HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA), also called the Federal Privacy Rule, as it applies to research requires that we maintain the privacy of the Protected Health Information (PHI) that is created, accessed or shared in the course of research activity. PHI is individually identifiable information transmitted or maintained in any form (electronic, paper, or through oral communication) that relates to the past, present or future physical or mental health or conditions of an individual and that can reasonably be used to identify that individual. The IRB at St. Francis acts as the Privacy Board, where the use and disclosure of PHI require review and approval to ensure compliance with HIPAA regulations. “Use” of PHI is the sharing of PHI within the Institution (e.g. from nurse to doctor). “Disclosure” is the sharing of PHI outside the Institution (e.g. from principal investigator to study sponsor).

The “Notice of Privacy Practices” is a written document given to all patients and research subjects in the hospital that describes the Institutional policy on how medical information is used and disclosed and how patients can access their records. All individuals entering the hospital for treatment or research must be given this Notice. All patients screened through admitting will receive the Notice at that time. If a research subject does not enter the hospital through admitting, the Investigator must give them the Notice of Privacy Practices. A copy of the signature page acknowledging receipt of the Notice should be kept in the subject’s research file.


Categories of Information

HIPAA regulations categorize information in the following way:

  1. Identifiable information (PHI, to which the rule applies)
  2. Limited Data Set (to which limited parts of the Rule apply)
  3. De-identified information (to which the Rule does not apply)


Limited data sets and de-identified information are used primarily for record review research. There are 18 HIPAA De-Identification Criteria; information that satisfies them cannot be used to identify a particular individual. De-identified information is not considered PHI and is therefore exempt from HIPAA regulations.


A Limited Data Set is defined by a list of 16 exclusion criteria. The recipient investigator must apply to the IRB with a Data Use Agreement in order to access this level of information. A limited data set allows for retention of dates (e.g. date of birth, admission, discharge), some geographic information (city, state, and zip code but not street address), and other unique codes or characteristics.


Request for Waiver of Individual Authorization

Several criteria must be met for approval of a research project which involves accessing or using an individual’s protected health information (PHI) without the express authorization of the individual. The Principal Investigator is required to complete and submit a Waiver of Individual Authorization for Disclosure of Protected Health Information Questionnaire with the IRB application. Requests are reviewed by the IRB Chair and approval is documented in writing. A copy is sent to the Principal Investigator, the Director of Medical Records, and the Privacy Officer.


Minimum Necessary Standard

The Minimum Necessary Standard requires that, when PHI is used or disclosed, only the information needed for the immediate use or disclosure be made available to the researcher. This standard does not apply to uses and disclosures for treatment purposes. For research purposes, the minimum necessary standard must be justified either in the HIPAA authorization, which requires a description of the specific PHI to be created, used, or disclosed, or in a Waiver of Authorization request, which requires a description of the specific PHI to which access is being sought.


Preparatory to Research

The Privacy Rule permits the use and disclosure of protected health information for research without requiring individual authorization if the research is conducted in such a manner that only de-identified PHI is recorded by the researchers and the PHI is not removed from the premises of the Institution. For such uses and disclosures, the rule requires that the IRB obtain from the researcher a signed Data Collection for Review Preparatory to Research agreement stating that the use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research, that no PHI is to be removed from the Institution, and that the PHI for which use or access is sought is necessary for the research purposes.


Decedent’s Information

An investigator is required to sign an agreement for Research on Decedent’s Information prior to obtaining decedent information, indicating that the use or disclosure sought is solely for research on the PHI of decedents. The agreement also states that documentation of the death of such individuals will be provided at the request of the Institution, and that the PHI for which use or disclosure is sought is necessary for research purposes.

HIPAA regulations require that an authorization for the use and disclosure of the PHI, or a waiver of authorization, accompany any request for access to PHI for research purposes. As an investigator, you have two choices:

  • Use a consent form which has the HIPAA authorization form incorporated into the “Confidentiality” section. The IRB provides a consent form template which has the combined consent and authorization language.

  • Use a separate HIPAA Authorization form in addition to a consent form which does not contain incorporated HIPAA Authorization language.

If a combined consent and authorization form is used, a single signature and date from the subject is sufficient. If separate forms are used, a signature and date on each is required. The subject must be given a copy of each form used.