HIPAA, Researchers and the IRB Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator
Dec 20, 2015
HIPAA, Researchers and the IRB
Alan Homans, IRB Chair and
Nancy Stalnaker, IRB Administrator
Introduction
• This is a preliminary overview – much more This is a preliminary overview – much more information to comeinformation to come
• Be kind – we do NOT have all the answers – Be kind – we do NOT have all the answers – but we do want to hear the questionsbut we do want to hear the questions
• Be patient – the final Privacy Rule was first Be patient – the final Privacy Rule was first available on August 14, 2002 – we are available on August 14, 2002 – we are working furiously!working furiously!
• Don’t blame us – we didn’t write it!Don’t blame us – we didn’t write it!
• This is a preliminary overview – much more This is a preliminary overview – much more information to comeinformation to come
• Be kind – we do NOT have all the answers – Be kind – we do NOT have all the answers – but we do want to hear the questionsbut we do want to hear the questions
• Be patient – the final Privacy Rule was first Be patient – the final Privacy Rule was first available on August 14, 2002 – we are available on August 14, 2002 – we are working furiously!working furiously!
• Don’t blame us – we didn’t write it!Don’t blame us – we didn’t write it!
What are the new Privacy Standards? What are the new Privacy Standards?
• Limits the use and release of health informationLimits the use and release of health information
• Gives patients the right to access their medical recordsGives patients the right to access their medical records And to know And to know who elsewho else accessed their health accessed their health
informationinformation Restricts most disclosure of health information to Restricts most disclosure of health information to
the the minimal intended purposeminimal intended purpose• Establishes civil/criminal penalties for improper use or Establishes civil/criminal penalties for improper use or
disclosuredisclosure
• Establishes new requirement for access to records by Establishes new requirement for access to records by researchersresearchers
• Limits the use and release of health informationLimits the use and release of health information
• Gives patients the right to access their medical recordsGives patients the right to access their medical records And to know And to know who elsewho else accessed their health accessed their health
informationinformation Restricts most disclosure of health information to Restricts most disclosure of health information to
the the minimal intended purposeminimal intended purpose• Establishes civil/criminal penalties for improper use or Establishes civil/criminal penalties for improper use or
disclosuredisclosure
• Establishes new requirement for access to records by Establishes new requirement for access to records by researchersresearchers
What Research is Affected?
Privacy rule applies to research that Privacy rule applies to research that uses uses Protected Health Information Protected Health Information (PHI).(PHI). PHI is individually identifiable PHI is individually identifiable health information.health information.
Privacy rule applies to research that Privacy rule applies to research that uses uses Protected Health Information Protected Health Information (PHI).(PHI). PHI is individually identifiable PHI is individually identifiable health information.health information.
What Research is Affected?
Three categories of identifiability:Three categories of identifiability:
1. PHI – Identifiable – rule applies
2. De-Identified Information - rule does not apply
3. Limited Data Set – a middle option - limited parts of the rule apply
Three categories of identifiability:Three categories of identifiability:
1. PHI – Identifiable – rule applies
2. De-Identified Information - rule does not apply
3. Limited Data Set – a middle option - limited parts of the rule apply
What Research is Affected?
• ““De-IdentifiedDe-Identified” – there are ” – there are 18 specific identifiers18 specific identifiers which must be removed to be considered de-which must be removed to be considered de-identified – thus not covered by rule.identified – thus not covered by rule.
• Limited Data SetLimited Data Set – Not fully “de-identified” – can – Not fully “de-identified” – can retain certain dates, geographic info and unique retain certain dates, geographic info and unique identifying numbers . Most privacy rule identifying numbers . Most privacy rule requirements do not apply, the minimum requirements do not apply, the minimum necessary standard does apply and a data use necessary standard does apply and a data use agreement is required.agreement is required.
• ““De-IdentifiedDe-Identified” – there are ” – there are 18 specific identifiers18 specific identifiers which must be removed to be considered de-which must be removed to be considered de-identified – thus not covered by rule.identified – thus not covered by rule.
