Subject: Research Integrity

Policy No:  Res: 2014: 02

Applies: University-wide

Issuing Authority: Vice President for Research

Responsible Officer: RowanSOM Senior Associate Dean for Research

Adopted: 03 03-10-14

Last Revision: 02/04/2015

Last Reviewed: 10/20/2015

 

I. PURPOSE

The purpose of this policy is to articulate the additional requirements that HIPAA adds to research.

...

  1. The HIPAA Privacy Rule
    1. The HIPAA Privacy Rule contains comprehensive privacy regulations. The final HIPAA Privacy Rule was issued August 14, 2002 (requiring compliance by April 14, 2003).
    2. The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. 
  2. The Privacy Board 
    1. The Privacy Board was founded to help researchers meet the privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These requirements may affect any research that uses certain protected health data. Under the HIPAA Privacy Rule, any research that involves protected health information, regardless of the source of funding, must be authorized by the individuals whose health data the researcher intends to use, or the researcher must obtain a Waiver of Authorization. The Privacy Board was specifically established to review requests for a Waiver of Authorization.
    2. The Privacy Board at RowanSOM is also the Institutional Review Board. It is composed of individuals experienced in reviewing a wide variety of clinical research, including research involving confidential and sensitive health information. It is the most efficient and cost-effective resource for any organization engaged in research involving protected health information and data.
    3. While most research is regulated by the Common Rule (45 CFR part 46) and FDA regulations (CFR Parts 50 and 56), since the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) became effective on April 14, 2003, researchers now need to take precautions to protect the privacy of individually identifiable health information, or "protected health information" ("PHI"). 

VI. FUNDAMENTAL RULES FOR RESEARCH

  1. Patient Authorization 
    1. Researchers may request information inside a patient's medical file if the individual has granted written permission for its release to the researcher by means of a signed authorization form.
    2. The Research Authorization required under the HIPAA Privacy Rule is a written patient authorization that must specify:
      1. Who can use or disclose PHI
      2. To whom PHI may be disclosed
      3. What PHI may be used or disclosed
      4. The purposes for which the PHI is used or disclosed
      5. The duration of the authorization (expiration date or event)
  2. Preparatory to Research
    1. The Privacy Rule applies to the use of protected health information (PHI) in those activities preparatory to research that are necessary to prepare a research protocol for a grant application or IRB review or for similar purposes.
    2. Preparatory to research activities are defined as:
      1. the development of research questions;
      2. the determination of study feasibility (in terms of the available number and eligibility of potential study participants);
      3. the development of eligibility (inclusion and exclusion) criteria; and
      4. the determination of eligibility for study participation of individual potential subjects. The Office for Civil Rights (OCR) guidance permits a researcher to identify prospective research participants for purposes of seeking their authorization to use or disclose protected health information (PHI) for a research study. The PHI used to identify prospective research participants could include contact information, diagnosis or condition, and other information necessary to determine study eligibility. Although OCR considers the use and disclosure of PHI to determine study eligibility a preparatory to research activity, the actual process used to recruit subjects remains a research activity and requires IRB approval. A researcher may use PHI for preparatory to research activities only if, before such use, the researcher makes certain representations about the use of PHI by submitting a "Preparatory to Research Representation" form. This form, and the procedures to follow to obtain permission to use or review PHI for the purpose of developing a research protocol, formulating a research hypothesis, or screening for study eligibility, are available at the following link: http://www.rowan.edu/som/hsp/guidance/index.html.
  3. IRB or privacy board approval:
    A hospital or health plan can allow a researcher access to patient medical information upon receipt of documentation that an Institutional Review Board (IRB), or a privacy board, has granted the researcher a waiver of the requirement to obtain individual authorization. The IRB or Privacy board, a committee formally designated by an institution to review research involving human subjects, can grant a waiver if it determines that the research project cannot proceed without the data, according to HHS. 
  4. De-identified data: 
    The HIPAA Privacy Rule allows researchers access to patient health information that has been de-identified through removal of 18 identifiers. Under this condition the IRB (Privacy Board) may approve the use/disclosure of data/information without an individual's authorization if it determines that the health information is not individually identifiable. To meet this condition, all 18 identifiers must be removed before the data is released to the researcher.
  5. Limited data set: 
    1. HIPAA's Privacy Rule makes provisions for a "limited data set," authorized only for public health, research, and health care operations purposes. A limited data set could include the following potentially identifying information:
      1. admission and discharge, and service dates;
      2. dates of birth and, if applicable, date of death;
      3. age, including age 90 or over; and
      4. five digit zip code or any other geographic subdivision, such as state, county, city, precinct and their equivalent geocodes except street addresses.
    2. The disclosure of the limited data set requires the use of a "data use agreement", which establishes the permitted uses and disclosure of such information consistent with the purposes of research, public health and healthcare operations. It limits who can receive and use data and requires the recipient to not re-identify the data or contact the individuals. 
  6. Research on protected health information of decedents: 
    Representations from the researcher, either in writing or orally, that the use or disclosure being sought is solely for research on the protected health information of decedents, that the protected health information being sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is being sought. See 45 CFR 164.512(1)(iii). 

