
  identifiers listed for de-identified data with
  the exception of dates and all geographic
  subdivisions (limited data sets must exclude
  postal address information, other than town or
  city, State and zip code).
• The researcher must sign a Data Use Agreement
  certifying that the use of the data will be
  limited to the research protocol.

9
Authorization

• Participant Authorization
• Written authorization from the participant to use
  and disclose their PHI in research is required,
  unless the researcher requests a waiver
• Authorization is in addition to the Informed
  Consent
• Authorization must be limited to use and
  disclosure of PHI for the specific research
  protocol
• Authorization form available from IRB

10
Waiver of Authorization

• Waiver of Participant Authorization
• Researchers may request the IRB to waive the
  participant authorization requirement by
  certifying to the following
• The use/disclosure of PHI involves no more than
  minimal risk to the privacy of individuals
• There is a plan to protect the identifiers from
  improper use and disclosure.
• There is a plan to destroy the identifiers at the
  earliest opportunity consistent with conduct of
  the research, unless there is a health or
  research justification for retaining the
  identifiers or such retention is otherwise
  required by law
• There is assurance that the PHI will not be
  reused or disclosed to any other person or
  entity, except as required by law, for authorized
  oversight of the research study, or for other
  research for which the use or disclosure of PHI
  would be permitted
• The research cannot practicably be conducted
  without the waiver or alteration
• The research cannot practicably be conducted
  without access to and use of the PHI
• Waiver Form available from IRB

11
IRB HIPAA Forms

• Protocol Submission
• Check-off for identifying PHI
• Check-off for deidentified or limited data set
• Participant Authorization Form
• Researcher Request for Waiver Form
• IRB Confirmation of Waiver

12
Data Repositories

• Data Repositories
• Clinical data repositories contain PHI and used
  exclusively for clinical care
• No IRB approval required to establish data
  repository
• Research using PHI from the clinical data
  repository requires IRB approval and participant
  authorization or waiver of authorization of
  use/disclose the PHI
• De-identified data repositories contain
  de-identified health information
• No IRB approval required, other than approval of
  the research protocol using the data from the
  repository
• Data Repositories contain PHI that is used for
  research or other non-clinical purposes
• IRB approval of data repository is required
• IRB approval of each research protocol required
• IRB approval of access by other researchers
  required

13
Transition --Approval of Current Protocols

• Protocols with Informed Consent
• Participants enrolled prior to 4/14 are not
  required to sign an Authorization
• Participants enrolled on and after 4/14 must sign
  an Authorization
• Protocols where Informed Consent Waived
• Authorization requirement waived upon
  presentation of justification from researcher
• IRB Staff will visit Departments and have open
  office hours to review protocols, approve
  Authorization forms and approve waivers prior to
  4/14