HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
The HIPAA Privacy Rule establishes the conditions under which protected
health information may be used or disclosed by covered entities for research
purposes. Research is defined in
the Privacy Rule as, “a systematic investigation, including research
development, testing, and evaluation, designed to develop or contribute to
generalizable knowledge.” A
covered entity may always use or disclose for research purposes health
information which has been de-identified without regard to the provisions below.
The Privacy Rule also defines the means by which individuals will be
informed of uses and disclosures of their medical information for research
purposes, and their rights to access information about them held by covered
entities. Where research is
concerned, the Privacy Rule protects the privacy of individually identifiable
health information, while at the same time ensuring that researchers continue to
have access to medical information necessary to conduct vital research.
Currently, most research involving human subjects operates under the
Common Rule which has some provisions that are similar to, but separate from,
the Privacy Rule’s provisions for research.
These human subject protection regulations include protections to help
ensure the privacy of subjects and the confidentiality of information.
The Privacy Rule builds upon these existing Federal protections.
More importantly, the Privacy Rule creates equal standards of privacy
protection for research governed by the existing Federal human subject
regulations and research that is not.
How the Rule Works
In the course of conducting research, researchers may obtain, create,
use, and/or disclose individually identifiable health information.
Under the Privacy Rule, covered entities are permitted to use and
disclose protected health information for research with individual
authorization, or without individual authorization under limited circumstances
set forth in the Privacy Rule.
Research Use/Disclosure Without Authorization.
To use or disclose protected health information without authorization by
the research participant, a covered entity must obtain one of the following:
· Documented Institutional Review Board (IRB).
Documentation that an alteration or waiver of research participants’
authorization for use/disclosure of information about them for research purposes
has been approved by an IRB. This
provision of the Privacy Rule might be used, for example, to conduct records
research, when researchers are unable to use de-identified information, and the
research could not practicably be conducted if research participants’
authorization were required.
A covered
entity may use or disclose protected health information for research purposes
pursuant to a waiver of authorization by an IRB, provided it has obtained
documentation of all of the following:
Ø Identification of the IRB and the date on which the alteration or waiver of authorization was approved.
Ø A statement that the IRB has determined that the alteration or waiver of authorization, in whole or in part, satisfies the three criteria in the Rule;
Ø A brief description of the protected health information for which use or access has been determined to be necessary by the IRB;
Ø A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures; and
Ø The signature of the chair or other member, as designated by the chair, of the IRB, as applicable.
The following
three criteria must be satisfied for an IRB to approve a waiver of authorization
under the Privacy Rule:
Ø The use or disclosure of protected health information involves no more than minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
o An adequate plan to protect the identifiers from improper use and disclosure;
o An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
o Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart.
Ø The research could not practicably be conducted without the waiver or alteration; and
Ø The research could not practicably be conducted without access to and use of the protected health information.
· Preparatory to Research.
Representations from the researcher, either in writing or orally, that
the use or disclosure of the protected health information is solely to prepare a
research protocol or for similar purposes preparatory to research, that the
researcher will not remove any protected health information from the covered
entity, and representation that protected health information for which access is
sought is necessary for the research purpose.
This provision might be used, for example, to design a research study to
assess the feasibility of conducting a study.
· Research on Protected Health Information of Decedents.
Representations from the researcher, either in writing or orally, that
the use or disclosure being sought is solely for research on the protected
health information of decedents, that the protected health information being
sought is necessary for the research, and, at the request of the covered entity,
documentation of the death of the individuals about whom information is being
sought.
· Limited Data Sets with a Data Use Agreement.
A data use agreement entered into by both the covered entity and the
researcher, pursuant to which the covered entity may disclose a limited data set
to the researcher for research, public health, or health care operations.
A limited data set excludes specified direct identifiers of the
individual or of relatives, employers, or household members of the individual. The data use agreement must:
Ø Establish the permitted uses and disclosures of the limited data set by the recipient, consistent with the purposes of the research, and which may not include any use or disclosure that would violate the Rule if done by the covered entity;
Ø Limit who can use or receive the data; and
Ø Require the recipient to agree to the following:
o Not to use or disclose the information other than as permitted by the data use agreement or as otherwise required by law;
o Use appropriate safeguards to prevent the use or disclosure of the information other than as provided for in the data use agreement;
o Report to the covered entity any use or disclosure of the information not provided for by the data use agreement of which the recipient becomes aware;
o Ensure that any agents, including a subcontractor, to whom the recipient provides the limited data set agrees to the same restrictions and conditions that apply to the recipient with respect to the limited data set; and
o Not to identify the information or contact the individual.
Accounting for Research Disclosures.
In general, the Privacy Rule gives individuals the right to receive an accounting
of certain disclosures of protected health information made by a covered entity.
This accounting must include disclosures of protected health information
that occurred during the six years prior to the individual’s request for an
accounting, or since the applicable compliance date (whichever is sooner), and
must include specified information regarding each disclosure.
A more general accounting is permitted for subsequent multiple
disclosures to the same person or entity for a single purpose.
Among the types of disclosures that are exempt from this accounting
requirement are:
· Research disclosures made pursuant to an individual’s
authorization;
· Disclosures of the limited data set to researchers with a data use
agreement.
In addition, for disclosure of protected health
information for research purposes without the individual’s authorization and
that involve at least 50 records, the Privacy Rule allows for a simplified
accounting of such disclosures by covered entities. Under this simplified accounting provision, covered entities
may provide individuals with a list of all protocols for which the patient’s
protected health information may have been disclosed as well as the
researcher’s name and contact information.
Transition Provisions.
Under the Privacy Rule, a covered entity may use and disclose protected
health information that was created or received for research, either before or
after the compliance date, if the covered entity obtained any one of the
following prior to the compliance date:
· An authorization or other express legal permission from an
individual to use or disclose protected health information for the research;
· The informed consent of the individual to participate in the
research; or
· A waiver of informed consent by an IRB in accordance with the
Common Rule.
The Privacy Rule allows covered entities to rely on such express legal permission, informed consent, or IRB approved waiver of informed consent, which they create or receive before the applicable compliance date, to use and disclose protected health information for specific research studies, as well as for future unspecified research that may be included in such permission.
If you have questions regarding HIPAA, you may go to http://answers.hhs.gov/cgi-bin/hhs.cfg/php/enduser/std_alp.php, then select “Privacy of Health Information/HIPAA” from the Category drop-down list and click the Search button.
These documents can now be filled out on your computer. Please complete and forward to the committee chair.