Saint Francis Care, Hartford Connecticut - ADVANCED TECHNOLOGY, ACCOMPLISHED PHYSICIANS, AMAZING RESULTS

About Us
For Patients & Families
Professional Education & Research

Advanced Life Support Training
Allied Health Programs
BEACON
Clinical Pastoral Training
Conferences & Symposia
Health Sciences Library
The Hoffman Heart Institute School Of Cardiac Ultrasound
Institutional Review Board (IRB)
Nursing Education
Residencies & Fellowships
The Saint Francis Academy

Programs & Services
Health Information
Physician Directory
Online Nursery
Classes & Events
Jobs
Volunteering/ Women's Auxiliary

HIPAA and Research
 		Back
 Tissue Banking Tissue Banking

HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA), also called the Federal Privacy Rule, as it applies to Research requires that we maintain the privacy of the Protected Health Information (PHI) that is created, accessed or shared in the course of Research activity. Protected Health Information (PHI) is individually identifiable information transmitted or maintained in any form (electronic means, on paper, or through oral communication) that relates to the past, present or future physical or mental health or conditions that can reasonably be used to identify an individual. The use and disclosure of PHI requires review and approval by the Institutional Review Board (Privacy Board) to ensure compliance with HIPAA regulations. "Use" of PHI is the sharing of PHI within the institution (i.e., from nurse to doctor). "Disclosure" of PHI is the sharing of PHI outside of the institution (i.e., from principal investigator to study sponsor).

The "Notice of Privacy Practices" is a written document, given to all patients and research subjects in the hospital, that describes the Institutional policy on how medical information is used and disclosed and how patients can access their records. It is required that all individuals entering the hospital for treatment or research be given this Notice. All patients screened through admitting will receive the Notice at that time. If a research subject does not enter the hospital through admitting, the Notice of Privacy Practices must be given to them by the Investigator. A copy of the signature page, acknowledging receipt of the Notice, should be kept in the subject's research file.

The compliance date for HIPAA is April 14, 2003. The regulation requires that an authorization for the use and disclosure of PHI, or a waiver of authorization, accompany any request for access to PHI for research purposes:

HIPAA Authorization

As an investigator, you have two choices:

  • You can use the Informed Consent template currently available on the IRB website to create a Consent Form, which has a HIPAA authorization form incorporated into the "Confidentiality" section. It is acceptable to use this combined Consent/Authorization form

OR

  • You may use a separate HIPAA Authorization form in addition to a Consent Form which does not have HIPAA authorization language incorporated into it.

The difference between these two documents: the Consent Form is the subject's consent to participate in research. The HIPAA Authorization is the subject's permission to use and disclose their Protected Health Information (PHI). If you use the combined Consent/Authorization, a single signature and date from the subject is sufficient. If you use separate forms, a signature and date on each form is required. The subject must be given a copy of the signed and dated form(s).

Request for Waiver of Individual Authorization

Several criteria must be met for approval of a research project which involves accessing or using an individual's protected health information (PHI) without the express authorization of the individual. The Principal Investigator is required to complete and submit a Waiver of Individual Authorization for Disclosure of Protected Health Information Questionnaire with the IRB application. Requests are reviewed by the IRB Chair, and approved waivers are documented, in writing. A copy is sent to the Principal Investigator, the Director of Medical Records, and the Privacy Officer.

Three Categories of Information

The HIPAA regulations categorize information in the following way:

1) Identifiable information (PHI, to which the Rule applies)
2) De-identified information (to which the Rule does not apply)
3) Limited Data Set (a middle option, to which limited parts of the Rule apply)

De-identified and limited data set information are used primarily for record review. Please see the 18 HIPAA De-Identification Criteria which, according to HIPAA regulations, renders the information impossible to identify an individual by. De-identified information is not considered PHI, and is therefore exempt from HIPAA regulations.

Please see the 16 exclusion criteria for a Limited Data Set. The recipient investigator must apply to the IRB with a "Data Use Agreement" in order to access this level of information. A limited data set allows for the retention of dates (e.g., date of birth, admission and discharge dates), some geographic information (city, state and zip code but not street address), and other unique codes or characteristics that are not expressly excluded.

Minimum Necessary Standard

The Minimum Necessary Standard is a HIPAA regulation requiring that when protected health information is used or disclosed, only the information that is needed for the immediate use or disclosure should be made available by the health care provider. This standard does not apply to uses and disclosures for treatment purposes. For Research purposes, a minimum necessary standard must be justified in the HIPAA Authorization, which requires a description of the specific PHI to be created, used or disclosed, or in a Waiver of Authorization request, which requires a description of the specific PHI to which access is being sought.

Preparatory to Research

The rule permits the use and disclosure of protected health information for research without requiring individual authorization if the research is conducted in such a manner that only de-identified PHI is recorded by the researchers and the PHI is not removed from the premises of the Institution. For such uses and disclosures, the rule requires that the IRB obtain from the researcher a signed Data Collection for Reviews Preparatory to Research agreement that the use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research, no PHI is to be removed from the Institution, and the PHI for which use or access is sought is necessary for the research purposes.

Decedent's Information

It was previously not necessary to obtain IRB approval to access records of deceased research subjects. Under HIPAA, it will be required that an investigator sign an agreement for Research on Decedent's Information prior to obtaining decedent information, indicating that the use or disclosure sought is solely for research on the protected health information of decedents, that at the request of the institution, documentation of the death of such individuals will be provided, and that the protected health information for which use or disclosure is sought is necessary for research purposes.
Privacy Policy  |  Policies and Ownership
Saint Francis Care
114 Woodland Street
Hartford, Connecticut 06105
(860) 714-4000

   
Topic Menu

IRB Home Page
IRB Meeting Dates
Conflicts of Interest in Research
HIPAA and Research
Components of IRB Review
Categories of Review
Contact the IRB
Data Safety and Monitoring for Interventional Protocols
Training of Investigators
Authorization To Release Medical Information for Research Purposes
Application Procedure
Notification of Decisions
Responsibilities of the Research Investigator and Study Coordinator
Informed Consent
Waiver of Informed Consent
Administering the Consent Agreement
Amendments in Protocol and Consent Form
Reporting Adverse Events
Progress Reports and Requests for Reapproval
IRB Audits of Protocols
Closure of Protocols
Institutional Policy
home site map directions contact us
Search Site: