1
HIPAA, Researchers and the HIPAA, Researchers and the IRB: Part TwoIRB: Part Two
Alan Homans, IRB Chair and
Nancy Stalnaker, IRB Administrator
2
Introduction
AGAIN…AGAIN…
• Don’t kill the messenger – Don’t kill the messenger – wewe didn’t write didn’t write this rule!this rule!
• Be kind – we do NOT have all the answers – Be kind – we do NOT have all the answers – but we do want to hear the questions - we but we do want to hear the questions - we will will continue to work towards answering will will continue to work towards answering them.them.
AGAIN…AGAIN…
• Don’t kill the messenger – Don’t kill the messenger – wewe didn’t write didn’t write this rule!this rule!
• Be kind – we do NOT have all the answers – Be kind – we do NOT have all the answers – but we do want to hear the questions - we but we do want to hear the questions - we will will continue to work towards answering will will continue to work towards answering them.them.
3
What Research is Affected?
Privacy rule applies to research that Privacy rule applies to research that uses uses Protected Health Information Protected Health Information (PHI).(PHI). PHI is individually identifiable PHI is individually identifiable health information received from a health information received from a covered entity.covered entity.
Privacy rule applies to research that Privacy rule applies to research that uses uses Protected Health Information Protected Health Information (PHI).(PHI). PHI is individually identifiable PHI is individually identifiable health information received from a health information received from a covered entity.covered entity.
4
What Research is Affected?
Three categories of identifiability:Three categories of identifiability:
1. PHI – Identifiable – rule applies
2. De-Identified Information - rule does not apply
3. Limited Data Set – a middle option - limited parts of the rule apply
Three categories of identifiability:Three categories of identifiability:
1. PHI – Identifiable – rule applies
2. De-Identified Information - rule does not apply
3. Limited Data Set – a middle option - limited parts of the rule apply
5
What Research is Affected?
• ““De-IdentifiedDe-Identified” – there are ” – there are 18 specific identifiers18 specific identifiers which must be removed to be considered de-which must be removed to be considered de-identified – thus not covered by rule.identified – thus not covered by rule.
• Limited Data SetLimited Data Set – Not fully “de-identified” – can – Not fully “de-identified” – can retain certain dates, geographic info and unique retain certain dates, geographic info and unique identifying numbers . Most privacy rule identifying numbers . Most privacy rule requirements do not apply, the minimum requirements do not apply, the minimum necessary standard does apply and a data use necessary standard does apply and a data use agreement is required.agreement is required.
• ““De-IdentifiedDe-Identified” – there are ” – there are 18 specific identifiers18 specific identifiers which must be removed to be considered de-which must be removed to be considered de-identified – thus not covered by rule.identified – thus not covered by rule.
• Limited Data SetLimited Data Set – Not fully “de-identified” – can – Not fully “de-identified” – can retain certain dates, geographic info and unique retain certain dates, geographic info and unique identifying numbers . Most privacy rule identifying numbers . Most privacy rule requirements do not apply, the minimum requirements do not apply, the minimum necessary standard does apply and a data use necessary standard does apply and a data use agreement is required.agreement is required.
6
18 Items Which 18 Items Which MustMust BeBe RemovedRemoved to Be to Be “De-identified”“De-identified”
18 Items Which 18 Items Which MustMust BeBe RemovedRemoved to Be to Be “De-identified”“De-identified”
1.1. NamesNames2.2. ALLALL geographic subdivisions geographic subdivisions smaller than the statesmaller than the state3.3. All elements of dates All elements of dates smaller than a year smaller than a year (i.e. birth (i.e. birth
date, admission, discharge, death, etc.)date, admission, discharge, death, etc.)4.4. Phone numbersPhone numbers5.5. Fax numbers Fax numbers 6.6. E-mail addressesE-mail addresses7.7. SS numbersSS numbers8.8. Medical record numberMedical record number9.9. Health plan beneficiaryHealth plan beneficiary
1.1. NamesNames2.2. ALLALL geographic subdivisions geographic subdivisions smaller than the statesmaller than the state3.3. All elements of dates All elements of dates smaller than a year smaller than a year (i.e. birth (i.e. birth
date, admission, discharge, death, etc.)date, admission, discharge, death, etc.)4.4. Phone numbersPhone numbers5.5. Fax numbers Fax numbers 6.6. E-mail addressesE-mail addresses7.7. SS numbersSS numbers8.8. Medical record numberMedical record number9.9. Health plan beneficiaryHealth plan beneficiary
7
10.10. Any other account numbers Any other account numbers 11.11. Certificate/license numbersCertificate/license numbers12.12. Vehicle identifiersVehicle identifiers13.13. Device identification numbersDevice identification numbers14.14. WEB URL'sWEB URL's15.15. Internet IP address numbersInternet IP address numbers16.16. Biometric identifiers (fingerprint, voice prints, retina Biometric identifiers (fingerprint, voice prints, retina
