1 hipaa enhancements to irb submissions john m. falletta, md chairman, institutional review board...
TRANSCRIPT
1
HIPAA Enhancements HIPAA Enhancements to IRB Submissionsto IRB Submissions
John M. Falletta, MDJohn M. Falletta, MDChairman, Institutional Review BoardChairman, Institutional Review Board
Duke University Health SystemDuke University Health SystemDurham, NCDurham, NC
2
HIPAAHIPAA
Health Insurance Portability and Health Insurance Portability and Accountability Act Accountability Act
Protected Health Information (PHI)Protected Health Information (PHI)
Individually identifiable health Individually identifiable health informationinformation
3
Treatment, Payment, or Operations (TPO) Treatment, Payment, or Operations (TPO)
Education and Quality Improvement are Education and Quality Improvement are OperationsOperations
4
HIPAA and ResearchHIPAA and Research
HIPAA mandates that a privacy board HIPAA mandates that a privacy board ensure institutional compliance with ensure institutional compliance with HIPAA. For research involving HIPAA. For research involving humans receiving care at DUHS, this humans receiving care at DUHS, this function is fulfilled by the IRB.function is fulfilled by the IRB.
5
Definition of "Research”Definition of "Research”
A systematic investigation designed to A systematic investigation designed to develop or contribute to generalizable develop or contribute to generalizable knowledge. 45 CFR 46.102 (d)knowledge. 45 CFR 46.102 (d)
6
Definition of "Human Subject”Definition of "Human Subject”
A living individual about whom anA living individual about whom an
investigator...conducting research obtainsinvestigator...conducting research obtains
(1) data through intervention or interaction(1) data through intervention or interaction
with the individual, or (2) identifiablewith the individual, or (2) identifiable
private information. 45 CFR 46.102(f)private information. 45 CFR 46.102(f)
7
Definition of "Human Subject”Definition of "Human Subject”Operational Change due to HIPAAOperational Change due to HIPAA
An living individual about whom anAn living individual about whom an
investigator...conducting research obtainsinvestigator...conducting research obtains
(1) data through intervention or interaction(1) data through intervention or interaction
with the individual, or (2) identifiablewith the individual, or (2) identifiable
private information. private information.
8
Research Using Decedent PHIResearch Using Decedent PHI
No longer “exempt from IRB review”No longer “exempt from IRB review”
Now covered as any other PHINow covered as any other PHI
IRB must be notified of research plansIRB must be notified of research plans
- Implementation requires - Implementation requires response response
- IRB may require evidence of - IRB may require evidence of death of the subject death of the subject
9
Items to Exclude for Items to Exclude for DeidentificationDeidentification
• NamesNames
• AddressAddress
• Zip code *Zip code *
• Dates except yearDates except year
• Telephone numbersTelephone numbers
• Fax numbersFax numbers
• Electronic mail addressesElectronic mail addresses
• Social security numbersSocial security numbers
• Medical Record NumbersMedical Record Numbers
• Health plan beneficiary Health plan beneficiary numbersnumbers
• Account numbersAccount numbers
10
Items to Exclude for Items to Exclude for DeidentificationDeidentification (cont.) (cont.)
• Certificate/license Certificate/license numbernumber
• Vehicle identifiers and Vehicle identifiers and serial numbersserial numbers
• Web Universal Web Universal Resource Locators Resource Locators (URLs) (URLs)
• Internet Protocol (IP) Internet Protocol (IP) address numbersaddress numbers
• Biometric identifiersBiometric identifiers
• Full face photographic Full face photographic imagesimages
• Any other unique Any other unique identifying number, identifying number, characteristic or codecharacteristic or code
11
AnonymizationAnonymizationversusversus
HIPAA DeidentificationHIPAA DeidentificationThe only setting where approval of IRB anonymization (unlinking) does not also confer approval of HIPAA deidentification is when the anonymized (unlinked) data contain dates (more specific than the year) of events, or full ZIP code or age of a subject over 90.
12
HIPAA DeidentificationHIPAA Deidentificationversusversus
AnonymizationAnonymizationThe only setting where approval of HIPAA deidentification does not also confer approval of IRB anonymization (unlinking) is where a code with a key linking back to the subject is retained with the deidentified data without special provisions approved by the IRB.
13
ProtocolProtocolMethods for Subject AccrualMethods for Subject Accrual
–Identifying Potential SubjectsIdentifying Potential Subjects
–RecruitmentRecruitment
Methods for ProtectingMethods for Protecting
–Privacy of SubjectPrivacy of Subject
–Confidentiality of DataConfidentiality of Data
Consent FormConsent Form
14
Methods for Subject AccrualMethods for Subject Accrual
Identifying Potential SubjectsIdentifying Potential Subjects
(Reviews Preparatory to Research, (Reviews Preparatory to Research, Pre-Screening, Case Finding)Pre-Screening, Case Finding)
Notification of IRB via letter or protocol Notification of IRB via letter or protocol description description
Request IRB waiver or alteration of Request IRB waiver or alteration of consentconsent
15
Methods for Subject AccrualMethods for Subject Accrual (cont.) (cont.)
