hipaa and research basics for irb tim atkinson director, research and sponsored programs director,...

HIPAA and ResearchHIPAA and Research

Basics for IRBBasics for IRB

Tim AtkinsonTim Atkinson

Director, Research and Sponsored ProgramsDirector, Research and Sponsored Programs

Director, Institutional Review BoardDirector, Institutional Review Board

Research Privacy OfficerResearch Privacy Officer


Historically, the protection of human Historically, the protection of human subjects in research has been subjects in research has been presented as the responsibility of . . . presented as the responsibility of . . .

PIPI

InstitutionInstitution

IRBIRB


Also know as the . . .Also know as the . . .

TRIPODTRIPOD

… … of human subjects protection. of human subjects protection.

Kick one leg out, the whole thing falls Kick one leg out, the whole thing falls down.down.


And OHRP shows up and makes us fix And OHRP shows up and makes us fix the leg to prop it back up . . .the leg to prop it back up . . .


Or they make us get a new stool Or they make us get a new stool entirely . . .entirely . . .


And informed consent has been And informed consent has been somewhat taken for granted….somewhat taken for granted….


. . . as the subject layer of protection. . . . as the subject layer of protection.


The subject is responsible for his or her The subject is responsible for his or her own protection by means of effective own protection by means of effective informed consent. We reveal what will informed consent. We reveal what will happen, and the subject decides yes happen, and the subject decides yes or no to participate.or no to participate.


And now, introducing . . .And now, introducing . . .

SUBJECT AUTHORIZATIONSUBJECT AUTHORIZATION

Yet another opportunity for us to respect Yet another opportunity for us to respect the subjects rights when we use their the subjects rights when we use their information for research. information for research.


► RESEARCH ON THE DECEASED:RESEARCH ON THE DECEASED: ► It is the policy of UAMS that investigators must It is the policy of UAMS that investigators must

certify in writing the following three elements when certify in writing the following three elements when seeking information from RECORDS about the seeking information from RECORDS about the deceased: deceased:

► (1) Seeks use and disclosure of PHI from RECORDS (1) Seeks use and disclosure of PHI from RECORDS just for research on deceased individualsjust for research on deceased individuals

► (2) Will provide proof of death if RECORDS requests (2) Will provide proof of death if RECORDS requests it, and it, and

► (3) That the PHI sought from RECORDS is solely for (3) That the PHI sought from RECORDS is solely for research and nothing else. For these purposes, PIs research and nothing else. For these purposes, PIs will sign a form with these certifications on it. will sign a form with these certifications on it.

HIPAA and ResearchHIPAA and Research► Reviews Prepatory to Resarch :Reviews Prepatory to Resarch :

Investigators must certify in writing the following three elements Investigators must certify in writing the following three elements

► (1) The PI seeks use and disclosure of PHI from RECORDS (1) The PI seeks use and disclosure of PHI from RECORDS solely to review such information as necessary to prepare a solely to review such information as necessary to prepare a research protocol or similar purposes prepatory to researchresearch protocol or similar purposes prepatory to research

► (2) PI shall not remove any PHI from RECORDS in the course (2) PI shall not remove any PHI from RECORDS in the course of review (and will only collect de-identified data), and of review (and will only collect de-identified data), and

► (3) the PHI from RECORDS is necessary for research purposes. (3) the PHI from RECORDS is necessary for research purposes. For these purposes, PI’s must fill out FORM E, as attached, and For these purposes, PI’s must fill out FORM E, as attached, and submit it to UAMS Medical Records before UAMS Medical submit it to UAMS Medical Records before UAMS Medical Records can release the PHI to the ust ainvestigator. Records can release the PHI to the ust ainvestigator. RECORDS mccount for these disclosures. RECORDS mccount for these disclosures.

HIPAA and ResearchHIPAA and Research HIPAA Research Authorization Vs. Informed Consent for HIPAA Research Authorization Vs. Informed Consent for

ResearchResearch► After April 14, 2003, all research projects that use After April 14, 2003, all research projects that use

or create PHI will require subjects to sign the or create PHI will require subjects to sign the usual IRB approved informed consent to usual IRB approved informed consent to participate in a research project form AND an participate in a research project form AND an patient authorization. The IRB will look for the patient authorization. The IRB will look for the usual informed consent AND the additional HIPAA usual informed consent AND the additional HIPAA Research Authorization as criteria for granting Research Authorization as criteria for granting final approval for a research project. After April final approval for a research project. After April 14, 2003, if authorization is not included on 14, 2003, if authorization is not included on projects using or creating PHI, then the IRB will projects using or creating PHI, then the IRB will cite this as a minor revision prior to granting final cite this as a minor revision prior to granting final approval.approval.


Grandfathering HIPAA Research Grandfathering HIPAA Research Authorization Authorization

► Subjects consented prior to April 14, Subjects consented prior to April 14, 2003 under projects already 2003 under projects already approved by the IRB do NOT have to approved by the IRB do NOT have to sign authorization.sign authorization.


To Request a waiver of authorization from the IRB the PI MUST:To Request a waiver of authorization from the IRB the PI MUST:

(1) Provide a brief description of the PHI.(1) Provide a brief description of the PHI.(2) Use the following methods to ensure minimal risk to (2) Use the following methods to ensure minimal risk to privacy of individuals:privacy of individuals:

(a) Describe an adequate plan to protect the identifiers (a) Describe an adequate plan to protect the identifiers from improper use or disclosure.from improper use or disclosure.

