CUNY Research and HIPAA
after August 2002 Privacy Rule
CUNY Research Training Session
March 27, 2003
Presented by
Mark Barnes
CUNY Training Topics
• Overview of the HIPAA Privacy Regulations
• Who is a “Covered Entity” Under HIPAA and Who is Not
• Overview of CUNY Researcher’s Obligations if Research Involves a
Covered Entity’s “Protected Health Information”
• The HIPAA Challenge for Researchers
• HIPAA Authorization for Research
• New HIPAA forms and IRB procedures for Research Without
Authorization
• Impact of HIPAA on Exempt Research
• Impact of HIPAA on Database/Repository Research
• Accounting for Disclosures and Transition Rules
• CUNY HIPAA contacts: Richard Malina ([email protected]) and
Jane Davis ([email protected])
9122071
Overview of HIPAA Privacy
Regulations
• HIPAA = Health Insurance Portability and
Accountability Act of 1996
• HIPAA required Congress to enact comprehensive
health information privacy law by August 21, 1999; if
Congress failed to act by that date, U.S. Department of
Health and Human Services (HHS) was required to
issue regulations addressing privacy of health
information
• Proposed regulations published November 3, 1999 (64
Fed. Reg. 59918); HHS received approximately
53,000 comments
Overview of HIPAA Privacy
Regulations (cont.)
• “Final” regulations published December 28, 2000 (65
Fed. Reg. 82462)
• Comment period was reopened and additional
comments were received until March 30, 2001
• NPRM issued 3/27/02 to modify some essential
provisions, including those relating to research. New
30-day comment period, ended April 26, 2002
• Final Rule issued August 14, 2002; compliance by
April 14, 2003
• Civil and criminal penalties for violations
Who is a “Covered Entity” Under
HIPAA?
• Health plans, health care clearinghouses, and health
care providers that transmit health information
electronically in a HIPAA transaction (e.g., billing)
  - A Covered Entity and its employees, agents and professional
    staff may not use/disclose health/mental health information for
    research without authorization or waiver of authorization
    (limited exceptions)
  - CUNY is not a Covered Entity, but CUNY researchers may
    obtain or use health/mental information from, or within, or as
    agents or employees of, a Covered Entity
Who is a “Covered Entity” Under
HIPAA? (cont.)
• Examples:
  - CUNY Faculty member with clinical
    appointment at hospital or private clinical
    practice that is HIPAA-covered
  - CUNY student who works as intern or trainee at
    hospital or psychology practice or in social
    service agency setting that is HIPAA-covered
• Each must comply with HIPAA with respect
to his/her activities in the Covered Entity
setting, including research
Overview of CUNY Researcher’s
Obligations if Research Involves a CE’s
PHI
• Even though CUNY itself is not a Covered Entity,
CUNY research must comply with HIPAA when:
  - CUNY Investigator accesses, obtains, or uses a CE’s
    patient/client information for research
  - CUNY Investigator creates health-related information
    at CE’s site, enrolls a CE’s patients/clients in a study, or
    collaborates with a HIPAA-covered co-investigator
• Revised CUNY IRB application form now
includes questions to elicit whether Covered
Entities are involved in CUNY research
The HIPAA Challenge for
Researchers
• The HIPAA Privacy Regulations establish a
stringent and complex new regime that
governs all uses and disclosures of
“protected health information” (PHI)
The HIPAA Challenge for
Researchers (cont.)
• “Protected Health Information” (PHI) is any
health information that:
  - Is created by or received by a Covered Entity or
    an employer; and
  - Relates to the past, present, or future (e.g.,
    genetic predisposition) physical or mental
    health or condition of an individual; the
    provision of health care to an individual; or the
    past, present, or future payment for the
    provision of health care to an individual; and
The HIPAA Challenge for
Researchers (cont.)
