
HIPAA Requirements for Patient Oriented Research.

Date post: 15-Dec-2015
Upload: amelia-milbourne

UPENN HIPAA Experts

Contacts

Lauren Steinfeld, University Chief Privacy Officer, 215-573-3348, [email protected]

Yvonne Higgins, Office of Regulatory [email protected]/regulatoryaffairs

Debbie Gilead, Chief Privacy Officer, UPHS, [email protected]

HIPAA Resources for Researchers: www.med.upenn.edu/ohr/hipaa

University of Pennsylvania

Background - HIPAA Privacy Rule

• HIPAA: Health Insurance Portability and Accountability Act outlines the Privacy Regulations

• Purpose: to protect privacy of patient records provided to health plans, doctors, hospitals and other health care providers

• Patients: provided with access to their records and more control over how their Protected Health Information (PHI) is used and disclosed

• Research: Includes specific rules surrounding clinical research and the collection and use of PHI for research purposes

• Owner: Developed by DHHS, enforced by OCR (Office of Civil Rights)

• Start date: April 14, 2003

Definitions

Individually Identifiable Health Information

• Information about the physical or mental health of an individual

• Created or received by a covered entity

• Relates to individual’s health, health care or payment for care - past, present or future

• Reasonable belief that the information can be used to identify a particular individual

• Applies to defined standard transactions

Protected Health Information (PHI)

• All individually identifiable health information transmitted or maintained by a covered entity, regardless of form or media

– Includes oral communications

– Excludes education records

– Excludes employment records

Definitions - Covered Entity

UPenn School of Medicine

HUP

CPUP (Clinical Practices)

Presbyterian Hospital

Graduate Hospital

Pennsylvania Hospital

Penn Center for Rehab

CCA (Clinical Care Associates)

Others…

Does not include CHOP or VA

Uses and Disclosures of PHI in Research

There are FOUR ways to use PHI in Research:

1) Authorization

2) IRB Waiver of Authorization

3) Limited Data Set

4) De-Identified Data

HIPAA Authorization

The authorization must cover:

• Health information collected as part of the study

• Who may use or disclose the information

• Who may receive the information

• Purpose of the use or disclosure

• Duration of authorization (i.e. note expiration date or the fact that authorization does not expire)

• Right to revoke authorization

• Reference to the Notice of Privacy Practices

• Information disclosed outside the covered entity may not be protected by HIPAA

Template can be downloaded from: www.med.upenn.edu/ohrtrain/hipaa

HIPAA Authorization

Authorization approaches:

• Stand-alone authorization form

• Authorization incorporated into study informed consent form

Preferred approach: stand-alone form

• Current standard language not at 6th-8th grade level

• Regulations may change, with resultant change to standard language (i.e. form can be changed without requiring IRB re-approval of ICF)

IRBs are not required to approve authorization language

Stand-alone template can be downloaded from: www.med.upenn.edu/ohrtrain/hipaa

HIPAA Authorization

Individual Authorization is a one-time individual permission to use or disclose PHI for non-transaction and payment activities (includes research).

The Authorization language requirements are very detailed and must be protocol specific.

No accounting requirement for disclosures obtained with an authorization.

IRB Waiver of Authorization

IRB must document review of the following waiver criteria:

– Use or disclosure involves no more than minimal risk to the individuals;

– The research could not be practicably conducted without the waiver; and

– The research could not be practicably conducted without access to the PHI.

IRB Waiver of Authorization

Accounting Requirements:

• Disclosures made via a waiver must be subject to an accounting process

• Patients have the right to receive an account of disclosures made of their protected health information (PHI)

• PIs or research staff must record all applicable disclosures of PHI as required

Accounting for Disclosures

• Date or range of dates of disclosure

• Name of entity to whom the information was disclosed

• The address of entity to whom PHI was disclosed

• Description of the PHI disclosed

• Statement explaining the purpose of the disclosure or a copy of the written request for disclosure if available

IRB Waiver of Authorization

When Do You Need a Waiver?

