1

HIPAA Procedures For Researchers

Vinita Witanachchi, J.D.USF DRC Research Privacy Officer

HIPAA Program Coordinator

John Arnaldi, Ph.D.Coordinator, Education and Training

Division of Research ComplianceUniversity of South Florida

August 2003

2

HIPAA Procedures For Researchers

Certain health information that is individually identifiable is protected from use and disclosure by the segment of the Health Insurance Portability and Accountability Act (HIPAA) known as the Privacy Rule.

This health information is known as Protected Health Information (PHI)

3

What Is PHI?

PHI is all individually identifiable health information, including demographic data and biological specimens, that is created, maintained, or transmitted by a covered entity.

PHI can be in any form, including written, electronic, and verbal.

Examples of PHI include: human tissue, genetic material, medical charts, billing and insurance records.

4

Protected Health Information (PHI)– Is created, maintained, or transmitted by a health care

provider, health plan, or health care clearinghouse

– Relates to past, present, or future:• Physical or mental condition(s)• Provision of care to an individual• Payment for provision of health care to an individual

– And, identifies the individual(or there is a reasonable basis to believe that the information can be used to identify the individual)

5

Who is subject to the Privacy Rule?

Individuals, agencies, and institutions who meet the definition of Covered Entities include:– Health care providers (medical and mental health) who

transmit PHI electronically for any covered HIPAA transactions, e.g., COM, CON

– Researchers who render health care and who are employed by a covered entity

– Community clinic or social service agency– Health insurer, HMO, or health plan– A health care clearinghouse

6

Impact on USF Human Subject Research

-Access to PHIResearcher must understand the permissible routes of access to PHI for research activity

And

-Restrictions on Use and Disclosure of PHResearcher must implement necessary safeguards to protect the PHI

7

Impact on Human Subject Research (cont.)

The Privacy Rule permits a covered entity (USF or its Affiliate Institutions) to use and disclose PHI for research

• When an individual Authorization has been obtained from a research participant, OR

• When a Waiver of Authorization has been obtained.• There are other limited situations where PHI can be

used/disclosed without an Authorization e.g use of PHI on decedents, use of PHI for Reviews Preparatory to Research, limited data sets, etc.

8

Impact on USF Human Subject Research (cont.)

• The purpose of this presentation is to provide researchers who use PHI created, maintained, or owned by USF with the information they need for compliance with the Privacy Rule.

• If the source of the PHI is not USF, please consult the affiliate site Research Privacy Officer for instructions on how to comply with the Privacy Rule at that particular site.

9

Impact on Human Subject Research (cont.)

• USF AuthorizationsThe DRC Research Privacy Officer will review the USF Authorizations. The Authorization template is available on our HIPAA Web Page: http://www.research.usf.edu/cs/hipaa.htm

• Waiver/Alteration ApplicationsThe DRC Privacy Board will review and approve the Waiver/Alteration Applications. This service will be provided to Affiliate Institutions as well.

10

Existing IRB-Approved Studies

The ‘Transition Provision’ in the Privacy Rule permits covered entities (USF) to continue to use and disclose PHI for research, if it has obtained prior to April 14, 2003,

• An IRB approved consent form, or

• An IRB approved waiver of consent, or

• An express legal permission (e.g., a signed authorization)

11

Existing IRB-Approved Studies (cont.)

In an existing study that uses an informed consent, if any participant is enrolled on or after April 14, 2003, then the researcher MUST adhere to the Privacy Rulei.e., an Authorization for each subject that is enrolled after the compliance date must be in place. For those newly enrolled subjects, the IRB-approved consent will not replace the Authorization.

12

New Studies

To use/disclose PHI in research, the researcher must obtain- An Authorization from the individual participantOr- A Waiver/Alteration of Authorization for the study.

An Authorization is the HIPAA equivalent of consent to use and disclose data in research.

13

Enrollment in Existing and New Studies

To use/disclose USF PHI, the researcher must do the following:

1. Identify all existing/planned studies in which human subjects will be enrolled on or after April 14, 2003, and decide whether you will use/disclose PHI of the subject in the course of research.

2. Complete an Authorization form (available on the DRC website).

3. Submit the completed Authorization form to the DRC for review by the DRC Research Privacy Officer.

14

4. Unless revisions are required, the Authorization form will be returned with an approval stamp. (If revisions are required, the researcher will be notified)

5. Present the approved Authorization form to subjects who are consented for the study and obtain their signature and the date.

6. File the signed Authorization form with the subject’s Informed Consent Form.

Enrollment in Existing and New Studies (cont.)

15

7. It is permissible to condition research-related treatment upon whether the potential subject signs the Authorization.

If a potential subject refuses to sign the Authorization, the researcher cannot use that subject’s PHI in the study.

Enrollment in Existing and New Studies (cont.)

16

Submission of Authorization - USF PHI

• New Studies: Authorization form must be submitted to the DRC along with the IRB Application For Initial Review.

• Existing Studies (those with IRB approval before 4-14-03): Authorization form must be submitted to the DRC. The submission may be via hard copy to DRC or e-mail to hippaforms@research.usf.edu

17

Submission of Authorization - Affiliates

New Studies: • Contact the Affiliate site for its procedures. The Affiliate

Authorization must be approved by the Affiliate site. • Submit the IRB Application for Initial Review along with

a copy of the Affiliate-approved Authorization to the DRC to be processed through the IRB.

18

Criteria for Waiver/AlterationTo be eligible for a Waiver/Alteration, your study (new or existing) must meet all of the following criteria:

1. The use or disclosure of the subject’s PHI will involve no more than minimal risk to the privacy of the individual subject based on all of the following:

– An adequate plan to protect the identifiers from improper use or disclosure

– An adequate plan to destroy the identifiers at the earliest opportunity (unless retention of the identifiers is required by law, or justified by research or health reasons), and

– A written assurance that the PHI will not be used/disclosed to a third party except as required by law or for authorized oversight of the research study, or when permitted by a written document.