• “Protected Health Information” (PHI) is any
health information that (cont.):
  - Identifies the individual or with respect to
    which there is a reasonable basis to believe the
    information can be used to identify the
    individual; and
  - Is electronically maintained or transmitted, or
    in oral or written form
The HIPAA Challenge for
Researchers (cont.)
• Basic Rule = No Use or Disclosure of PHI
  Except:
  1. For treatment, payment and health care
     operations (“TPO”)
     - Good faith effort to obtain patient
       acknowledgement of receipt of notice of privacy
       practices required
     - Research is not TPO
The HIPAA Challenge for
Researchers (cont.)
• Basic Rule = No Use or Disclosure of PHI
  Except (cont.):
  2. With written patient authorization (which must
     specify who can use/disclose the PHI, to whom
     the PHI may be disclosed, what PHI may be
     used/disclosed, the purpose of the use/disclosure,
     and the duration of the authorization, in the form
     of an expiration date or an event)
     - This is the primary method of HIPAA research
       compliance
The HIPAA Challenge for
Researchers (cont.)
• Basic Rule = No Use or Disclosure of PHI
  Except (cont.):
  3. When a regulatory exception applies (e.g.,
     public health reporting; in emergencies/
     disasters, to identify patients or locate family
     members)
The HIPAA Challenge for
Researchers (cont.)
• De-identified data (under HIPAA) are not
  equivalent to “anonymous” data (under
  Common Rule)
• De-identified data are not PHI: Cannot have any
  of the following 18 HIPAA identifiers
  1. Names
  2. Geographic subdivisions smaller than a State
  3. Dates (except year) directly related to patient
  4. Telephone numbers
  5. Fax numbers
The HIPAA Challenge for
Researchers (cont.)
• 18 HIPAA identifiers (cont.)
  6. E-mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers
  13. Device identifiers and serial numbers
The HIPAA Challenge for
Researchers (cont.)
• 18 HIPAA identifiers (cont.)
  14. Web URLs
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice
      prints
  17. Full face photographic images and any comparable
      images
  18. Any other unique identifying number, characteristic,
      or code, except as permitted under HIPAA to re-identify data
HIPAA and Research
• HIPAA Privacy Regulations have many
specialized rules and exceptions, including rules
particularly applicable to research activities
• Under HIPAA “‘research’ means a systematic
investigation, including research development,
testing, and evaluation, designed to develop or
contribute to generalizable knowledge.” 45 C.F.R.
§ 164.501. Same definition as Common Rule, but
note no “exemptions” available under HIPAA
“Exempt” Research must meet
HIPAA Requirements
• If you are conducting research under an IRB exemption,
and the research involves access to, or use of, patient
information (including labeled or coded specimens) from a
covered entity, your research will likely require HIPAA
authorization or waiver of authorization (see 3/12/03
Schaffer memo)
• You must cease enrolling new subjects and collecting data
on and after April 14, 2003 and submit an application for
HIPAA waiver to the CUNY IRB for approval; you may
also need waiver from CE’s IRB or Privacy Board
Research Activities/Clinical Trials
Under HIPAA
• HIPAA requirements for research are
applicable regardless of source of funding
  - If FDA and/or HHS regulations are not
    applicable to the research study at issue but the
    study involves PHI, the covered entity is still
    bound by HIPAA Privacy Regulations
Research Activities/Clinical Trials
Under HIPAA (cont.)
• Research disclosure policies must be included in covered entity’s
“Notice of Privacy Practices”
From Sample Notice of Privacy Practices:
“Research. In most cases, we will ask for your written authorization before using your health information or sharing it
with others in order to conduct research. However, under some circumstances, we may use and disclose your
health information without your written authorization. To do this, we are required to obtain approval through
a special process to ensure that research without your written authorization poses minimal risk to your
privacy. Under no circumstances, however, would we allow researchers to use your name or identity publicly.
We may also release your health information without your written authorization to people who are preparing a
future research project, so long as any information identifying you does not leave our facility. In the
unfortunate event of your death, we may share your health information with people who are conducting
research using the information of deceased persons, as long as they agree not to remove from our facility any
information that identifies you.”
