HIPAA and Human Subjects Research

IRB Member CEMay 2014

Slideshow by Sean Horkheimer

What is HIPAA?

• HIPAA is the Health Insurance Portability and Accountability Act.

• HIPAA is a set of federal laws that regulates, among other things, the disclosure of protected health information (“PHI”) about patients treated by most health care providers and organizations in the United States.

• HIPAA regulates how PHI is maintained and how it is gathered by researchers.

• HIPAA’s laws apply to research done at MCW/FH

What is Protected Health Information (“PHI”)?

• Information that is:– Created or received by a health care provider,

health plan, or health care clearinghouse.– Relates to an individual’s past, present, or future

physical or mental health condition, or health care treatment

– That either identifies an individual or includes enough personal identifiers that the individual could be reasonably determined.

What are personal identifiers?

• Examples include:– Name– Age– Gender– Social Security number– Date of birth– Address (physical or electronic mail)– Phone number– Names of relatives or employers

HIPAA in the SmartFormWhat about a recruitment HIPAA waiver?

• For when study teams need to review records to identify potential subjects for recruitment. When 16.1 & 16.1.1 are selected “Yes”

This HIPAA section will identify how the study team will use PHI. The sections that follow will answer all the necessary points for consideration.

HIPAA in the SmartForm, cont’d

What to consider when approving a HIPAA waiver for screening?

• The following three criteria must be satisfied for an IRB or Privacy Board to approve a waiver of authorization: 1. The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:

– an adequate plan to protect the identifiers from improper use and disclosure; – an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of

the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and

– adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;

2. The research could not practicably be conducted without the waiver or alteration; and

3. The research could not practicably be conducted without access to and use of the protected health information.

What does the IRB do with regard to HIPAA during their review of the submission?

• Review the study SmartForm for sections that address HIPAA.

• Review the study protocol.• Review the informed consent:– Do the SmartForm, protocol, and ICF all describe

the same PHI collected and protections?– Does the ICF include all of the necessary

information based on the ICF template?

What needs to be in the HIPAA authorization in the consent form?

• HIPAA required elements are included in Section E• What health information will be collected and used for

the study?• Who will see the health information?• What are the risks of sharing this health information?• How long will the information be kept? (10 years or

longer)• How to cancel permission to share health information.• Circumstances that may affect access to clinical records.

(Ex: which drug given in blinded study).

Other Possibilities: Limited Data Sets

• These are data sets accessed or obtained by an investigator after they have completed a Limited Data Set Agreement with the holder of the data.– Is the data set is indicated in the SmartForm?– Is the Limited Data Set Agreement completed and

uploaded?

Other Possibilities: Use of Decedents

• Research that involves the review of records of only deceased individuals, and no living subjects are contacted or have their information accessed.

• No Authorization or waiver of Authorization by an IRB or Privacy Board is needed for use or disclosure of PHI for research only on the PHI of deceased persons, if these conditions are met:– the PHI is necessary for the research and is being sought

solely for research on the PHI of decedents – documentation of the deaths of the study subjects can be

made

The End

• Questions?