Section XII: Safeguarding Confidentiality and Records

WPP #: XII-3

Title 3: Health Insurance Portability and Accountability Act (HIPAA) Information and the Conduct of Research

Effective Date: 9-25-13

Revision History: 06-07-04; 6-21-06; 8-15-13

Policy Statement

Research involving access or use of protected health information is subject to compliance with Health Insurance Portability and Accountability Act (HIPAA) regulations. The VCU IRB is designated as a Privacy Board to ensure regulatory compliance requirements are met in the conduct of human participant research. All research activities involving Protected Health Information (PHI) must implement an appropriate pathway for the use or access as directed in the federal Privacy Rule (45 CFR 160 and 164).

Background

HIPAA, which took effect on April 14, 2003, was developed by the Office of Civil Rights and established the first-ever federal privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers. These standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed. They represent a uniform federal floor of privacy protections for consumers across the country, specifically protecting medical records and other individually identifiable health information, whether it is on paper, in computers or communicated orally. The Privacy Rule is codified in 45 CFR 160 and 164.

Key Points

  • HIPAA Regulations protect a subset of individually identifiable information, known as Protected Health Information (PHI), from inappropriate disclosure.
  • HIPAA Regulations only protect individually identifiable health information that is held or maintained by covered entities or their business associates that create, use or receive such information in a health care context.
  • The HIPAA regulations specifically address the use of protected health information for research purposes.

Definitions

VCU Affiliated Covered Entity (VCU ACE): VCU and VCUHS are jointly covered by HIPAA regulations under what is termed the VCU Affiliated Covered Entity (VCU ACE). All of the units included in the VCU ACE may have access to Protected Health Information through the conduct of standard business operations. The VCU ACE includes the following units:

  • VCU Health System (VCUHS) and all satellite clinics
  • School of Medicine
  • School of Pharmacy
  • School of Nursing
  • School of Dentistry
  • VCU Employee Health
  • VCU Telecommunications
  • VCU Audit & General Management
  • VCU Police Services
  • VCU Office of General Counsel
  • VCU Office of Research and Innovation

Protected Health Information (PHI): All individually identifiable health information that is obtained or maintained within the VCU Affiliated Covered Entity is considered protected health information. Health information is identifiable if any of the following 18 identifiers are maintained with the health information:

  1. Names
  2. Geographic subdivisions smaller than state, except 3 initial zip code digits
  3. All elements of dates (except year) and all ages over 89 (e.g., birth date, procedure date, admission date)
  4. Telephone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social security numbers
  8. Medical Record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographs and any comparable images
  18. Any other unique identifying number, characteristic or code

Procedures and Guidance

In order to utilize PHI in connection with research, researchers must access PHI through one of the following pathways:

  • Signed, written authorization from research participants;
  • Waiver of the authorization from the VCU IRB or Western IRB;
  • Partial waiver of authorization for recruitment from the VCU IRB or Western IRB;
  • Limited data set in conjunction with a data use agreement;
  • Review preparatory to research for research feasibility;
  • De-Identified data; or
  • Research on decedent's information.

Signed Authorization

  1. Signed authorization is the standard mechanism for accessing or using PHI in research. The Authorization describes risks to privacy and explains how, why and to whom PHI may be used or disclosed. When signing an authorization, research participants are directly authorizing the use of their PHI for research purposes. Generally, whenever informed consent is obtained, signed Authorization should be obtained. Researchers may choose to either:
    1. Combine the Authorization and the Informed Consent into a single document; or
    2. Utilize separate Informed Consent and Authorization documents.

    Templates for both options are available on the IRB website (see references below).

  2. HIPAA regulations require that authorization documents contain specific elements and statements. VCU researchers can ensure all of the requirements are being met by utilizing one of the template options. The required elements of Authorization are:
    1. Specific description of the PHI to be used or disclosed.
    2. Names or other specific identification of the person(s) or class of persons authorized to release the PHI (e.g., the covered entity).
    3. Names or other specific identification of the person(s) or class of persons to whom the PHI will be released (e.g., PI).
    4. The purpose for using the PHI (e.g., purpose of the research).
    5. Expiration date or event for when use is no longer authorized (for research this may be “end of the study” or “none” in cases where a research registry will be maintained).
    6. Statement of the individual’s right to revoke the authorization and how to do so, as well as any exceptions to the right to revoke.
    7. Statement indicating whether treatment, payment, enrollment, or eligibility for benefits can be conditioned on authorization, including research-related treatment and the consequences of refusing to sign the authorization.
    8. Statement of the potential risk that PHI will be re-disclosed by the researcher, and indicating that the disclosed PHI may no longer be protected under the Privacy Rule.
    9. Signature and date of the individual. If a legally authorized representative signs, the authorization must include a description of the representative’s authority to act for the individual.
  3. When combining authorization with informed consent and the consent includes optional activities, such as a research registry for future use, the HIPAA authorization must make it clear that the subject is not required to provide authorization for both the primary research activity and the registry.

  4. Submission for Approval:
    1. As applicable, investigators should submit an Informed Consent document containing authorization elements OR a separate Authorization document with applications to the IRB.
  5. Approvals:
    1. The VCU IRB will determine whether signed Authorization is the appropriate HIPAA pathway.
    2. When Authorization is combined with the Informed Consent, the IRB will approve the entire document.
    3. When the Authorization is a separate document, the IRB will ensure the document has been submitted but will not review the content of the Authorization. The investigator is responsible for ensuring the authorization contains all required elements.
    4. The approved HIPAA pathway(s) will be documented in the IRB approved smart form in RAMS-IRB.

Waiver of Authorization

  1. A Waiver of Authorization is a mechanism to use or disclose PHI for research purposes when obtaining a signed Authorization is not feasible. A Privacy Board or an IRB designated as a Privacy Board must approve a Waiver of Authorization. The VCU IRB and Western IRB have authority to approve Waivers of Authorization. Generally, a Waiver of Authorization is approvable if a Waiver of Informed Consent is approvable.

  2. Submission for Approval:
    1. In the research application to the IRB, Investigators should provide protocol-specific justification of the following to the IRB:
      1. The use or disclosure of the PHI involves no more than minimal risk (an expedited review) to the privacy of individuals based on, at least, the presence of the following:
        1. An adequate plan to protect health information identifiers from improper use and disclosure.
        2. An adequate plan to destroy identifiers at the earliest opportunity consistent with the conduct of the research.
        3. Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted under the Privacy Rule.
      2. The research could not practicably be conducted without the waiver of authorization.
      3. The research could not practicably be conducted without the PHI.
  3. Approval:
    1. The IRB may approve a Waiver of Authorization through either full board review or expedited review if all of the criteria in #2 above are adequately addressed in the research application and the conditions are satisfied.
    2. The approved HIPAA pathway(s) will be documented in the IRB approved smart form in RAMS-IRB.

Partial Waiver of Authorization for Recruitment

  1. A Partial Waiver of Authorization is required by VCU when researchers wish to identify a pool of potential research participants for recruitment purposes by searching medical records within the VCU ACE. The intent of the Partial Waiver of Authorization is to allow researchers to access individual’s PHI for recruitment. With a Partial Waiver of Authorization for Recruitment, if an individual decides to enroll in a study, full signed Authorization should be sought from the individual prior to beginning study procedures. The signed Authorization indicates permission for further use of PHI for the conduct of the study. When it is not practicable to obtain a signature on an Authorization document (e.g., when a study has an approved waiver of documentation of consent), then a partial waiver of the authorization (to waive the signature) should also be sought (see below).

  2. Submission for Approval:
    1. In the research application, investigators should provide protocol-specific justification of the following to the IRB:
      1. The use or disclosure of the PHI involves no more than minimal risk (an expedited review) to the privacy of individuals based on, at least, the presence of the following:
        1. An adequate plan to protect health information identifiers from improper use and disclosure.
        2. An adequate plan to destroy identifiers at the earliest opportunity consistent with the conduct of the research.
        3. Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted under the Privacy Rule.
      2. The research could not practicably be conducted without the partial waiver of authorization.
      3. The research could not practicably be conducted without the PHI.
    2. When utilizing a Partial Waiver of Authorization for recruitment, a signed Authorization will generally be necessary at the time of enrollment in the study unless full Authorization is waived or the signature is waived. Investigators should provide an Authorization form to the IRB (either combined with the informed consent form or a standalone document) that will be given to potential participants at the time of enrollment.
  3. Approval:
    1. The IRB may approve a Partial Waiver of Authorization through either full board review or expedited review if all of the criteria in #2 above are adequately addressed in the research application and the conditions are satisfied.
    2. The approved HIPAA pathway(s) will be documented in the IRB approved smart form in RAMS-IRB.

Partial Waiver of Authorization / Waiver of Authorization Elements

  1. A Partial Waiver of Authorization is required when researchers wish to use an Authorization form that does not include all of the required elements. When utilizing this pathway, Authorization is obtained from each research participant. However, the Authorization may include simplified language or fewer elements than the standard Authorization. For example, this option may be utilized to waive the signature on the Authorization form in situations where signed consent is also waived by the IRB. This option could also be used for research projects where the research participants have language barriers or low literacy levels.

  2. Submission for Approval:
    1. In the research application, investigators should describe to the IRB which Authorization elements will be waived or altered. The IRB application must also include protocol-specific justification of the following:
      1. The use or disclosure of the PHI involves no more than minimal risk (an expedited review) to the privacy of individuals based on, at least, the presence of the following:
        1. An adequate plan to protect health information identifiers from improper use and disclosure.
        2. An adequate plan to destroy identifiers at the earliest opportunity consistent with the conduct of the research.
        3. Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted under the Privacy Rule.
      2. The research could not practicably be conducted without the partial waiver of authorization.
      3. The research could not practicably be conducted without the PHI.
    2. When utilizing a Partial Waiver of Authorization, research participants must still be provided with the information for the Authorization or an Authorization document. Investigators should submit an Authorization form/language to the IRB (either combined with the informed consent form or a standalone document) that will be given or read to potential participants at the time of enrollment.
  3. Approval:
    1. The IRB may approve a Partial Waiver of Authorization through either full board or expedited review process if all of the criteria in #2 above are adequately addressed in the research application and the conditions are satisfied.
    2. The approved HIPAA pathway(s) will be documented in the IRB approved smart form in RAMS-IRB.

Limited Data Set and Data Use Agreement

  1. A Limited Data Set used in conjunction with a Data Use Agreement allows for the use of PHI without obtaining signed authorization or a waiver of authorization. A Limited Data Set may apply when the limited identifiers in (a) and/or (b) below are the only identifiers recorded in the research data. Limited Data Sets exclude 16 of the 18 HIPAA identifiers, but allow for inclusion of the following:
    (a) Geographic information above the street level (e.g., city, state, zip code)
    (b) All dates or elements of dates (e.g., birth date, procedure date, admission date)

    Whenever research will utilize PHI and only record the identifiers listed in (a) and/or (b) above, researchers are encouraged to utilize the Limited Data Set pathway.

    Use of a Limited Data Set requires that the investigator enter into a Data Use Agreement with the institution that is releasing the PHI. A Data Use Agreement provides assurances to the institution releasing the PHI that the PHI will only be used for a specific research purpose.

    A Data Use Agreement is needed even when VCU investigators access Limited Data Sets from within the VCU ACE.

    A Data Use Agreement must include the following provisions:

    1. Specific permitted uses and disclosures of the limited data set by the recipient consistent with the purpose for which it was disclosed.
    2. Identification of who is permitted to use or receive the limited data set.
    3. Stipulations that the recipient will:
      1. Not use or disclose the information other than permitted by the agreement or otherwise required by law.
      2. Use appropriate safeguards to prevent the use or disclosure of the information, except as identified in the agreement, and require the recipient to report to the covered entity any uses or disclosures in violation of the agreement.
      3. Hold any agent of the recipient (including subcontractors) to the standards, restrictions, and conditions stated in the agreement.
      4. Not identify the information or contact the individuals.
  2. Submission for Approval:
    1. Indicate in the IRB application materials that a Limited Data Set will be utilized.
    2. Submit a Data Use Agreement with the IRB application. A template agreement is available on the IRB website. The investigator should complete any protocol specific segments prior to submitting.
  3. Approval:
    1. The IRB will review the applicability of a limited data set, ensuring that no unallowable identifiers will be used.
    2. The approved HIPAA pathway(s) will be documented in the IRB approved smart form in RAMS-IRB.
    3. The Data Use Agreement will be signed by an authorized signatory and a copy returned to the investigator with study approval documents.

Review Preparatory to Research

  1. The Review Preparatory to Research serves as a mechanism to access PHI for the purpose of determining study feasibility (e.g., determining if an adequate number of patients exist to conduct the study) without obtaining signed authorization or waiver of authorization. In order to allow a Review Preparatory to Research, the investigator must assure the following:
    1. The use or disclosure is requested solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research,
    2. The PHI will not be removed from the covered entity in the course of review, and
    3. The PHI for which use or access is requested is necessary for the research.
  2. Submission for Approval:
    1. Submit the Review Preparatory to Research form either as part of an IRB application or to the Office of Research Subjects Protection independently if a study is not yet ready for IRB review.
  3. Approval:
    1. The Review Preparatory to Research form will be reviewed administratively by ORSP.
    2. The investigator will be notified of the approval.

HIPAA De-identified Data

  1. Health information that has none of the 18 HIPAA identifiers associated with it is considered de-identified health information. A code link to identifiers may not be retained when utilizing the de-identified pathway. De-identified data is not subject to HIPAA regulations.

    The use of de-identified health information would most often apply in secondary data studies (e.g., medical chart reviews) or other studies when the investigator does not record any identifiers into the research data and retains no link to identifiable information.

  2. Submission for Approval:
    1. Identify in IRB application materials that PHI will be used for the research, but select the de-identified data pathway.
  3. Approval:
    1. The IRB will verify that no identifiers will be recorded with research data and the de-identified data pathway is appropriate for the study.
    2. The approved HIPAA pathway(s) will be documented in the IRB approved smart form in RAMS-IRB.
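The identifier list, the Limited Data Set allowances and the de-identified pathway above amount to a decision rule over the fields a study retains. The following is an added example, not part of this policy or any VCU system, that encodes that rule in Python: field kinds, the `Field` schema model and the sample study schemas are hypothetical, and ages over 89 are assumed to follow the date elements they are listed with (allowed only in a Limited Data Set).

```python
from dataclasses import dataclass
from enum import Enum

class Pathway(Enum):
    DE_IDENTIFIED = "de-identified data (not subject to HIPAA)"
    LIMITED_DATA_SET = "limited data set with a data use agreement"
    PHI = "signed authorization or waiver of authorization"

# The 16 identifier categories from the policy's list that only the
# authorization/waiver pathways may retain. Dates and geography are handled
# separately because a Limited Data Set may keep (some of) them.
DIRECT_IDENTIFIERS = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "certificate_license", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "full_face_photo", "other_unique_code",
})

@dataclass(frozen=True)
class Field:
    """One column retained in the research data (hypothetical schema model)."""
    name: str
    kind: str         # a DIRECT_IDENTIFIERS key, or "geo", "date", "age", "other"
    detail: str = ""  # geo: street|city|zip5|zip3|state; date: full|month|year;
                      # age: over_89|under_90

def field_status(field: Field) -> str:
    """Classify one field as 'clean' (allowed in de-identified data),
    'lds' (allowed only in a Limited Data Set) or 'phi'."""
    if field.kind in DIRECT_IDENTIFIERS:
        return "phi"
    if field.kind == "geo":
        if field.detail in ("state", "zip3"):  # state, or 3 initial zip digits
            return "clean"
        if field.detail in ("city", "zip5"):   # above street level: LDS only
            return "lds"
        return "phi"                           # street-level address
    if field.kind == "date":
        return "clean" if field.detail == "year" else "lds"  # year alone is allowed
    if field.kind == "age":
        # Assumption: ages over 89 are grouped with date elements, so LDS-only.
        return "lds" if field.detail == "over_89" else "clean"
    return "clean"

def determine_pathway(fields, retains_code_link=False):
    """Return (Pathway, per-field statuses) for the fields a study retains."""
    fields = list(fields)
    if retains_code_link:
        # A code linking records back to identifiers is itself an identifier
        # ("any other unique identifying number, characteristic or code"), so
        # the de-identified pathway is unavailable.
        fields.append(Field("code_link", "other_unique_code"))
    statuses = {f.name: field_status(f) for f in fields}
    if "phi" in statuses.values():
        return Pathway.PHI, statuses
    if "lds" in statuses.values():
        return Pathway.LIMITED_DATA_SET, statuses
    return Pathway.DE_IDENTIFIED, statuses

# Constructed sample schemas for three hypothetical studies.
CHART_REVIEW = [Field("diagnosis", "other"), Field("birth_year", "date", "year"),
                Field("zip_prefix", "geo", "zip3"), Field("age", "age", "under_90")]
REGISTRY = [Field("admit_date", "date", "full"), Field("city", "geo", "city")]
TRIAL = [Field("mrn", "mrn"), Field("admit_date", "date", "full")]

if __name__ == "__main__":
    for label, schema in (("chart review", CHART_REVIEW), ("registry", REGISTRY),
                          ("trial", TRIAL)):
        pathway, per_field = determine_pathway(schema)
        print(f"{label}: {pathway.value} {per_field}")
```

The per-field statuses returned alongside the pathway show which column forces the outcome, which is the question an IRB application has to answer before the smart form is completed.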

Research on Decedents’ PHI

  1. Research using PHI only of deceased individuals may be conducted without obtaining Authorization from next of kin or a waiver of authorization. The institution must, however, obtain assurance from the investigator that:
    1. The use of the PHI is solely for research on the PHI of decedents,
    2. The PHI is necessary for the research, and
    3. Documentation, at the request of the institution, of the death of the individuals whose PHI will be used.
  2. Submission for Approval:
    1. When research involves PHI from decedents only, submit the Research on Decedents form to the Office of Research Subjects Protection. No IRB research application is required because decedents are not considered a “human participant” by the federal regulations.
    2. When research involves PHI from decedents and living individuals, submit an IRB research application. The Research on Decedents form is not required.
  3. Approval:
    1. The submitted form will be reviewed and approved administratively.
    2. The investigator will be notified of the approval.

Accounting for Disclosures (Unauthorized Disclosures)

Principal investigators are responsible for maintaining records of any disclosures of PHI in the following situations:

  1. Research requiring a signed Authorization: When PHI is disclosed to any individuals or entities not identified in a HIPAA Authorization.
  2. Research approved for a Waiver of Authorization: When PHI is disclosed to individuals or entities outside of the research team or mandated legal reporting requirements.

When the disclosure involves the PHI of fewer than 50 research participants, the investigator is responsible for documenting and retaining the following information pertaining to each disclosure:

  1. Names/lists of research participants whose PHI was disclosed
  2. Dates of disclosures
  3. To whom disclosure was made
  4. Brief description of what was disclosed
  5. Brief description of why disclosed

When the disclosure involves the PHI of more than 50 research participants, documentation for each individual research participant is not required. However, the investigator is responsible for documenting and retaining the following information pertaining to each disclosure:

  1. Name of protocol
  2. Types of PHI disclosed
  3. Dates of disclosure
  4. Contact information for recipients to whom PHI was disclosed
  5. Statement that specific individual’s PHI may / may not have been disclosed

The above information must be retained for a minimum of 6 years past study closure.

Minimum Necessary

HIPAA regulations require that investigators access and use only the minimum PHI necessary to conduct the research. Principal investigators should consider exactly what PHI is required for each study and only request what is absolutely necessary.

Document Retention

HIPAA regulations require that study documents pertaining to HIPAA covered research be maintained for a minimum of 6 years past the date of study closure with the IRB.

Breach of PHI

In situations where PHI is disclosed or possibly disclosed to unauthorized individuals or entities (e.g., unencrypted USB drive is stolen or lost), the event must be reported to the IRB as an Unanticipated Problem (Prompt Report). The possible breach must also be reported to the Privacy Office. Reporting such an event is critically important, as the institution has certain legal obligations that must be fulfilled in the event of a breach of PHI.

References

VCU HIPAA and Research Website
VCU HIPAA Forms and Templates
Office of Civil Rights HIPAA Website
Federal Privacy Rule (CFR 45 160 and 164)
NIH Privacy Rule Information for Researchers
Research Data Ownership, Retention, Access and Security