
...

  1. Patient Authorization 
    1. Researchers may request information inside a patient's medical file if the individual has granted written permission for its release to the researcher by means of a signed authorization form.
    2. The Research Authorization required under the HIPAA Privacy Rule is a written patient authorization that must specify:
      1. Who can use or disclose PHI
      2. To whom PHI may be disclosed
      3. What PHI may be used or disclosed
      4. The purposes of the used or disclosed PHI
      5. The duration of the authorization (expiration date or event)
  2. Preparatory to Research
    1. The Privacy Rule applies to the use of protected health information (PHI) in those activities preparatory to research that are necessary to prepare a research protocol for a grant application or IRB review or for similar purposes.
    2. Preparatory to research activities are defined as:
      1. the development of research questions;
      2. the determination of study feasibility (in terms of the available number and eligibility of potential study participants);
      3. the development of eligibility (inclusion and exclusion) criteria; and
      4. the determination of eligibility for study participation of individual potential subjects.
    Office for Civil Rights (OCR) guidance permits a researcher to identify prospective research participants for the purpose of seeking their authorization to use or disclose protected health information (PHI) for a research study. The PHI used to identify prospective research participants could include contact information, diagnosis or condition, and other information necessary to determine study eligibility. Although OCR considers the use and disclosure of PHI to determine study eligibility a preparatory to research activity, the actual process used to recruit subjects remains a research activity and requires IRB approval. A researcher may use PHI for preparatory to research activities only if, before such use, the researcher makes certain representations about the use of PHI by submitting a "Preparatory to Research Representation" form. This form, and the procedure for obtaining permission when a researcher uses or reviews PHI to develop a research protocol, formulate a research hypothesis, or screen for study eligibility, are available at the following link: http://www.rowan.edu/som/hsp/guidance/index.html.
  3. IRB or privacy board approval:
    A hospital or health plan can allow a researcher access to patient medical information upon receipt of documentation that an Institutional Review Board (IRB) or a Privacy Board has granted the researcher a waiver of the requirement to obtain individual authorization. The IRB or Privacy Board, a committee formally designated by an institution to review research involving human subjects, can grant a waiver if it determines that the research project cannot proceed without the data, according to HHS.
  4. De-identified data: 
    The HIPAA Privacy Rule allows researchers access to patient health information that has been de-identified through removal of the 18 identifiers. Under this condition the IRB (Privacy Board) may approve the use or disclosure of the data without an individual's authorization if it determines that the health information is not individually identifiable. To meet this condition, all 18 identifiers must be removed before the data is released to the researcher.
  5. Limited data set: 
    1. HIPAA's Privacy Rule makes provisions for a "limited data set," authorized only for public health, research, and health care operations purposes. A limited data set could include the following potentially identifying information:
      1. admission, discharge, and service dates;
      2. dates of birth and, if applicable, date of death;
      3. age, including age 90 or over; and
      4. five-digit ZIP code or any other geographic subdivision, such as state, county, city, precinct and their equivalent geocodes, except street addresses.
    2. The disclosure of the limited data set requires the use of a "data use agreement", which establishes the permitted uses and disclosure of such information consistent with the purposes of research, public health and healthcare operations. It limits who can receive and use data and requires the recipient to not re-identify the data or contact the individuals. 
  6. Research on protected health information of decedents: 
    This requires representations from the researcher, either in writing or orally, that the use or disclosure being sought is solely for research on the protected health information of decedents, that the protected health information being sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is being sought. See 45 CFR 164.512(1)(iii).

...

  1. What is HIPAA?
    HIPAA is the Health Insurance Portability and Accountability Act of 1996. HIPAA requires many things, including the standardization of electronic patient health, administrative and financial data. It also establishes security and privacy standards for the use and disclosure of "protected health information" (PHI). 
  2. What is PHI?
    HIPAA's privacy provisions are limited to the use and disclosure of Protected Health Information, or PHI. PHI is defined as individually identifiable health information that is created or received by a HIPAA covered entity. Health information includes any information, whether oral or recorded in any form, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for health care to an individual.
  3. What are covered entities?
    Covered entities are health plans, health care clearinghouses and health care providers that transmit health information related to insurance coverage electronically. At Rowan University, all transactions occurring at RowanSOM are considered part of the covered entity.
  4. Does the HIPAA rule hinder research?
    There is no reason to believe that the Privacy Rule will hinder medical research. Indeed, patients and health plan members should be more willing to authorize disclosures of their information for research, and to participate in research, when they know their information is protected. The Privacy Rule permits important research and at the same time encourages patients to participate in research by providing much needed assurances about the privacy of their health information.
  5. What is the definition of a researcher under HIPAA?
    A researcher is a covered health care provider if he or she furnishes health care services to individuals, including the subjects of research, and transmits any health information in electronic form in connection with a transaction covered by the Transactions Rule. See 45 CFR 160.102, 160.103. For example, a researcher who conducts a clinical trial that involves the delivery of routine health care and transmits health information in electronic form to a third party payer for payment would be a covered health care provider under the Privacy Rule. Researchers who provide health care to the subjects of research or other individuals would be covered health care providers even if they do not themselves electronically transmit information in connection with a HIPAA transaction, but have other entities, such as a hospital or billing service, conduct such electronic transactions on their behalf. For further assistance in determining covered entity status, see the "decision tool" at www.hhs.gov/ocr/hipaa.
  6. What impact does HIPAA have on research protocols?
    Besides the impact of the Common Rule on research, HIPAA adds certain additional requirements. Under HIPAA, the use and disclosure of PHI for research purposes requires an authorization from the research subject unless some exception applies. HIPAA also applies to research-related activities that were not covered under the Common Rule, such as research on decedents. HIPAA introduces a concept known as the "minimum necessary" standard. In general, HIPAA requires that only the minimum necessary PHI be used unless the PHI is used for treatment, or unless the use or disclosure is made subject to a written authorization (including a research authorization). Thus, the minimum necessary standard requires researchers who are engaging in research not pursuant to an authorization to limit their access to PHI to only that needed to accomplish the research initiative and the intended purpose of the use and disclosure of PHI.
  7. What research activities are covered under HIPAA?
    The Privacy Rule applies to the following types of research activities when they involve PHI:
    1. research using or creating PHI about living individuals;
    2. activities that are preparatory to research;
    3. research on decedents who have been deceased less than 50 years;
    4. recruitment; and
    5. research using a limited data set.
  8. What research activities are not covered under HIPAA?
    1. Research using de-identified data
    2. Research conducted by an individual who is not part of a covered entity and that does not require access to information held by a HIPAA covered entity
    3. Research on individuals who have been deceased more than 50 years
  9. What are the conditions for using or creating PHI for research on living individuals?
    PHI may not be used unless one of the following conditions is met:
    1. the subject has provided IRB-approved authorization for research;
    2. the IRB has approved a waiver of authorization;
    3. the study involves IRB-approved use of de-identified data or a limited data set;
    4. researchers may continue to use or disclose PHI obtained or created before April 14, 2003 pursuant to the informed consent document for that research study; and
    5. an authorization form or request for a waiver is not required if subjects executed an informed consent to participate prior to April 14, 2003.
  10. What are some of the elements that must be included in the authorization?
    HIPAA generally requires a written authorization from the subject permitting a researcher to use or disclose the subject's PHI for research purposes. The researcher is required to get written authorization from the research participants via a signed Research Authorization Form. The written authorization must articulate:
    1. a specific description of what PHI will be used/disclosed;
    2. the names of persons or organizations that may use or disclose PHI;
    3. the names of persons or organizations to which PHI will be disclosed;
    4. a statement of the purpose of the use/disclosure;
    5. a statement of how long the use or disclosure will continue (for research purposes the authorization may have no expiration date; however, this must be specifically stated in the authorization form and the justification must be noted in the protocol);
    6. a statement that the authorization may be revoked, and a statement regarding the potential for re-disclosure to others not subject to the Privacy Rule;
    7. a notice that the covered entity may or may not condition treatment or payment on the individual's signature; and
    8. the individual's signature and date.
  11. What is a waiver of authorization?
    An IRB may grant a waiver of authorization if the following conditions are met: 
    1. the research could not be practicably conducted without the waiver;
    2. the research could not be practicably conducted without access and use of PHI;
    3. a written assurance to the IRB that the PHI will not be re-used or disclosed except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by the Privacy Rule;
    4. uses and disclosures of PHI will be limited to the minimum necessary standard, and the disclosure involves no more than minimal privacy risk to the individuals; and
    5. the study is reviewed by the IRB with specific approval regarding access to the PHI.
      Researchers can request a waiver of authorization by completing the appropriate section of the eIRB application by answering all of the questions on the application form and submitting to the IRB for approval. The criteria for waiver are very similar to those for waiving informed consent. Investigators will receive from the IRB an authorized Approval/Denial of Waiver of HIPAA Authorization.
  12. What activities may be conducted under preparatory to research?
    1. PHI may be accessed in activities that are "preparatory to research." This type of access is limited to a review of data to assist in formulating a hypothesis, determining the feasibility of conducting the study, determining cell size, or other similar uses that precede the development of an actual protocol. 
    2. While an investigator may review PHI during the course of a preparatory to research review, he or she may not remove, copy, or include any PHI in notes. A researcher who is an employee or a member of the covered entity's workforce could use protected health information to contact prospective research subjects. The preparatory to research provision would allow such a researcher to identify prospective research participants for the purpose of seeking their authorization to use or disclose protected health information for a research study. In addition, the Rule permits a covered entity to disclose protected health information to the individual who is the subject of the information. See 45 CFR 164.502(a)(1). Therefore, covered health care providers and patients may continue to discuss the option of enrolling in a clinical trial without patient authorization, and without an Institutional Review Board (IRB) or Privacy Board waiver of the authorization.
    3. However, a researcher who is not part of the covered entity may not use the preparatory to research provision to contact prospective research subjects. Rather, the outside researcher could obtain contact information through a partial waiver of individual authorization by an IRB or Privacy Board as permitted at 45 CFR 164.512(1).
  13. What do researchers need to do if research involves decedents' health information?
    HIPAA requires that researchers who wish to access, for research purposes, the PHI of decedents who have been deceased less than 50 years first make certain representations to the holder of the PHI. The health information of individuals who have been deceased for more than 50 years is not subject to the HIPAA requirements. The researcher must first represent that the use or disclosure of PHI is solely for research on the PHI of decedents. Please contact the Privacy Compliance Office for further information or to request a decedent's medical history.
  14. What should be done when using de-identified data for research?
    De-identified data are data that contain none of the 18 identifiers listed earlier. If all of the identifiers are removed, the information is considered to be no longer individually identifiable, no longer PHI, and no longer subject to HIPAA's requirements. A de-identified data set may be coded with a unique identifier, provided the code cannot be traced back to the individual or used by the recipient to re-identify the data at a later date. It is important to remember that re-identification will subject the information to HIPAA's requirements.
  15. What is a limited data set?
    1. Some studies may need some limited identifiers and thus not meet the strict definition of "de-identified data" but nonetheless hold only minimal potential for identifying participants based on the data set. In such circumstances, HIPAA permits use of a "limited data set" for research purposes. A limited data set is PHI that excludes "direct identifiers" of the individual, relatives of the individual, employers, or household members.
    2. A data set may also be considered de-identified if an expert in statistical and scientific methods determines and documents that the methods used to de-identify or code the data present a very small risk that the information can be used, alone or in combination with other reasonably available information, to identify an individual.
    3. A limited data set could include the following potentially identifying information: (1) admission, discharge, and service dates; (2) dates of birth and, if applicable, date of death; (3) age, including age 90 or over; and (4) five-digit ZIP code or any other geographic subdivision, such as state, county, city, precinct and their equivalent geocodes, except street addresses.
    4. The disclosure of the limited data set requires the use of a "data use agreement", which establishes the permitted uses and disclosure of such information consistent with the purposes of research, public health and healthcare operations, limits who can receive and use data and requires the recipient to not re-identify the data or contact the individuals.
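The following added example (not Rowan SOM's code or form) derives a limited data set view of a record according to the elements the page lists as permitted, and includes a check a recipient could run on data received under a data use agreement; the DIRECT_IDENTIFIERS set and the sample record are assumptions constructed for the illustration, since the page does not enumerate the identifiers.

```python
"""Derive a HIPAA limited data set (LDS) view of a patient record using the
elements this page lists as permitted: admission, discharge and service dates,
birth and death dates, age (including 90 or over), five-digit ZIP and other
geographic subdivisions except street address. Added illustration, not Rowan
SOM's code or form; DIRECT_IDENTIFIERS is assumed, the page lists none."""
import re
from datetime import date

# Assumed direct identifiers to strip (illustrative, not the page's list).
DIRECT_IDENTIFIERS = {"name", "street_address", "phone", "email", "ssn", "mrn"}
# Five-digit ZIP with an optional +4 suffix, which the LDS view drops.
ZIP5 = re.compile(r"^(\d{5})(?:-\d{4})?$")
# Patterns suggesting a direct identifier leaked into a free-text field.
LEAK_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
}


def age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of; an LDS may keep ages of 90+."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def to_limited_data_set(record: dict, as_of: date) -> dict:
    """Return the LDS view: direct identifiers dropped, ZIP cut to five digits,
    dates and clinical fields retained, age computed from the birth date."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            m = ZIP5.match(str(value).strip())
            if not m:
                raise ValueError(f"unrecognised ZIP format: {value!r}")
            out["zip5"] = m.group(1)
            continue
        out[key] = value
    if isinstance(record.get("birth_date"), date):
        out["age"] = age_on(record["birth_date"], as_of)
    return out


def find_leaked_identifiers(record: dict) -> list:
    """Flag direct-identifier fields and free text that looks like an e-mail or
    phone number; a check for data received under a data use agreement."""
    hits = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            hits.append(f"{key}: direct identifier present")
        elif isinstance(value, str):
            for label, pat in LEAK_PATTERNS.items():
                if pat.search(value):
                    hits.append(f"{key}: looks like {label}")
    return hits


# Constructed, fictitious sample record for the demonstration.
SAMPLE = {
    "name": "Example Patient", "mrn": "MRN-0001", "street_address": "1 Example St",
    "city": "Stratford", "state": "NJ", "zip": "08084-1234",
    "birth_date": date(1930, 6, 15), "admission_date": date(2023, 3, 1),
    "diagnosis_code": "I10", "notes": "Follow-up call to 856-555-0100",
}

if __name__ == "__main__":
    lds = to_limited_data_set(SAMPLE, as_of=SAMPLE["admission_date"])
    print(lds)
    print(find_leaked_identifiers(lds))
```

Note that the free-text `notes` field still carries a phone number after the structured identifiers are removed, which is exactly the kind of leak the check is meant to surface before data leaves the covered entity.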
  16. How do HIPAA regulations cover databanks and repositories?
    First, the collection or maintenance of PHI in databanks, and the use of data from repositories, requires IRB approval. The HIPAA Privacy Rule requires an authorization from the subject about whom information is stored, or a HIPAA Waiver of Authorization approved by an IRB, for the collection of PHI and prior to conducting subsequent studies.
  17. Is exempt review of a research project allowed?
    Yes, so long as the study does not involve PHI. If the study does not involve risk to subjects, no identifiers are used and PHI is not involved, the study may be approved without a waiver of authorization. If the study involves review of medical charts, tissue samples, or medical and diagnostic images that involve PHI, even though identifiers are not present, a waiver of authorization approved by the chair or a member of the IRB is required.
  18. Is expedited review of a research project permitted?
    If the study does not include PHI, involves minimal risk, and includes identifiers, the Common Rule applies and such studies require the participant's consent. If the study includes PHI, involves minimal risk, involves healthy or non-healthy participants, and includes identifiers, both subject consent and authorization are required. A special request for waiver of consent and authorization can be made so long as the criteria under FAQ #9 have been met. In both cases described above, IRB review and approval is required.
  19. What rights do participants have to access research records or results?
    With few exceptions, the Privacy Rule gives patients the right to inspect and obtain a copy of health information about themselves that is maintained by a covered entity or its business associate in a "designated record set." It is unlikely that a researcher would be maintaining a designated record set; however, any research records or results that are actually maintained by the covered entity as part of a designated record set would be accessible to research participants unless one of the Privacy Rule's permitted exceptions applies. One of the exceptions of the Privacy Rule permits the individual's access rights in these cases to be suspended while the clinical trial is in progress, provided the research participant agreed to this denial of access when consenting to participate in the clinical trial. In addition, the health care provider/researcher must inform the research participant that the right to access protected health information will be reinstated at the conclusion of the clinical trial.
  20. Are the HIPAA Privacy Rule's requirements regarding patient access in harmony with the Clinical Laboratory Improvements Amendments of 1988 (CLIA)?
    Yes. The Privacy Rule does not require clinical laboratories that are also covered health care providers to provide an individual access to information if CLIA prohibits them from doing so. CLIA permits clinical laboratories to provide clinical laboratory test records and reports only to "authorized persons," as defined primarily by State law. In addition, for certain research laboratories that are exempt from the CLIA regulations, the Privacy Rule does not require such research laboratories, if they are also a covered health care provider, to provide individuals with access to protected health information because doing so may result in the research laboratory losing its CLIA exemption.
  21. If a research subject revokes his or her authorization to have protected health information used or disclosed for research, can the researcher continue using the protected health information already obtained prior to the time the individual revoked his or her authorization?
    Covered entities may continue to use and disclose protected health information that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study.
  22. Can the researcher continue to disclose adverse event reports that contain protected health information to the Department of Health and Human Services (HHS) Office for Human Research Protections?
    Yes. The Office for Human Research Protections is a public health authority under the HIPAA Privacy Rule. Therefore, covered entities can continue to disclose protected health information to report adverse events to the Office for Human Research Protections either with patient authorization as provided at 45 CFR 164.508, or without patient authorization for public health activities as permitted at 45 CFR 164.512(b).
  23. Are there restrictions for recruiting study participants under HIPAA?
    Under HIPAA, the use of PHI to recruit an individual to participate in a research study must comply with HIPAA's general requirement that the use must be pursuant to an authorization or some exception, such as a waiver of HIPAA authorization. Although recruitment procedures usually only require access to a limited amount of health information, recruitment nonetheless is considered to be accessing PHI and therefore must comply with HIPAA requirements. Treating providers may not disclose PHI to a third party (including a "researcher" within the same covered entity) for purposes of recruitment in a research study without first obtaining authorization from the individual.
  24. What should researchers do if there is a breach of PHI?
    Research subjects have a right to be notified in cases where their PHI has been inappropriately accessed, used or disclosed in violation of the Privacy Rule. Potential breaches include lost paper records, lost smartphones or laptops containing PHI, misdirected mail, email or faxes etc. Notify the Privacy Officer immediately of all events that might have potential breaches.
  25. How long should records be maintained?
    HIPAA-related documentation must be maintained in accordance with the record retention policy of the university. This requirement applies to accounting of disclosures records, authorizations, data use agreements and any other HIPAA forms. In some cases, FDA regulations for record keeping must be followed in accordance with the agreement with the sponsor.
  26. What privacy and security measures should be followed?
    HIPAA requires that we maintain the privacy of PHI by limiting its uses and disclosures and that we take reasonable steps to ensure that the PHI is secure. Most often, breaches in privacy can be traced to lax security, so the two issues are intimately related.
    1. Everyone must complete RowanSOM's privacy training.
    2. If you are a researcher, you must also complete privacy training specific to HIPAA and medical research.
    3. Everyone must use "strong" passwords and must comply with Rowan IT's password security standards.
    4. Everyone must immediately report incidents that may involve the loss of, improper disclosure of, or improper access to PHI or ePHI (for example, the loss or theft of paper PHI; the loss or theft of a computer, smartphone, or thumb drive storing ePHI; or an electronic intrusion into a computer storing ePHI). Reports should be made to the HIPAA Privacy Officer.
    5. Do not create, store, access, transmit or receive ePHI on personally owned computers. Faculty and staff who require remote access to on-campus workstations or systems (e.g., IDX) that hold ePHI must use a University-provided, fully managed and encrypted device.
    6. Destroy or delete paper PHI or ePHI when it is no longer needed or when retiring computers, smartphones or other mobile devices such as thumb drives.

...