scan, etc)scan, etc)17.17. Full face photographs or comparable imagesFull face photographs or comparable images18.18. Any other unique number, characteristic or code.Any other unique number, characteristic or code.19.19. Diagnoses are not included in this listDiagnoses are not included in this list
10.10. Any other account numbers Any other account numbers 11.11. Certificate/license numbersCertificate/license numbers12.12. Vehicle identifiersVehicle identifiers13.13. Device identification numbersDevice identification numbers14.14. WEB URL'sWEB URL's15.15. Internet IP address numbersInternet IP address numbers16.16. Biometric identifiers (fingerprint, voice prints, retina Biometric identifiers (fingerprint, voice prints, retina
scan, etc)scan, etc)17.17. Full face photographs or comparable imagesFull face photographs or comparable images18.18. Any other unique number, characteristic or code.Any other unique number, characteristic or code.19.19. Diagnoses are not included in this listDiagnoses are not included in this list
18 Items Which Must Be Removed to Be 18 Items Which Must Be Removed to Be “De-identified” (continued)“De-identified” (continued)
8
How to obtain PHI for research?How to obtain PHI for research?How to obtain PHI for research?How to obtain PHI for research?
1.1. Authorization from Research Authorization from Research Subject Subject
2.2. Waiver of Authorization Waiver of Authorization
1.1. Authorization from Research Authorization from Research Subject Subject
2.2. Waiver of Authorization Waiver of Authorization
9
Elements of AuthorizationElements of AuthorizationElements of AuthorizationElements of Authorization
• Required elements in an authorizationRequired elements in an authorization
SpecificSpecific and and meaningfulmeaningful description of description of what information will be used or disclosedwhat information will be used or disclosed
WhoWho may use or disclose may use or disclose To whom the PHI will be disclosedTo whom the PHI will be disclosed Why Why the use or disclosure is being made the use or disclosure is being made
(each purpose) Notice that authorization (each purpose) Notice that authorization may be revoked; may be revoked;
Notice that the information may be Notice that the information may be disclosed to others not subject to the disclosed to others not subject to the Privacy RulePrivacy Rule
10
Elements of Authorization IIElements of Authorization IIElements of Authorization IIElements of Authorization II
• Required elements in an authorizationRequired elements in an authorization Statement of Statement of how longhow long the use or disclosure the use or disclosure
will continue (no expiration date is allowed will continue (no expiration date is allowed for research purposes - but this must be for research purposes - but this must be explicitly stated in the authorization form)explicitly stated in the authorization form)
Notice that the covered entity may or may Notice that the covered entity may or may not condition treatment or payment on the not condition treatment or payment on the individual’s signatureindividual’s signature
Individual’s Individual’s signature and datesignature and date
• Required elements in an authorizationRequired elements in an authorization Statement of Statement of how longhow long the use or disclosure the use or disclosure
will continue (no expiration date is allowed will continue (no expiration date is allowed for research purposes - but this must be for research purposes - but this must be explicitly stated in the authorization form)explicitly stated in the authorization form)
Notice that the covered entity may or may Notice that the covered entity may or may not condition treatment or payment on the not condition treatment or payment on the individual’s signatureindividual’s signature
Individual’s Individual’s signature and datesignature and date
11
How to obtain Authorization?
The Draft FAHC Authorization The Draft FAHC Authorization language template is now finished language template is now finished and will be piloted beginning this and will be piloted beginning this week. It is a SEPARATE document week. It is a SEPARATE document to be executed in addition to the to be executed in addition to the Informed Consent Document.Informed Consent Document.
The Draft FAHC Authorization The Draft FAHC Authorization language template is now finished language template is now finished and will be piloted beginning this and will be piloted beginning this week. It is a SEPARATE document week. It is a SEPARATE document to be executed in addition to the to be executed in addition to the Informed Consent Document.Informed Consent Document.
12
How to obtain Authorization
Protocols Approved Prior to 4/14/03:Protocols Approved Prior to 4/14/03:• Surveys were sent to PIs to determine which Surveys were sent to PIs to determine which
approved protocols will require authorization approved protocols will require authorization (PHI + new accruals after 4/14/03).(PHI + new accruals after 4/14/03).
• Forms and processes will be piloted beginning Forms and processes will be piloted beginning this week and adjustments made. this week and adjustments made.