• Limited Data SetLimited Data Set – Not fully “de-identified” – can – Not fully “de-identified” – can retain certain dates, geographic info and unique retain certain dates, geographic info and unique identifying numbers . Most privacy rule identifying numbers . Most privacy rule requirements do not apply, the minimum requirements do not apply, the minimum necessary standard does apply and a data use necessary standard does apply and a data use agreement is required.agreement is required.
18 Items Which 18 Items Which MustMust BeBe RemovedRemoved to Be to Be “De-identified”“De-identified”
18 Items Which 18 Items Which MustMust BeBe RemovedRemoved to Be to Be “De-identified”“De-identified”
1.1. NamesNames2.2. ALLALL geographic subdivisions geographic subdivisions smaller than the statesmaller than the state3.3. All elements of dates All elements of dates smaller than a year smaller than a year (i.e. birth birth
date, admission, discharge, death, etc.)date, admission, discharge, death, etc.)4.4. Phone numbersPhone numbers5.5. Fax numbers Fax numbers 6.6. E-mail addressesE-mail addresses7.7. SS numbersSS numbers8.8. Medical record numberMedical record number9.9. Health plan beneficiaryHealth plan beneficiary
1.1. NamesNames2.2. ALLALL geographic subdivisions geographic subdivisions smaller than the statesmaller than the state3.3. All elements of dates All elements of dates smaller than a year smaller than a year (i.e. birth birth
date, admission, discharge, death, etc.)date, admission, discharge, death, etc.)4.4. Phone numbersPhone numbers5.5. Fax numbers Fax numbers 6.6. E-mail addressesE-mail addresses7.7. SS numbersSS numbers8.8. Medical record numberMedical record number9.9. Health plan beneficiaryHealth plan beneficiary
10.10. Any other account numbers Any other account numbers 11.11. Certificate/license numbersCertificate/license numbers12.12. Vehicle identifiersVehicle identifiers13.13. Device identification numbersDevice identification numbers14.14. WEB URL'sWEB URL's15.15. Internet IP address numbersInternet IP address numbers16.16. Biometric identifiers (fingerprint, voice prints, retina Biometric identifiers (fingerprint, voice prints, retina
scan, etc)scan, etc)17.17. Full face photographs or comparable imagesFull face photographs or comparable images18.18. Any other unique number, characteristic or code.Any other unique number, characteristic or code.
10.10. Any other account numbers Any other account numbers 11.11. Certificate/license numbersCertificate/license numbers12.12. Vehicle identifiersVehicle identifiers13.13. Device identification numbersDevice identification numbers14.14. WEB URL'sWEB URL's15.15. Internet IP address numbersInternet IP address numbers16.16. Biometric identifiers (fingerprint, voice prints, retina Biometric identifiers (fingerprint, voice prints, retina
scan, etc)scan, etc)17.17. Full face photographs or comparable imagesFull face photographs or comparable images18.18. Any other unique number, characteristic or code.Any other unique number, characteristic or code.
18 Items Which Must Be Removed to Be 18 Items Which Must Be Removed to Be “De-identified” (continued)“De-identified” (continued)
How to obtain PHI for research?How to obtain PHI for research?How to obtain PHI for research?How to obtain PHI for research?
1.1. AuthorizationAuthorization
2.2. Waiver of AuthorizationWaiver of Authorization
1.1. AuthorizationAuthorization
2.2. Waiver of AuthorizationWaiver of Authorization
How to obtain authorization for use of PHI?