VII. DIFFERENCES BETWEEN CONSENT AND AUTHORIZATION

  1. The Common Rule and FDA regulations require consent to participate in research.
  2. The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. However, the Privacy Rule requires an "authorization" for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization.

VIII. RESEARCH USE WITHOUT AUTHORIZATION 

  1. Under the Privacy Rule at section 164.512, a covered entity may use or disclose PHI for a research study without Authorization (or with an altered Authorization) from the research participant if the covered entity obtains proper documentation that an IRB or Privacy Board has granted a waiver (or alteration) of the Authorization requirements. Among other requirements under section 164.512, a covered entity must obtain a statement that an IRB or a Privacy Board has determined that the alteration or waiver, in whole or in part, of Authorization satisfies the following three criteria in the Privacy Rule:
    1. The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
      1. An adequate plan to protect the identifiers from improper use and disclosure.
      2. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law.
      3. Adequate written assurances that the PHI will not be reused or disclosed except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by the Privacy Rule.
    2. The research could not practicably be conducted without the waiver or alteration.
    3. The research could not practicably be conducted without access to and use of the PHI.
  2. This provision of the Privacy Rule might be used, for example, to conduct records research, when researchers are unable to use de-identified information, and the research could not practicably be conducted if research participants' authorization were required. 

IX. RESEARCH USE/DISCLOSURE WITH INDIVIDUAL AUTHORIZATION

  1. A Privacy Rule Authorization is an individual's signed permission to allow a covered entity to use or disclose the individual's protected health information (PHI) that is described in the Authorization for the purpose(s) and to the recipient(s) stated in the Authorization. In contrast, an informed consent document is an individual's agreement to participate in the research study and includes a description of the study, anticipated risks and/or benefits, and how the confidentiality of records will be protected, among other things. An Authorization can be combined with an informed consent document or other permission to participate in research. If a covered entity obtains or receives a valid Authorization for its use or disclosure of PHI for research, it may use or disclose the PHI for the research, but the use or disclosure must be consistent with the Authorization. 
  2. The Authorization must be written in plain language. A copy of the signed Authorization must be provided to the individual signing it if the covered entity itself is seeking the Authorization. The Privacy Rule specifies core elements and required statements that must be included in an Authorization. An Authorization is not valid unless it contains all the required elements and statements. An Authorization form may also, but is not required to, include additional, optional elements so long as they are not inconsistent with the required elements and statements and are not otherwise contrary to the Authorization requirements of the Privacy Rule.

X. CORE ELEMENTS OF AUTHORIZATION

  1. Description of PHI to be used or disclosed
  2. The name(s) or other specific identification of the person(s) or class of persons authorized to make the requested use or disclosure.
  3. The name(s) or other specific identification of the person(s) or class of persons who may use the PHI or to whom the covered entity may make the requested disclosure. 
  4. Description of each purpose of the requested use or disclosure. Researchers should note that this element must be research study specific, not for future unspecified research. 
  5. Authorization expiration date or event that relates to the individual or to the purpose of the use or disclosure (the terms "end of the research study" or "none" may be used for research, including for the creation and maintenance of a research database or repository). 
  6. Signature of the individual and date. If the Authorization is signed by an individual's personal representative, a description of the representative's authority to act for the individual.