• Epidemiological Research where it is impractical to get authorization

• Research Chart Reviews (note Protocol Preparation Exception)

• Recruitment only if the subject’s contact information is being disclosed outside of SOM/UPHS. But note the following:

– Any subject recruitment within the SOM/UPHS should follow the HIPAA policy guidelines

– Also, “outside” SOM/UPHS includes the VA, CHOP, and other Schools of the University (except Nursing researchers)

– If the PI has a dual appointment and one appointment is in the SOM that individual is “inside” the covered entity.

IRB Waiver of Authorization

When Don’t You Need a Waiver?

• Protocol Preparation (refer to HIPAA exceptions slide)

• Recruitment “inside” the SOM/UPHS covered entity

• Research Using an Authorization - but note:

– A waiver may be required in addition to the authorization if PHI collected prior to authorization is disclosed outside of UPHS/SOM.

• Research Using De-identified Data

IRB Waiver of Authorization

How do you apply for a Waiver?

• Complete the Request for Waiver of IRB Authorization Form:

www.upenn.edu/regulatoryaffairs/human/forms.html

www.med.upenn.edu/ohrtrain/hipaa

• Submit a complete protocol & grant application if the waiver is to be part of a funded proposal.

Limited Data Set

The limited data set is PHI without facial or direct identifiers

• Only applies to research, public health and health care operations

• Research conducted as part of an IRB approved protocol

• Information may be used or disclosed without individual authorization

• “Data Use Agreement” required for disclosure

Limited Data Set

Facial identifiers

• name

• street address

• telephone and fax numbers

• e-mail address

• social security number

• certificate/license numbers

• vehicle identifiers and serial numbers

• URLs and IP addresses

• full face photos and any other comparable images

• medical record numbers (prescription numbers), health plan beneficiary numbers, and other account numbers

• device identifiers and serial numbers

• biometric identifiers, including finger and voice prints

When do I need a Data Use Agreement?

• When the following conditions are met:

– Disclosure of data in a "limited data set"

– Disclosure is for research purposes

– Individual authorization is not obtained

– As part of an IRB-approved protocol

• Who signs off on the Data Use Agreement? The UPenn Office of Research Services handles this agreement on behalf of the Trustees of the University of Pennsylvania.

De-Identified Data

• UPHS/SOM may use or disclose de-identified data for research purposes provided it's done as part of an IRB approved protocol

• De-identified data is not covered by HIPAA and may be disclosed for research purposes

• A code may be applied to the data that would allow re-identification of data but only within the covered entity

De-Identified Data

Individually identifiable health information from which identifiers are removed for the individual, relatives, employers, or household members:

1. Names

2. Street address, city, county, precinct, zip code & equivalent geocodes

3. All elements of dates (except year) for dates directly related to an individual and all ages over 89

4. Telephone numbers

5. Fax numbers

6. Electronic mail addresses

7. Social security numbers

8. Medical record numbers

9. Health plan ID numbers

10. Account numbers

11. Certificate/license numbers

12. Vehicle identifiers and serial numbers, including license plate numbers

13. Device identifiers/serial numbers

14. Web addresses (URLs)

15. Internet IP addresses

16. Biometric identifiers, incl. finger and voice prints

17. Full face photographic images and any comparable images

18. Any other unique identifying number, characteristic, or code

HIPAA Exceptions

• Use of PHI for Case Finding / Research Preparation

• Use of Decedent Information in Research

Must ensure the following:

• That the use or disclosure is sought solely to prepare a research protocol

• Documentation of the death of the individual

• The PHI will not be removed from the covered entity

• The PHI used or accessed is necessary for the research purposes

Special Rules

• Research commenced prior to 2003

– Obtain at time of annual continuing IRB review

• Research using databases, repositories and banks

– To include initial info into database, authorization is required

– To utilize this data for research purposes the PI must obtain a waiver of authorization from the IRB

– PI may review the info in the database without approval if it is preparatory for research

Special Rule - Subject Recruitment

Required contact methods (in order of preference):

– By a physician or other Health Care Professional who has taken care of a patient

– By the UPENN School of Medicine using a cover letter signed by a Physician who has taken care of the patient, and using text approved by the UPENN IRB

– By the researcher using a script or cover letter using text approved by the UPENN IRB

Direct recruitment by a researcher who has not taken care of the patient will require UPENN IRB approval and will only be permitted when both of the other two alternatives are impractical