• To use or disclose To use or disclose PHIPHI
• Driven by Privacy Driven by Privacy RuleRule
• Reviewed by IRB or Reviewed by IRB or Privacy Board (our Privacy Board (our IRB will serve as the IRB will serve as the Privacy Board)Privacy Board)
• To use or disclose To use or disclose PHIPHI
• Driven by Privacy Driven by Privacy RuleRule
• Reviewed by IRB or Reviewed by IRB or Privacy Board (our Privacy Board (our IRB will serve as the IRB will serve as the Privacy Board)Privacy Board)
• To participate in the To participate in the research based on research based on the risks and benefits the risks and benefits
• Driven by the Driven by the Common RuleCommon Rule
• Reviewed by IRBReviewed by IRB
• To participate in the To participate in the research based on research based on the risks and benefits the risks and benefits
• Driven by the Driven by the Common RuleCommon Rule
• Reviewed by IRBReviewed by IRB
Informed Consent AuthorizationAuthorization
How to obtain authorization IIHow to obtain authorization IIHow to obtain authorization IIHow to obtain authorization II
• Required elements in an authorizationRequired elements in an authorization
SpecificSpecific and and meaningfulmeaningful description of description of what information will be used or disclosedwhat information will be used or disclosed
WhoWho may use or disclose may use or disclose To whom the PHI will be disclosedTo whom the PHI will be disclosed Why Why the use or disclosure is being made the use or disclosure is being made
(each purpose) Notice that authorization (each purpose) Notice that authorization may be revoked; may be revoked;
Notice that the information may be Notice that the information may be disclosed to others not subject to the disclosed to others not subject to the Privacy RulePrivacy Rule
How to obtain authorization IIIHow to obtain authorization IIIHow to obtain authorization IIIHow to obtain authorization III
• Required elements in an authorizationRequired elements in an authorization Statement of Statement of how longhow long the use or disclosure the use or disclosure
will continue (no expiration date is allowed will continue (no expiration date is allowed for research purposes - but this must be for research purposes - but this must be explicitly stated in the authorization form)explicitly stated in the authorization form)
Notice that the covered entity may or may Notice that the covered entity may or may not condition treatment or payment on the not condition treatment or payment on the individual’s signatureindividual’s signature
Individual’s Individual’s signature and datesignature and date
• Required elements in an authorizationRequired elements in an authorization Statement of Statement of how longhow long the use or disclosure the use or disclosure
will continue (no expiration date is allowed will continue (no expiration date is allowed for research purposes - but this must be for research purposes - but this must be explicitly stated in the authorization form)explicitly stated in the authorization form)
Notice that the covered entity may or may Notice that the covered entity may or may not condition treatment or payment on the not condition treatment or payment on the individual’s signatureindividual’s signature
Individual’s Individual’s signature and datesignature and date
How to obtain Authorization?
Authorization language will Authorization language will be provided as a template by be provided as a template by the IRB, to be incorporated the IRB, to be incorporated into the informed consent into the informed consent document.document.
Authorization language will Authorization language will be provided as a template by be provided as a template by the IRB, to be incorporated the IRB, to be incorporated into the informed consent into the informed consent document.document.
How to obtain Waiver of Authorization?
How to obtain Waiver of Authorization?
In research, authorization is In research, authorization is notnot required required if it meets the criteria for waiver outlined if it meets the criteria for waiver outlined in the privacy rule.in the privacy rule.
In research, authorization is In research, authorization is notnot required required if it meets the criteria for waiver outlined if it meets the criteria for waiver outlined in the privacy rule.in the privacy rule.
• No more than minimal riskNo more than minimal risk
• Not adversely affect rights Not adversely affect rights and welfare of subjectsand welfare of subjects
• Research cannot be done Research cannot be done without waiverwithout waiver
• When appropriate, When appropriate, information will be information will be provided to subjects of provided to subjects of researchresearch
• No more than minimal riskNo more than minimal risk
• Not adversely affect rights Not adversely affect rights and welfare of subjectsand welfare of subjects
• Research cannot be done Research cannot be done without waiverwithout waiver
• When appropriate, When appropriate, information will be information will be provided to subjects of provided to subjects of researchresearch
• No more than minimal risk to No more than minimal risk to privacyprivacy, based on, at least:, based on, at least: Plan to protect identifiersPlan to protect identifiers Plan to destroy identifiers Plan to destroy identifiers
ASAPASAP Written assurance that PHI Written assurance that PHI
will not be used/disclosed will not be used/disclosed with few exceptionswith few exceptions
• Research Research cannot be donecannot be done without waiver, andwithout waiver, and
• Research cannot be done Research cannot be done without this PHIwithout this PHI
• No more than minimal risk to No more than minimal risk to privacyprivacy, based on, at least:, based on, at least: Plan to protect identifiersPlan to protect identifiers Plan to destroy identifiers Plan to destroy identifiers
ASAPASAP Written assurance that PHI Written assurance that PHI
will not be used/disclosed will not be used/disclosed with few exceptionswith few exceptions
• Research Research cannot be donecannot be done without waiver, andwithout waiver, and
• Research cannot be done Research cannot be done without this PHIwithout this PHI
COMMON RULE PRIVACY RULE
CRITERIA FOR CRITERIA FOR WAIVER OF AUTHORIZATIONWAIVER OF AUTHORIZATION
CRITERIA FOR CRITERIA FOR WAIVER OF AUTHORIZATIONWAIVER OF AUTHORIZATION
TRANSITION TO PRIVACY RULETRANSITION TO PRIVACY RULETRANSITION TO PRIVACY RULETRANSITION TO PRIVACY RULE
• Compliance date: April 14, 2003Compliance date: April 14, 2003
• Informed consents and waivers Informed consents and waivers
What’s grandfathered?What’s grandfathered?When are new forms required?When are new forms required?