• IRB will email PIs having protocols identified IRB will email PIs having protocols identified as needing an authorization with instructions as needing an authorization with instructions and the template, as soon as possible.and the template, as soon as possible.
Protocols Approved Prior to 4/14/03:Protocols Approved Prior to 4/14/03:• Surveys were sent to PIs to determine which Surveys were sent to PIs to determine which
approved protocols will require authorization approved protocols will require authorization (PHI + new accruals after 4/14/03).(PHI + new accruals after 4/14/03).
• Forms and processes will be piloted beginning Forms and processes will be piloted beginning this week and adjustments made. this week and adjustments made.
• IRB will email PIs having protocols identified IRB will email PIs having protocols identified as needing an authorization with instructions as needing an authorization with instructions and the template, as soon as possible.and the template, as soon as possible.
13
How to obtain Authorization?
Review of authorization forms for Review of authorization forms for existing protocols will be done on a existing protocols will be done on a first-come, first-serve basis – if you first-come, first-serve basis – if you know you will be entering new know you will be entering new subjects soon after 4/14/03, get your subjects soon after 4/14/03, get your authorizations as soon as possible.authorizations as soon as possible.
Review of authorization forms for Review of authorization forms for existing protocols will be done on a existing protocols will be done on a first-come, first-serve basis – if you first-come, first-serve basis – if you know you will be entering new know you will be entering new subjects soon after 4/14/03, get your subjects soon after 4/14/03, get your authorizations as soon as possible.authorizations as soon as possible.
14
How to obtain Authorization?
NEW PROTOCOLS:NEW PROTOCOLS:The process for determining which The process for determining which new protocols will require new protocols will require authorization is currently being authorization is currently being developed, including a revision to developed, including a revision to our protocol cover sheet. We will let our protocol cover sheet. We will let you know as soon as this is available. you know as soon as this is available.
NEW PROTOCOLS:NEW PROTOCOLS:The process for determining which The process for determining which new protocols will require new protocols will require authorization is currently being authorization is currently being developed, including a revision to developed, including a revision to our protocol cover sheet. We will let our protocol cover sheet. We will let you know as soon as this is available. you know as soon as this is available.
15
How to obtain Waiver of Authorization?
How to obtain Waiver of Authorization?
In research, authorization is In research, authorization is notnot required if it meets the required if it meets the criteria for waiver outlined in criteria for waiver outlined in the privacy rule.the privacy rule.
In research, authorization is In research, authorization is notnot required if it meets the required if it meets the criteria for waiver outlined in criteria for waiver outlined in the privacy rule.the privacy rule.
16
• No more than minimal riskNo more than minimal risk
• Not adversely affect rights Not adversely affect rights and welfare of subjectsand welfare of subjects
• Research cannot be done Research cannot be done without waiverwithout waiver
• When appropriate, When appropriate, information will be information will be provided to subjects of provided to subjects of researchresearch
• No more than minimal riskNo more than minimal risk
• Not adversely affect rights Not adversely affect rights and welfare of subjectsand welfare of subjects
• Research cannot be done Research cannot be done without waiverwithout waiver
• When appropriate, When appropriate, information will be information will be provided to subjects of provided to subjects of researchresearch
• No more than minimal risk to No more than minimal risk to privacyprivacy, based on, at least:, based on, at least: Plan to protect identifiersPlan to protect identifiers Plan to destroy identifiers Plan to destroy identifiers
ASAPASAP Written assurance that PHI Written assurance that PHI
will not be used/disclosed will not be used/disclosed with few exceptionswith few exceptions
• Research Research cannot be donecannot be done without waiver, andwithout waiver, and
• Research cannot be done Research cannot be done without this PHIwithout this PHI
• No more than minimal risk to No more than minimal risk to privacyprivacy, based on, at least:, based on, at least: Plan to protect identifiersPlan to protect identifiers Plan to destroy identifiers Plan to destroy identifiers
ASAPASAP Written assurance that PHI Written assurance that PHI
will not be used/disclosed will not be used/disclosed with few exceptionswith few exceptions
• Research Research cannot be donecannot be done without waiver, andwithout waiver, and
• Research cannot be done Research cannot be done without this PHIwithout this PHI
COMMON RULE PRIVACY RULE
CRITERIA FOR CRITERIA FOR WAIVER OF AUTHORIZATIONWAIVER OF AUTHORIZATION
CRITERIA FOR CRITERIA FOR WAIVER OF AUTHORIZATIONWAIVER OF AUTHORIZATION
17
How to obtain Waiver of Authorization?
