HIPAA COMPLIANCE INFORMATION
The Health Insurance Portability and Accountability Act of 1986 (HIPAA) and associated privacy regulations were enacted, among other things, to establish federal standards regarding the use and disclosure of protected health information. On August 14, 2002, the Department of Health and Human Services issued a final rule (the "Privacy Rule") establishing standards for privacy of individually identifiable health information with compliance required as of April 14, 2003.
The effect on research lies in the use of "Protected Health Information" (PHI), which is health information that includes identifiers.
Health information includes past, present, or future physical or mental health information, in whatever medium it is created, collected, or conceived: electronic, written, or verbal.
HIPAA-regulated patient identifiers include:
- Account Numbers
- Biometric identifiers
- Certificate/License numbers
- Dates
- Device identifiers
- Email addresses
- Fax numbers
- Health Plan Numbers
- IP address numbers
- Name(s) of relative(s)
- Names
- Medical Record Number
- Photographs and comparable images
- Postal Address
- Social Security Number
- Telephone numbers
- Vehicle identifiers including license plate numbers
- Web URLs
- Any other unique identifying number, characteristic, or code
CODED INFORMATION IS STILL PHI. Anything that could be used to identify an individual is an identifier, for example a code number that is linked back to the subject.
PHI can only be used or disclosed in the following circumstances:
- For treatment, payment, or health care operations;
- If the individual authorizes the use or disclosure (clinical research);
- If the use or disclosure is permitted or required by law (public health reporting);
- If the Institutional Review Board grants a waiver of authorization.
HIPAA regulations give subjects PRIVACY RIGHTS, which means that they have the right to access their PHI, even in research. This right is limited to the PHI in the designated record set. A "designated record set" is a group of records that a covered entity (UNTHSC) uses to make decisions about individuals; it includes a health care provider's medical record and billing records, and the health plan's enrollment, payment, claims adjudication, and case or medical management record systems. The individual does not have a right of access to the research records while a clinical trial is in progress, as long as that restriction is noted in the informed consent document for the trial. Subjects must be told that they can access the information at the conclusion of the clinical trial.
The Minimum Necessary Standard
Limit PHI to the minimum amount necessary to accomplish the intended purpose. Collect only the health information essential to the study and record as few identifiers as possible.
RESEARCHER RESPONSIBILITIES
ACCESS TO PHI
- Understand permissible route of access
- Use Authorization forms and Data Use Agreements
RESTRICTIONS ON USE/DISCLOSURE OF PHI
- Implement necessary safeguards (data protection and database registration)
MINIMUM NECESSARY STANDARD
- Limit the amount of PHI
PATIENT RIGHTS: ACCOUNTING AND ACCESS TO RECORDS
- Log all uses and disclosures of PHI that are performed for preparatory research, decedent research, or under a waiver
- Subject may ask where their information has been sent, who has seen it, and for what purpose.
- Applies only to preparatory research, decedent research, and studies conducted under a waiver (you do not have to account for uses/disclosures made pursuant to an Authorization or a Data Use Agreement)
FOUR WAYS TO ACCESS PHI FOR RESEARCH PURPOSES
- Get authorization from subjects
- Use de-identified data
- Obtain a waiver of authorization
- Use a Limited Data Set with a Data Use Agreement
OBTAIN AUTHORIZATION
- Authorization is combined with the consent document or attached to it as a continuation of the document
- Directions and links are included within the text
- Delete directions and links when finished
The guidelines on who may give and obtain Authorization are the same as those for consent.
USING DE-IDENTIFIED INFORMATION
Two Ways to De-Identify
- Remove all HIPAA identifiers
- Statistical Certification: have a statistician certify that the de-identification methods have resulted in a "very small" risk that the information could be used to identify the individual
USING A LIMITED DATA SET FOR RESEARCH
Data may be used or disclosed as a "limited data set" with a data use agreement.
- A limited data set allows the inclusion of some identifiers
- A data use agreement specifies why the PHI will be used and who will use it, limits further disclosure or use, and requires the recipient to enter into a similar agreement with agents or subcontractors
- There are no accounting requirements associated with using a Limited Data Set
LIMITED DATA SET ELEMENTS
Excluded:
- Account number
- Addresses
- Biometric identifiers
- Certification/license number
- Device identification/serial number
- Email address
- Fax numbers
- Full face photograph; any comparable image
- Health Plan Beneficiary number
- IP address number
- Names
- Medical record number
- Social Security number
- Telephone numbers
- Vehicle identification/serial number
- Web URLs
Included:
- Zip codes
- Geocodes
- Date of birth
- Other date information
- Any other codes not listed under Excluded
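The two preceding sections describe three release tiers for research data: fully identified PHI (needs Authorization, a waiver, or another permitted route), a limited data set (direct identifiers removed, some dates and geographic codes kept, under a data use agreement), and de-identified data (all HIPAA identifiers removed). The following Python example, added here and not part of the original UNTHSC guidance, classifies a research record by the tier it qualifies for and strips it down to a chosen tier. The field names, the sample record and the CLINICAL_FIELDS allow-list are constructed assumptions; the category assignments follow the identifier lists on this page. It also encodes the page's "coded information is still PHI" point: a study code that is linked back to the subject is treated as a direct identifier, and any field not explicitly known is treated as an identifier (the page's last category is "any other unique identifying number, characteristic, or code"), so the check fails closed rather than open.

```python
from typing import Any, Dict, FrozenSet, List, Tuple

# Direct identifiers from the page's "Excluded" list: none may remain in a
# limited data set or in de-identified data.
DIRECT_IDENTIFIERS: FrozenSet[str] = frozenset({
    "name", "relative_name", "postal_address", "telephone", "fax", "email",
    "ssn", "medical_record_number", "health_plan_number", "account_number",
    "certificate_license_number", "vehicle_identifier", "device_identifier",
    "web_url", "ip_address", "biometric_identifier", "photograph",
})

# Identifiers a limited data set may retain (page: zip codes, geocodes, dates).
# They are still HIPAA identifiers, so they disqualify data from being
# "de-identified".
LIMITED_DATA_SET_ELEMENTS: FrozenSet[str] = frozenset({
    "zip_code", "geocode", "date_of_birth", "service_date",
})

# Health information that carries no identifier by itself (constructed names;
# in practice this allow-list comes from the study's data dictionary).
CLINICAL_FIELDS: FrozenSet[str] = frozenset({
    "diagnosis", "lab_result", "medication",
})

# Ordered from least to most restricted.
TIERS: Tuple[str, ...] = ("de_identified", "limited_data_set", "identified_phi")


def classify_field(field: str, linked_code_fields: FrozenSet[str] = frozenset()) -> str:
    """Return the least-restricted tier in which this field may appear.

    A code linked back to the subject (e.g. a study ID with a key file) is
    still PHI, so it is a direct identifier. Unknown fields fail closed.
    """
    if field in linked_code_fields or field in DIRECT_IDENTIFIERS:
        return "identified_phi"
    if field in LIMITED_DATA_SET_ELEMENTS:
        return "limited_data_set"
    if field in CLINICAL_FIELDS:
        return "de_identified"
    return "identified_phi"  # "any other unique identifying ... code"


def release_tier(record: Dict[str, Any],
                 linked_code_fields: FrozenSet[str] = frozenset()) -> str:
    """Most restricted tier required by any populated field in the record."""
    worst = "de_identified"
    for field, value in record.items():
        if value in (None, ""):
            continue  # an empty field discloses nothing
        tier = classify_field(field, linked_code_fields)
        if TIERS.index(tier) > TIERS.index(worst):
            worst = tier
    return worst


def reduce_to_tier(record: Dict[str, Any], target: str,
                   linked_code_fields: FrozenSet[str] = frozenset()
                   ) -> Tuple[Dict[str, Any], List[str]]:
    """Drop every field not permitted at `target`; return (kept, dropped).

    This is the "remove all HIPAA identifiers" route, not statistical
    certification: it removes fields, it does not assess re-identification risk.
    """
    limit = TIERS.index(target)
    kept: Dict[str, Any] = {}
    dropped: List[str] = []
    for field, value in record.items():
        if TIERS.index(classify_field(field, linked_code_fields)) <= limit:
            kept[field] = value
        else:
            dropped.append(field)
    return kept, dropped


# Constructed sample record; not real data.
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "J. Doe",
    "study_code": "S-0417",       # linked to a key file -> still PHI
    "zip_code": "76107",
    "date_of_birth": "1960-03-02",
    "diagnosis": "E11.9",
    "lab_result": "7.8",
    "telephone": "",              # empty, but still an identifier field
}
LINKED_CODES: FrozenSet[str] = frozenset({"study_code"})

if __name__ == "__main__":
    print("as collected:", release_tier(SAMPLE_RECORD, LINKED_CODES))
    for tier in ("limited_data_set", "de_identified"):
        kept, dropped = reduce_to_tier(SAMPLE_RECORD, tier, LINKED_CODES)
        print(f"{tier}: keep {sorted(kept)}, drop {sorted(dropped)}")
```

Running the script reports the sample record as identified PHI (the name and the linked study code), then shows what survives at each tier: the limited data set keeps the zip code, date of birth and clinical values, and the de-identified version keeps only the clinical values. The `linked_code_fields` argument is what distinguishes a pseudonym that is safe to release from one that is merely coded; if the key file exists anywhere, the code belongs in that set.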
USING PHI FOR PREPARATORY RESEARCH
An investigator may access health information to prepare a research protocol if the researcher certifies that:
- Review is necessary to prepare a research protocol
- No health information will be removed by the researcher during the review
- Minimum Necessary Standard applies
- Accounting Procedure applies
USING PHI FOR DECEDENT RESEARCH
A researcher may review health information of deceased persons without authorization if the researcher certifies that:
- Review is solely for research purposes
- Information that is sought is necessary to conduct the research
- Minimum Necessary Standard applies
- Accounting Procedure applies
APPLICATION NOTES
A HIPAA authorization must be detailed and include a specific description of the use of PHI and specific identification of persons to whom PHI will be disclosed. When developing an Authorization, THINK AHEAD. If a use or disclosure is not in the Authorization, it can’t be done without getting a second Authorization.