• Compliance date: April 14, 2003Compliance date: April 14, 2003
• Informed consents and waivers Informed consents and waivers
What’s grandfathered?What’s grandfathered?When are new forms required?When are new forms required?
4/14/03
HIPAA DAY!!
If:If: All informed consents signed All informed consents signed before HIPAA-daybefore HIPAA-day
HIPAA DAY!!
Planned enrollment of subjects
Planned long-term assessment period
IRB approval
Informed consents GRANDFATHERED
4/14/03
HIPAA DAY!!IRB approval
Planned enrollment of subjects
Planned long-term assessment period
If: Informed consents signed If: Informed consents signed before and after HIPAA-daybefore and after HIPAA-day
Grand-fathered
Addendum needed
If: All informed consents signed If: All informed consents signed after HIPAA-dayafter HIPAA-day
4/14/03
HIPAA DAY!!
Planned enrollment of subjects
Planned long-term assessment period
New forms or addendum needed
IRB approval
4/14/03
HIPAA DAY!!
If: Waiver of informed consentIf: Waiver of informed consent approved before HIPAA-dayapproved before HIPAA-day
HIPAA DAY!!IRB approval
Waiver GRANDFATHERED
If: Waiver of consent If: Waiver of consent approved after HIPAA-dayapproved after HIPAA-day
4/14/03
HIPAA DAY!!
New waiver needed
IRB Approval
REMINDERSREMINDERSREMINDERSREMINDERS
• When the authorization language is When the authorization language is finalized, the IRB will contact you to finalized, the IRB will contact you to inform you what you need to doinform you what you need to do
• HIPAA is HIPAA is in additionin addition to current IRB to current IRB human subject requirements - when human subject requirements - when both regulations apply, both both regulations apply, both requirements must be followedrequirements must be followed
• When the authorization language is When the authorization language is finalized, the IRB will contact you to finalized, the IRB will contact you to inform you what you need to doinform you what you need to do
• HIPAA is HIPAA is in additionin addition to current IRB to current IRB human subject requirements - when human subject requirements - when both regulations apply, both both regulations apply, both requirements must be followedrequirements must be followed
REMINDERSREMINDERS
Message Message Messenger Messenger
AcknowledgementAcknowledgement
Some of the material used in this presentation Some of the material used in this presentation was developed by P. Pearl O'Rourke, M.D., was developed by P. Pearl O'Rourke, M.D., Director of Human Research Affairs at Partners Director of Human Research Affairs at Partners HealthCare Systems, in Boston, MA and we are HealthCare Systems, in Boston, MA and we are grateful to her for her willingness to share this grateful to her for her willingness to share this information with us. information with us.
Some of the material used in this presentation Some of the material used in this presentation was developed by P. Pearl O'Rourke, M.D., was developed by P. Pearl O'Rourke, M.D., Director of Human Research Affairs at Partners Director of Human Research Affairs at Partners HealthCare Systems, in Boston, MA and we are HealthCare Systems, in Boston, MA and we are grateful to her for her willingness to share this grateful to her for her willingness to share this information with us. information with us.