How to obtain Waiver of Authorization?
The process and forms are currently The process and forms are currently being developed to address the being developed to address the required criteria necessary for the required criteria necessary for the IRB to approve a waiver. We will let IRB to approve a waiver. We will let you know when these are available.you know when these are available.
The process and forms are currently The process and forms are currently being developed to address the being developed to address the required criteria necessary for the required criteria necessary for the IRB to approve a waiver. We will let IRB to approve a waiver. We will let you know when these are available.you know when these are available.
18
TRANSITION TO PRIVACY RULETRANSITION TO PRIVACY RULETRANSITION TO PRIVACY RULETRANSITION TO PRIVACY RULE
• Compliance date: April 14, 2003Compliance date: April 14, 2003• If you have a waiver of consent If you have a waiver of consent
under the common rule prior to under the common rule prior to 4/14/03, you do NOT need to apply 4/14/03, you do NOT need to apply for a waiver under HIPAAfor a waiver under HIPAA
• All new enrollment of subjects on All new enrollment of subjects on research involving PHI falls under research involving PHI falls under HIPAA & requires an authorizationHIPAA & requires an authorization
• Compliance date: April 14, 2003Compliance date: April 14, 2003• If you have a waiver of consent If you have a waiver of consent
under the common rule prior to under the common rule prior to 4/14/03, you do NOT need to apply 4/14/03, you do NOT need to apply for a waiver under HIPAAfor a waiver under HIPAA
• All new enrollment of subjects on All new enrollment of subjects on research involving PHI falls under research involving PHI falls under HIPAA & requires an authorizationHIPAA & requires an authorization
19
Authorization/Waiver RemindersAuthorization/Waiver RemindersAuthorization/Waiver RemindersAuthorization/Waiver Reminders
• If you need to do an authorization, If you need to do an authorization, the IRB will contact you to inform the IRB will contact you to inform you what you need to doyou what you need to do
• If you haven’t completed your If you haven’t completed your survey yet, please do so survey yet, please do so immediately!immediately!
• HIPAA is HIPAA is in additionin addition to current IRB to current IRB human subject requirements - when human subject requirements - when both regulations apply, both both regulations apply, both requirements must be followed.requirements must be followed.
• If you need to do an authorization, If you need to do an authorization, the IRB will contact you to inform the IRB will contact you to inform you what you need to doyou what you need to do
• If you haven’t completed your If you haven’t completed your survey yet, please do so survey yet, please do so immediately!immediately!
• HIPAA is HIPAA is in additionin addition to current IRB to current IRB human subject requirements - when human subject requirements - when both regulations apply, both both regulations apply, both requirements must be followed.requirements must be followed.
20
DATABASES/REGISTRIESDATABASES/REGISTRIES
• HIPAA will add a new level of HIPAA will add a new level of scrutiny to use of all PHIscrutiny to use of all PHI
• UVM and FAHC need to place UVM and FAHC need to place ourselves in the best compliance ourselves in the best compliance position possibleposition possible
• HIPAA will add a new level of HIPAA will add a new level of scrutiny to use of all PHIscrutiny to use of all PHI
• UVM and FAHC need to place UVM and FAHC need to place ourselves in the best compliance ourselves in the best compliance position possibleposition possible
21
DATABASES/REGISTRIESDATABASES/REGISTRIES
• In order to ensure that the development, In order to ensure that the development, maintenance and release of data involving PHI maintenance and release of data involving PHI meets these requirements, we will be surveying meets these requirements, we will be surveying all researchers about existing databases. all researchers about existing databases.
• Processes are being developed for the IRB to Processes are being developed for the IRB to review existing databases and, when review existing databases and, when appropriate, approve waiver of consent and/or appropriate, approve waiver of consent and/or authorization.authorization.
• In order to ensure that the development, In order to ensure that the development, maintenance and release of data involving PHI maintenance and release of data involving PHI meets these requirements, we will be surveying meets these requirements, we will be surveying all researchers about existing databases. all researchers about existing databases.
• Processes are being developed for the IRB to Processes are being developed for the IRB to review existing databases and, when review existing databases and, when appropriate, approve waiver of consent and/or appropriate, approve waiver of consent and/or authorization.authorization.
22
DATABASES/REGISTRIESDATABASES/REGISTRIES
• Model procedures for developing Model procedures for developing and operating databases and and operating databases and registries will be drafted and made registries will be drafted and made available upon completion.available upon completion.
• Model procedures for developing Model procedures for developing and operating databases and and operating databases and registries will be drafted and made registries will be drafted and made available upon completion.available upon completion.