(b) Describe an adequate plan to destroy the (b) Describe an adequate plan to destroy the identifiers at the earliest opportunity consistent with the identifiers at the earliest opportunity consistent with the conduct of research, unless there is a health or research conduct of research, unless there is a health or research justification for retaining the identifiers or retentions is justification for retaining the identifiers or retentions is required by law.required by law.

(c) Assure the IRB in writing that the PHI will not be re-(c) Assure the IRB in writing that the PHI will not be re-used or disclosed to any other person or entity, except as used or disclosed to any other person or entity, except as required by law, for authorized oversight of the research required by law, for authorized oversight of the research project, or for other research as permitted by the HIPAA project, or for other research as permitted by the HIPAA regulations.regulations.


If the IRB grants the waiver the letter must state:If the IRB grants the waiver the letter must state:► Name of the IRB and the FWA assurance number.Name of the IRB and the FWA assurance number.► Date of actionDate of action► A statement that the IRB determined that the A statement that the IRB determined that the

waiver satisfies all the criteria listed above.waiver satisfies all the criteria listed above.► A brief description of the PHI for which use and A brief description of the PHI for which use and

disclosure has been determined to be necessary disclosure has been determined to be necessary for research by the IRB. (Provided by the PI for research by the IRB. (Provided by the PI above).above).

► The type of review administered under the The type of review administered under the common rule (expedited, full)common rule (expedited, full)

► Signature of the chair or designee.Signature of the chair or designee.


HIPAA Research Authorization NOT HIPAA Research Authorization NOT required when data set is de-required when data set is de-identifiedidentified

Refer to UAMS De-Identification Refer to UAMS De-Identification Policy to determine proper de-Policy to determine proper de-identification methods. Properly de-identification methods. Properly de-identified data would fall outside this identified data would fall outside this policy. policy.


HIPAA Research Authorization is NOT required if the PI or PD HIPAA Research Authorization is NOT required if the PI or PD uses a Limited Data Set and Signs a Limited Data Set uses a Limited Data Set and Signs a Limited Data Set Agreement.Agreement.

The limited data set shall exclude the following identifiers:The limited data set shall exclude the following identifiers:► NameName► Street addressStreet address► Telephone and fax numbersTelephone and fax numbers► Email addressesEmail addresses► Social Security numberSocial Security number► Certifcate/License numberCertifcate/License number► URLS and IP addressesURLS and IP addresses► Full face photos and comparable images Full face photos and comparable images


Limited Data set CAN have:Limited Data set CAN have:

►Admission dateAdmission date►Discharge dateDischarge date►Service datesService dates►Date of deathDate of death►Age (including 90 or over)Age (including 90 or over)►Five digit zip codeFive digit zip code


Research on existing databasesResearch on existing databases

► Existing research databases must already Existing research databases must already have IRB approval. All new uses of have IRB approval. All new uses of existing databases, not yet approved by existing databases, not yet approved by the IRB, must be submitted to the IRB for the IRB, must be submitted to the IRB for approval before the new use is started. approval before the new use is started. The PI should approach the research The PI should approach the research using any of the above methods using any of the above methods described under the previously described described under the previously described procedures.procedures.


Collecting PHI for the sole purpose of creating Collecting PHI for the sole purpose of creating a research database.a research database.

► In order to collect PHI from RECORDS to In order to collect PHI from RECORDS to create a database or to create a database create a database or to create a database using PHI during the course of treatment using PHI during the course of treatment for the purpose of research, the PI must for the purpose of research, the PI must seek patient authorizations or seek a seek patient authorizations or seek a waiver of authorization from the IRB as waiver of authorization from the IRB as previously described. previously described.


Recruitment for Research under HIPAA.Recruitment for Research under HIPAA.

What’s been said:What’s been said:► Researchers, physicians and Researchers, physicians and

investigators may not retrieve investigators may not retrieve names from RECORDS to contact names from RECORDS to contact subjects without subject subjects without subject authorization or waiver of authorization or waiver of authorization as described.authorization as described.


Important NOTES:Important NOTES:

(1)(1) PI is responsible for research PI is responsible for research records (use and disclosure) records (use and disclosure) where no medical record exists.where no medical record exists.

(2)(2) ORSP will be responsible for limited ORSP will be responsible for limited data set agreements in conjunction data set agreements in conjunction with UA legal.with UA legal.


(1)Are you using protected health (1)Are you using protected health information defined by HIPAA?information defined by HIPAA?

No. HIPAA satisfied.No. HIPAA satisfied.

Yes. Goto Next SlideYes. Goto Next Slide


(2)Are you using de-identified subject (2)Are you using de-identified subject data? data?

Yes: HIPAA satisfiedYes: HIPAA satisfied

No: Goto Next SlideNo: Goto Next Slide


(3) Are you using a limited data set as (3) Are you using a limited data set as defined by HIPAA?defined by HIPAA?

Yes: A limited data set agreement is Yes: A limited data set agreement is required prior to final IRB approval. If required prior to final IRB approval. If the limited data set agreement is not the limited data set agreement is not attached to the IRB submission, the IRB attached to the IRB submission, the IRB will cite you one minor revision. HIPAA will cite you one minor revision. HIPAA SatisfiedSatisfied

No: Goto Next SlideNo: Goto Next Slide


(4) Additional HIPAA Subject (4) Additional HIPAA Subject Authorization Required. Please attach Authorization Required. Please attach it in the documents section. The IRB it in the documents section. The IRB will cite you one minor revision this will cite you one minor revision this form is not included during IRB review. form is not included during IRB review. HIPAA satisfied. HIPAA satisfied.

hipaa and research basics for irb tim atkinson director, research and sponsored programs director,...

Documents

research purposes

research projects

research protocol

research project form

records requests

records mccount

disclosure of phi

uams medical records