Use of Protected Health Information for Research
Policy
University of North Texas Health Science Center at Fort Worth
Applicability: All University of North Texas Health Science
Center (UNTHSC) faculty, staff, and students involved in research
activities.
UNTHSC Privacy Policy. This policy supplements
the requirements of the UNTHSC “Protected Health Information
Privacy Policy.” The purpose of this policy is
to describe the procedure for conducting research involving
Protected Health Information (PHI). The federal “Health
Insurance Portability and Accountability Act” (“HIPAA”)
Privacy Rule directly applies to “covered entities”: health
plans, health care clearinghouses, and health care providers
who transmit health information electronically. Under
HIPAA, UNTHSC is a “covered entity”. Researchers
who obtain Protected Health Information from covered entities
(whether inside or outside of UNTHSC) to conduct research must
comply with the HIPAA rules pertaining to use and disclosure
of PHI for research.
Definitions
• Disclosure: the release, transfer, provision of access to, or divulging
in any other manner of information outside the entity holding the information.
• Protected Health Information (“PHI”): individually
identifiable health information transmitted or maintained in any form or medium,
including oral, written, and electronic communications. Individually identifiable
health information relates to an individual’s past, present or future health
status or condition, furnishing health services to an individual or paying or
administering past, present or future health care benefits to an individual. Information
is considered PHI where the individual is identified or there is a reasonable
basis to believe the information can be used to identify an individual.
• Research means a systematic investigation, including research development,
testing, and evaluation, designed to develop or contribute to generalizable knowledge. Activities
which meet this definition constitute research for the purposes of this policy,
whether or not they are conducted or supported under a program that is considered
research for other purposes.
Use and Disclosure of PHI for Research
In the course of conducting research, researchers may obtain,
create, use, and/or disclose individually identifiable health information if
done in accordance with this policy and the HIPAA Privacy Rule. As a general
rule, a researcher must obtain a patient authorization from all participants
in research prior to the internal use or external disclosure of PHI for any research
related purpose that is not otherwise permitted or required under this Policy. However,
patient authorization is not needed under limited circumstances set forth in
the HIPAA Privacy Rule.
(A) Research Use/Disclosure With Individual Authorization.
(1) The Privacy Rule permits covered entities
to use or disclose Protected Health Information for research
purposes when a research participant authorizes the use or
disclosure of his or her health information.
(2) The IRB will provide an Authorization template that
complies with HIPAA requirements. The researcher must complete the Authorization
template and submit it to the IRB for prior review and approval.
(3) To use or disclose Protected Health Information with
authorization by the research participant, the covered entity must obtain an
authorization that satisfies the Privacy Rule. The Privacy Rule has a general
set of authorization requirements that apply to all uses and disclosures, including
those for research purposes. The authorization must contain each of the following
items:
(a) A description of the extent to which PHI will be used or
disclosed.
(b) A specific description of the PHI to be disclosed; the
person(s) that will be using or disclosing the PHI; the person(s)
authorized to receive the PHI; the purpose(s) for which the
PHI will be used/disclosed.
(c) A statement as to whether the PHI will be subject to use
by or re-disclosure to entities not covered by the HIPAA Privacy
Rule.
(d) The expiration date or expiration event for use or disclosure
of the PHI.
(e) A statement of the patient’s right to revoke the
authorization.
(f) A statement that treatment, payment, enrollment or eligibility
for benefits cannot be conditioned upon the patient’s
signing the authorization. However, participation in
research may be conditioned on a signed authorization, including
treatment protocols.
(g) A statement that the PHI that is disclosed may potentially
be re-disclosed and may no longer be protected under HIPAA.
(h) The individual’s signature (or that of his/her authorized
representative) and date. The individual must be provided
with a copy of the signed authorization.
(4) Special provisions apply to research authorizations:
(a) Unlike other authorizations, an authorization for a research
purpose may state that the authorization does not expire, that
there is no expiration date or event, or that the authorization
continues until the “end of the research study;” and
(b) An authorization for the use or disclosure of Protected
Health Information for research may be combined with consent
to participate in the research, or with any other legal permission
related to the research study.
(5) Individual’s Access to Research Information
(a) As a general rule, individuals who participate in research
have a right to access their own PHI that is maintained in
a Designated Record Set of a Covered Entity. Designated
Record Sets are those that are used to make treatment, payment
and healthcare operations decisions about individuals. In
general, research data sets are not among the “Designated
Record Sets” of a Covered Entity. However, the
Covered Entity’s Designated Record Sets include the individual’s
medical records, payment records, etc. All data about
an individual that is generated in clinical research and entered
into the individual’s medical or financial records at
the Covered Entity are that individual’s PHI.