Notification of IRB of plans for identifying Notification of IRB of plans for identifying potential subjectspotential subjects• Letter or pLetter or protocol description to include rotocol description to include specific information needed to prepare specific information needed to prepare research protocol and/or identify research protocol and/or identify potential subjectspotential subjects• Implementation requires responseImplementation requires response
• Limitation - No PHI may be removed Limitation - No PHI may be removed from DUHSfrom DUHS
16
Methods for Subject AccrualMethods for Subject Accrual (cont.) (cont.)
Implication - Notification of IRBImplication - Notification of IRB (cont.) (cont.)
Useful for screening prior to protocol Useful for screening prior to protocol development to determine whether development to determine whether research is feasible.research is feasible.
17
Methods for Subject AccrualMethods for Subject Accrual (cont.) (cont.)
Request IRB Waiver or Alteration of Consent in Request IRB Waiver or Alteration of Consent in order to identify potential subjectsorder to identify potential subjects
• Protocol description justifying waiver or Protocol description justifying waiver or alteration alteration
• Description of PHI neededDescription of PHI needed
• Evidence that risks will be minimalEvidence that risks will be minimal
• Evidence that research is impractical Evidence that research is impractical without waiver for access to PHIwithout waiver for access to PHI
18
Implications - Waiver or Implications - Waiver or Alteration of ConsentAlteration of Consent
• Use to contact individuals who have left Use to contact individuals who have left covered entitycovered entity
• Use if sponsor requires pre-screening logsUse if sponsor requires pre-screening logs• IRB needs to know if sponsor gets PHI from IRB needs to know if sponsor gets PHI from
pre-screeningpre-screening• Identification removal requirement implies Identification removal requirement implies
contract modifications with sponsorcontract modifications with sponsor
19
Note: May use/disclose data as Note: May use/disclose data as described in IRB protocol.described in IRB protocol.
• Other use requires IRB approvalOther use requires IRB approval
• Verbal consent allowed with IRB Verbal consent allowed with IRB approvalapproval
Implications - Waiver or Implications - Waiver or Alteration of ConsentAlteration of Consent (cont.) (cont.)
20
Methods for Subject AccrualMethods for Subject AccrualRecruitmentRecruitment• Ads (content, style and placement/ Ads (content, style and placement/ publication) publication)
• Word of mouthWord of mouth
• Contact potential subjects who know PIContact potential subjects who know PI
– Describe location and procedureDescribe location and procedure
• Contact of potential subjects who are Contact of potential subjects who are “strangers” “strangers” (such as Other People’s (such as Other People’s Patients)Patients)
– Describe location and procedureDescribe location and procedure
21
Procedure for Contacting Other Procedure for Contacting Other People’s PatientsPeople’s Patients
• Obtain permission of the patient’s physicianObtain permission of the patient’s physician• Provide IRB-approved study information Provide IRB-approved study information (brief) to patient’s physician or other (brief) to patient’s physician or other caregiver known to the patientcaregiver known to the patient• Caregiver provides patient with introduction Caregiver provides patient with introduction to to the study and the name of the investigator the study and the name of the investigator (staff (staff member) who will contact the patientmember) who will contact the patient• Investigator (staff member) contacts the Investigator (staff member) contacts the patient about the studypatient about the study
22
Methods for Protecting Privacy Methods for Protecting Privacy of Subjectsof Subjects
Privacy - the right to be left alonePrivacy - the right to be left alone
- the right to control personal - the right to control personal information even after information even after
disclosing it disclosing it
How will you minimize the risk of How will you minimize the risk of invasion of the subject’s privacy?invasion of the subject’s privacy?
23
How will you minimize the risk of How will you minimize the risk of inappropriate disclosure of PHI?inappropriate disclosure of PHI?
Methods for Protecting Methods for Protecting Confidentiality of DataConfidentiality of Data
24
General Requirements for General Requirements for Informed Consent Informed Consent
(45 CFR Part 46.116)(45 CFR Part 46.116)
Legally effective informed consent shall:Legally effective informed consent shall:
1. Be obtained from the subject or the 1. Be obtained from the subject or the subject's legally authorized subject's legally authorized representative;representative;
2. Be in a language understandable to 2. Be in a language understandable to the subject or the representative;the subject or the representative;
25
General Requirements for General Requirements for Informed Consent Informed Consent
(45 CFR Part 46.116)(45 CFR Part 46.116) (cont.) (cont.)
3. Be obtained under circumstances that provide the 3. Be obtained under circumstances that provide the subject with the opportunity to consider whether or subject with the opportunity to consider whether or not to participate, and that minimize coercion not to participate, and that minimize coercion influences;influences;
4. Not include language through which subject is 4. Not include language through which subject is made to waive any of his legal rights or which made to waive any of his legal rights or which releases the investigator, sponsor or institution from releases the investigator, sponsor or institution from liability for negligence.liability for negligence.