XI. REQUIRED STATEMENTS IN THE RESEARCH AUTHORIZATION AGREEMENT

  1. The individual's right to revoke Authorization in writing and either (1) the exceptions to the right to revoke and a description of how the individual may revoke Authorization or (2) reference to the corresponding section(s) of the covered entity's Notice of Privacy Practices.  Note: A research subject may revoke Authorization at any time. However, a covered entity may continue to use and disclose PHI that was obtained before the individual revoked Authorization to the extent that the entity has taken action in reliance on the Authorization. In cases where the research is conducted by the covered entity, this would permit the covered entity to continue using or disclosing the PHI as necessary to maintain the integrity of the research.
  2. Notice of the covered entity's ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the Authorization, including research-related treatment, and, if applicable, consequences of refusing to sign the Authorization. 
  3. The potential for the PHI to be re-disclosed by the recipient and no longer protected by the Privacy Rule. This statement does not require an analysis of risk for re-disclosure but may be a general statement that the Privacy Rule may no longer protect health information.

XII. TRACKING AND ACCOUNTING FOR RESEARCH DISCLOSURES OF PHI

  1. The HIPAA Privacy Rule gives a person the right to request a written record ("an accounting") when a covered entity has made certain disclosures of that person's protected health information ("PHI"). The accounting must include all covered disclosures in the six years prior to the date of the person's request, but no further back than April 14, 2003.  The principal investigator of an IRB-approved research project or a project for which the IRB has granted exempt status is responsible for compliance with the following two HIPAA accounting requirements:
    1. Tracking certain disclosures of an individual subject's PHI, or of all subjects' PHI, that are made by any member of the study team; and
    2. Providing the disclosure tracking information to the HIPAA Office or to Medical Records (as explained below)
  2. The HIPAA Compliance Office at RowanSOM responds to patient requests for accountings and uses the information provided by the principal investigator and by Medical Records for this purpose. For research, the investigator should maintain a record of all disclosures (as described above) made by the research team that are subject to the HIPAA tracking requirement.
  3. This accounting must include disclosures of protected health information that occurred during the six years prior to the individual's request for an accounting, or since the applicable compliance date (whichever is sooner), and must include specified information regarding each disclosure. A more general accounting is permitted for subsequent multiple disclosures to the same person or entity for a single purpose. See 45 CFR 164.528(b)(3). Among the types of disclosures that are exempt from this accounting requirement are:
    1. research disclosures made pursuant to an individual's authorization and
    2. disclosures of the limited data set to researchers with a data use agreement under 45 CFR 164.514(e).
  4. In addition, for disclosures of protected health information for research purposes without the individual's authorization pursuant to 45 CFR 164.512, and that involve at least 50 records, the Privacy Rule allows for a simplified accounting of such disclosures by covered entities. Under this simplified accounting provision, covered entities may provide individuals with a list of all protocols for which the patient's protected health information may have been disclosed under 45 CFR 164.512, as well as the researcher's name and contact information. Other requirements related to this simplified accounting provision are found in 45 CFR 164.528(b)(4).

XIII. TRANSITION PROVISIONS

  1. The Privacy Rule contains a transition provision that, under certain conditions, allows covered entities to continue to use or disclose PHI without an Authorization, or waiver or alteration of the Authorization requirement, in connection with ongoing research, including research involving repositories or databases. For many such uses and disclosures of PHI in connection with ongoing research, a covered entity may rely on any one of the following that was obtained prior to the compliance date:
    1. an Authorization or other express legal permission from an individual to use or disclose PHI for research;
    2. the informed consent of the individual to participate in the research; and
    3. a waiver by an IRB of informed consent in accordance with applicable laws and regulations governing informed consent, unless informed consent is sought after the compliance date.
  2. If the transition provisions do not apply and the information is not de-identified, subsequent uses and disclosures of PHI from databases and repositories held by covered entities generally require an individual's Authorization unless otherwise permitted by the Privacy Rule (e.g., with a waiver of Authorization or as a limited data set).
  3. In addition, if the database or repository, which is held or maintained by a covered entity, contains only de-identified health information (which may include a re-identification code) meeting the Privacy Rule's requirements at section 164.514(a)-(c), the Privacy Rule does not apply.

...