(b) Individuals participating in research protocols that include
treatment (for example, a placebo controlled clinical trial)
may be temporarily denied access to their PHI obtained in connection
with that research protocol, provided that:
(i) The PHI was obtained in the course of the research;
(ii) The individual agreed to the denial of access in the Research
Authorization;
(iii) The research remains in process; and
(iv) The individual’s rights to access such PHI are re-instated
once the research study has concluded.
(6) Individual’s Revocation of Authorization.
(a) As a general rule, an individual may revoke his/her authorization,
in writing to the Principal Investigator, at any time.
(b) The revocation will be applicable to the protocol or protocols
specified by the individual. However, the researcher
may continue to use and disclose, for research integrity and
reporting purposes, any PHI collected about the individual
pursuant to a valid authorization before it was revoked.
(c) The Principal Investigator shall maintain a copy of each
written revocation and shall report them to the IRB at the
time of continuing review.
(B) Research Use/Disclosure Without Authorization. To
use or disclose Protected Health Information without authorization
by the research participant, a covered entity must obtain one
of the following:
(1) Documented IRB or Privacy Board Approval. Documentation
that an alteration or waiver of research participants’ authorization
for use/disclosure of information for research purposes has
been approved by an Institutional Review Board (IRB) or a Privacy
Board. At UNTHSC, any such waiver of authorization must
be approved by the UNTHSC IRB. A covered entity may use
or disclose protected health information for research purposes
pursuant to a waiver of authorization by an IRB, provided it
has obtained documentation of all of the following:
• Identification of the IRB and the date on which the alteration or waiver
of authorization was approved;
• A statement that the IRB has determined that the alteration or waiver
of authorization, in whole or in part, satisfies the three criteria in the Privacy
Rule;
• A brief description of the Protected Health Information for which use
or access has been determined to be necessary by the IRB;
• A statement that the alteration or waiver of authorization has been reviewed
and approved under either normal or expedited review procedures; and
• The signature of the chair or other member, as designated by the chair
of the IRB.
The following three criteria must be satisfied for an IRB to approve a
waiver of authorization under the Privacy Rule:
(a) The use or disclosure of protected health information involves
no more than a minimal risk to the privacy of individuals,
based on, at least, the presence of the following elements:
o an adequate plan to protect the identifiers from improper
use and disclosure;
o an adequate plan to destroy the identifiers at the earliest
opportunity consistent with conduct of the research, unless
there is a health or research justification for retaining the
identifiers or such retention is otherwise required by law;
and
o adequate written assurances that the protected health information
will not be reused or disclosed to any other person or entity,
except as required by law, for authorized oversight of the
research project, or for other research for which the use or
disclosure of protected health information would be permitted
by this subpart;
(b) The research could not practicably be conducted without
the waiver or alteration; and
(c) The research could not practicably be conducted without
access to and use of the Protected Health Information.
(2) Preparatory to Research. To allow
use of this method, the covered entity must require representations from the
researcher, either in writing or orally, that the use or disclosure of the Protected
Health Information is solely to prepare a research protocol or for similar purposes
preparatory to research, that the researcher will not remove any Protected Health
Information from the covered entity, and that the Protected Health
Information for which access is sought is necessary for the research purpose.
(3) Research on Protected Health Information
of Decedents. This alternative requires representations
from the researcher, either in writing or orally, that the
use or disclosure being sought is solely for research on the
Protected Health Information of decedents, that the Protected
Health Information being sought is necessary for the research,
and, at the request of the covered entity, documentation of
the death of the individuals about whom information is being
sought.
(4) De-Identified Health Information.
Individual health information that conforms to the HIPAA definition
of “de-identified” is exempt from HIPAA and may be used or disclosed
for research purposes without an authorization or waiver of authorization or
data use agreement. Researchers must provide documentation to the IRB that
the health information has been de-identified by one of the following two methods:
(a) Method 1: Health information is
de-identified if a set of specific identifiers is deleted before
the information is released by the covered entity to the researcher. These
identifiers are the following:
o Names
o Address (including all geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geo-codes, except for the initial three digits of most zip codes)
o All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death
o All ages over 89 and all elements of dates (including year) indicative of age over 89, except that ages over 89 may be aggregated into a single category of “age 90 or older”
o Telephone number
o Fax number
o E-mail address
o Social security number
o Medical record number
o Health plan beneficiary number or account number
o Certificate/license number
o Vehicle identifiers and serial numbers including license plate numbers
o Universal Resource Locators (URLs)
o Internet Protocol (IP) address numbers
o Biometric indicators such as fingerprints or voiceprints
o Full-face photographic images and any comparable images
o Any other uniquely identifying number, characteristic, or code that could be used to identify the individual
Also, neither the covered entity nor the researcher has a reasonable
basis to believe that the information can be used alone or
in combination with other information to identify an individual.