26
1. Statement that study involves research; 1. Statement that study involves research; explanation of purpose(s) and expected explanation of purpose(s) and expected duration of participation; description of duration of participation; description of procedures and identification of procedures and identification of experimental procedures.experimental procedures.
2. Description of risks or discomforts to 2. Description of risks or discomforts to
subject.subject.
Basic Elements of Informed Consent Basic Elements of Informed Consent
45 CFR Part 46.116 (A)45 CFR Part 46.116 (A) (cont.)(cont.)
27
Basic Elements of Informed Consent Basic Elements of Informed Consent
45 CFR Part 46.116 (A)45 CFR Part 46.116 (A) (cont.)(cont.)
3. Description of benefits to subject or to 3. Description of benefits to subject or to
others.others.
4. Disclosure of alternative procedures, if 4. Disclosure of alternative procedures, if
appropriate.appropriate.
5. Description of the extent to which 5. Description of the extent to which confidentiality will be maintained.confidentiality will be maintained.
28
Basic Elements of Informed Consent Basic Elements of Informed Consent
45 CFR Part 46.116 (A)45 CFR Part 46.116 (A) (cont.)(cont.)6. For research involving more than 6. For research involving more than minimal risk, explanation as to whether minimal risk, explanation as to whether compensation and medical treatments are compensation and medical treatments are available if injury occurs.available if injury occurs.
7. Explanation of whom to contact if 7. Explanation of whom to contact if questions arise about the research or the questions arise about the research or the subjects' rights or whom to contact if subjects' rights or whom to contact if research-related injury occurs.research-related injury occurs.
29
Basic Elements of Informed Consent Basic Elements of Informed Consent
45 CFR Part 46.116 (A)45 CFR Part 46.116 (A) (cont.)(cont.)8. Statement that participation is voluntary, 8. Statement that participation is voluntary, that refusal to participate involves no that refusal to participate involves no penalty or loss of benefits, and that subject penalty or loss of benefits, and that subject may discontinue at any time.may discontinue at any time.
30
Additional Elements of Informed Additional Elements of Informed Consent 45 CFR Part 46.116 (B)Consent 45 CFR Part 46.116 (B)
When required by the IRB, one or more of When required by the IRB, one or more of the following elements shall be provided to the following elements shall be provided to each subject:each subject:
1. Statement that procedure may involve 1. Statement that procedure may involve unforeseeable risks;unforeseeable risks;
2. Description of circumstances under which 2. Description of circumstances under which subject's participation may be terminated by subject's participation may be terminated by the investigator without subject's consent;the investigator without subject's consent;
31
Additional Elements of Informed Additional Elements of Informed Consent 45 CFR Part 46.116 (B)Consent 45 CFR Part 46.116 (B) (cont.)(cont.)
3. Additional costs to subject resulting from 3. Additional costs to subject resulting from participation in research;participation in research;4. Consequences of subject's decision to withdraw 4. Consequences of subject's decision to withdraw from research;from research;
5. Statement that significant new findings 5. Statement that significant new findings developed during research which may relate to developed during research which may relate to subject's willingness to continue will be provided subject's willingness to continue will be provided to subject;to subject;
6. Approximate number of subjects involved in 6. Approximate number of subjects involved in study.study.
32
Consent FormConsent Form
All of the following information will be All of the following information will be needed in each consent form.needed in each consent form.
33
Consent FormConsent FormFor early withdrawal from the study:For early withdrawal from the study:
If you agree to be in this study, you are free to change your mind. At any time you may withdraw your consent to be in this study and for us to use your data. If you withdraw from the study, you will continue to have access to health care at Duke.
34
Consent FormConsent FormFor early withdrawal from the study For early withdrawal from the study (cont.):(cont.):
If you do decide to withdraw, we ask that you contact Dr. [PI] in writing and let [him/her] know that you are withdrawing from the study. [His/her] mailing address is [address]. At that time we will ask your permission to continue using all information about you that has already been collected as part of the study prior to your withdrawal.
35
Consent FormConsent FormStatement of Consent:Statement of Consent:
You will be given a signed copy of this consent form.
or
“I have been told that I will be given a signed copy of this consent form.”
36
Consent FormConsent FormConfidentiality:Confidentiality:
Study records that identify you will be kept confidential as required by law. You will not be identified by name in the study records. Your records will be assigned a unique code number. The key to the code will be kept in a locked file in Dr. [PI]’s office.
37
Consent FormConsent FormWho will have access to study records and Who will have access to study records and to whom information may be disclosed:to whom information may be disclosed:
Your records may be reviewed in order to meet federal or state regulations. Reviewers may include …, …, … and the Duke University Health System Institutional Review Board.
38
Consent FormConsent FormExpiration date or event for the retention of records:Expiration date or event for the retention of records:
The study results will be retained in your research record for at least six years or until after the study is completed, whichever is longer. At that time either the research information not already in your medical record will be destroyed or information identifying you will be removed from such study results at DUHS. Any research information in your medical record will be kept indefinitely.