19

Criteria for Waiver/Alteration (cont.)

2. The research could not practicably be conducted without the waiver (e.g., it is not feasible to get an individual Authorization; this may be due to not being able to locate them or because they are deceased),

And

3. The research could not practicably be conducted without access to and use of the PHI (the data being sought is essential to the conduct of the study).

20

If you need access to PHI but cannot obtain an Authorization, then you must submit an Application for Waiver/Alteration of Authorization (available on the DRC website) to the DRC for review by the DRC Privacy Board.

• For New studies: When you submit the Application for Waiver/Alteration, please include the IRB Application for Initial Review.

• For Existing studies: Submit the Application for Waiver/Alteration to the DRC via hard copy to DRC ore-mail to hippaforms@research.usf.edu

Criteria for Waiver/Alteration (cont.)

21

Studies Exempt from IRB Oversight

IRB-exempted research that would involve the review of medical charts and the use/disclosure of PHI on or after April 14, 2003, must comply with the HIPAA requirements.

If Waiver criteria apply:• For New IRB-Exempt studies: submit completed

Application for Waiver/Alteration along with the IRB Exemption Certification Request

• For Existing studies: Submit the Application for Waiver/Alteration to the DRC via hard copy to DRC ore-mail to hippaforms@research.usf.edu

22

Research Use/Disclosures That Do Not Require Authorizations or Waivers

1. Review of USF PHI Preparatory to Research:• Complete and submit the Use of Protected Health

Information Preparatory to Research Form to the DRC for review by the DRC Research Privacy Officer.

• A copy of the approved form with the approval stamp will be returned to the researcher. (If changes are needed, the researcher will be notified.)

• If the decision has been made to conduct the research, a copy of the approved form should be maintained with your study documentation.

23

Research Use/Disclosures Not Requiring Authorizations or Waivers (cont.)

2. Use of USF PHI of Decedents for Research Purposes:• Complete and submit the Use of Protected Health

Information on Decedents for Research Purposes Form to the DRC for review by the DRC Research Privacy Officer.

• A copy of the approved form with the approval stamp will be returned to the researcher. (If changes are needed, the researcher will be notified).

• If decision has been made to conduct the research, a copy of the approved form should be maintained with your study documentation.

24

Special Rules Regarding DatabasesCreating and maintaining databases containing PHI is considered research.

• If you will use existing databases containing PHI for research after April 14, 2003, you must obtain Authorizations or Waivers of Authorization before accessing the data.

• If you will create or maintain databases for future analysis, you must comply with HIPAA (i.e., you must obtain Authorizations or Waivers before creating the database) in addition to obtaining IRB approval. Once it has been created, you will need to obtain an Authorization or Waiver of Authorization before accessing data for research purposes.

25

Research Subject Recruitment

• Recruitment for research is subject to the general authorization requirement unless the Researcher has a direct treatment relationship with the patient.

• A Researcher who has a direct treatment relationship with the patient can engage in conversations related to recruitment without having to obtain Authorizations or Waivers of Authorization.

26

Research Subject Recruitment (cont.)

• A Researcher who is not part of the Covered Entity’s workforce could apply for a partial Waiver of Authorization to access PHI for recruitment purposes only.

• A Researcher who is part of the Covered Entity’s workforce can access data via the mechanism of use of PHI preparatory to research. Such data can be used to recruit/screen subjects as long as the researcher does not remove the data from the Covered Entity.

27

Revocation of Authorization

Research subjects can revoke their Authorization in writing at any time. This is subject to an exception known as the ‘Reliance Exception’ (explained in next slide).

• A subject wishing to revoke the Authorization must be given a form for Revocation of Authorization. A template for creating this form is available on our HIPAA Web Page at http://www.research.usf.edu/cs/hipaa.htm.

• If the subject does not sign and return the form, then the researcher may continue to use the PHI and treat the Authorization as valid.

28

Reliance Exception to Revocation

The Reliance Exception allows researchers to use and disclose a subject’s PHI that was obtained before the subject’s revocation in the following ways:– To account for a subject’s withdrawal from the study– To conduct investigations of scientific misconduct– To report adverse events– As necessary to incorporate the information of a

marketing application to FDA

29

Research Subject’s Rights

• Right to an Accounting:Accounting of the following research related disclosures of PHI are required:

• Disclosures as allowed by a Waiver/Alteration of Authorization

• Reviews preparatory to research• Research on PHI of decedents• Disclosures made as allowed by law

30

Research Subject’s Rights (cont.)

The covered entity is not required to account to the subjects for the following types of disclosures:

• Disclosures made to the individual subject.• Disclosures authorized by the subject (i.e., the research

subject has signed an Authorization for this use/disclosure of PHI).

• De-identified data and limited data sets.• Disclosures made prior to 4-14-03.

31

Sanctions for Non-ComplianceSignificant penalties may be imposed against USF and individual researchers.

• Civil Penalties: – Based on patient complaints: $100 per violation with

$25,000 maximum per year• Criminal Penalties:

– Knowingly wrongful disclosures: fines up to $50,000 and/or up to 1 year in prison

– Under false pretenses: fines up to $100,000 and/or up to 5 years in prison

– With intent to sell: fines up to $25,000 and/or up to 10 years in prison

32

Forms and More Information

• Information Guides and all forms are available on the USF Division of Research Compliance website:http://www.research.usf.edu/cs/hipaa.htm

• For more information regarding compliance with HIPAA in research, please contact:Vinita WitanachchiUSF DRC Research Privacy OfficerHIPAA Program CoordinatorPhone: (813) 974-5478