(b) Method 2: The second method of de-identifying under
HIPAA allows a person with appropriate knowledge and experience
to apply generally acceptable statistical and scientific principles
and methods for rendering information not individually identifiable,
to make a determination that there is a very small risk that
the information could be used by others to identify a subject
of the information, and to document the methods and results of
the analysis that justify such determination.
(5) Limited Data Sets with a Data Use
Agreement. This alternative involves a data use agreement
entered into by both the covered entity and the researcher,
pursuant to which the covered entity may disclose a limited
data set to the researcher. A limited data set excludes
specified direct identifiers of the individual or of relatives,
employers, or household members of the individual. The
data use agreement must:
• Establish the permitted uses and disclosures of the limited data set
by the recipient, consistent with the purposes of the research, and which may
not include any use or disclosure that would violate the Rule if done by the
covered entity;
• Limit who can use or receive the data; and
• Require the recipient to agree to the following:
o Not to use or disclose the information other than as permitted
by the data use agreement or as otherwise required by law;
o Use appropriate safeguards to prevent the use or disclosure
of the information other than as provided for in the data use
agreement;
o Report to the covered entity any use or disclosure of the
information not provided for by the data use agreement of which
the recipient becomes aware;
o Ensure that any agents, including a subcontractor, to whom
the recipient provides the limited data set agree to the same
restrictions and conditions that apply to the recipient with
respect to the limited data set; and
o Not to identify the information or contact the individual.
Under the limited data set approach, the following identifiers
of the individual, relatives, employers, and household members
of the individual must be removed before the data is released
by the covered entity to the researcher:
o Names
o Postal address information other than city, State, and zip code
o Telephone and fax numbers
o E-mail address, URLs and IP addresses
o Social security number
o Medical record numbers, health plan beneficiary numbers and other account numbers
o Device identifiers and serial numbers
o Certificate/license numbers
o Vehicle identifiers and serial numbers, including license plates
o Full face photos and other comparable images
o Biometric identifiers including fingerprints and voiceprints
The IRB has templates for Internal and External Data
Use Agreements.
(C) Publications or Public Presentations
PHI from research may not be included in presentations or publications
of any type unless explicitly permitted by either the individual’s authorization
or the IRB’s waiver of authorization and in accord with the terms and conditions
of all existing agreements governing how that individual’s information
may be used including: the terms and conditions of IRB approval of the research
protocol, the authorization or waiver of authorization, the informed consent
or waiver of informed consent, any data use agreement that has been executed,
etc.
(D) Transition Provisions.
For Research involving PHI and carried out according to a protocol reviewed
and approved by the IRB prior to April 14, 2003:
a. A research study may continue to use or disclose the PHI
created or received prior to April 14, 2003 without HIPAA documentation.
b. A research study operating under a waiver of informed consent
approved by the IRB prior to April 14, 2003, may continue to
create, receive, use, and disclose PHI for the study after
April 14, 2003, without an IRB Waiver of Authorization unless
the research study subsequently seeks informed consent, in
which case an authorization would be required together with
the informed consent.
c. If the protocol approved by the IRB before April 14, 2003,
required the obtaining of an informed consent, then with respect
to any individual who has executed informed consent before
April 14, 2003, no additional authorization is required to
create, receive, use and disclose that individual’s PHI
for the approved study.
d. For any research participant for whom informed consent
is required, any informed consent or reconsent on or after April 14, 2003, must
include an authorization for use or disclosure of the subject’s PHI. If
the research has been previously approved but will be enrolling participants
on or after April 14, 2003, the researcher must submit a protocol revision to
the IRB in order to include an individual authorization with any informed consent
obtained on or after April 14, 2003.
(E) Texas Medical Privacy Act.
Enactment of the Texas Medical Privacy Act (added by
Acts 2001, 77th Leg.) added Chapter 181 (“Medical Records Privacy”)
to the Texas Health and Safety Code. Chapter 181 greatly expands the list
of entities that will be affected by the HIPAA privacy regulations. Although
the HIPAA Privacy Rule narrowly defines “covered entity,” Chapter
181 defines “covered entity” to include “any person who…comes
into possession of protected health information.” The compliance
date for Chapter 181 is September 1, 2003.