HIPAA: Patient Authorization for
Research
• HIPAA will generally require express patient authorization for
use or disclosure of PHI in research activities subject to
several exceptions (discussed below)
• The CUNY IRB has a model HIPAA Authorization Form for
use in research involving PHI (i.e., personal health or mental
health information from a Covered Entity)
• All forms referenced in this presentation are available at
www.cuny.edu on the Faculty and Staff page under “Research
and Funding”
HIPAA: Patient Authorization for
Research (cont.)
• The CUNY IRB will review both the
authorization and informed consent form
with the protocol submission
• The investigator is primarily responsible for
ensuring that the information in the
authorization form is accurate and complete
HIPAA: Patient Authorization for
Research (cont.)
CUNY IRB
HIPAA RESEARCH AUTHORIZATION
Subject/Client/Patient Name:_______________________ ID Number:_________________
Study:_______________________________________________________________________
IRB Protocol No. ________________
CUNY Institution:______________________
We understand that information about you and your health is personal. We are committed to
protecting the privacy of that information. Federal regulations and our commitment to your
privacy require that we obtain your written authorization before we may use or disclose your
protected health information for the research purposes described below. This form provides
that authorization and helps us make certain that you are properly informed of how this
information will be used or disclosed. Please read the information below carefully before
signing this form.
HIPAA: Patient Authorization for
Research (cont.)
USE AND DISCLOSURE COVERED BY THIS AUTHORIZATION
___________ [CUNY Researcher] must answer these questions completely before providing
this authorization form to you. DO NOT SIGN A BLANK FORM. You or your
personal representative should read the descriptions below before signing this form.
What information will be used or disclosed for the research? The appropriate boxes
should be checked below and the descriptions should be in enough detail so that you
(or any organization that will use or disclose information pursuant to this
authorization) can understand what information may be used or disclosed.
______Any medical, treatment, or research records held by __________ [list covered entity
from whom records are sought] may be used and/or disclosed.
______The following information:
HIPAA: Patient Authorization for
Research (cont.)
Who will disclose, receive, and/or use the information while it is in individually identifiable form?
This research authorization form will authorize the following person(s), class(es) of persons,
and/or organization(s) to disclose, use, and/or receive the information in connection with the
research:
  - __________ [CUNY Principal Investigator] and his or her research staff, which may include
    _____________ [College] students
  - The following co-investigators [list names and institutions] and members of their research
    staffs: __________________________________________________________
  - Statisticians at the following institutions: ______________________________________
  - The members and staff of the _____________ [College] Institutional Review Board and
    other CUNY officials and staff who oversee research
  - Government authorities or agencies that oversee research
  - The members and staff of the Institutional Review Boards at participating research sites
    ______________________________________________ [list each co-investigator’s site]
  - Others (as described below):
If not specifically listed above, you also authorize the following persons or institutions that maintain
records about you to disclose the information described above for the purpose of this
research:
HIPAA: Patient Authorization for
Research (cont.)
SPECIFIC UNDERSTANDINGS
By signing this research authorization form, you authorize the use and/or disclosure of your protected health
information as described above. The purpose for the uses and disclosures you are authorizing is to
conduct the research project explained to you during the informed consent process and to ensure that
the information relating to that research is available to all parties who may need it for research
purposes.
Many of the recipients listed in this form have legal or professional obligations to protect the confidentiality of
your information. If, however, your information is disclosed to persons or organizations that are not
required by state or federal law to protect the privacy of the information, such persons or
organizations could reuse or redisclose the information without penalty under those laws. For this
reason, it is the policy of the _____________ [College] IRB that investigators ask all recipients of your
information to agree to treat your information as confidential.
You have a right to refuse to sign this authorization. Your health care, the payment for your health care, and
your health care benefits will not be affected if you do not sign this form.
If you sign this authorization, you will have the right to revoke it at any time. However, your revocation would
not apply to the extent that ____________________ [name covered entity] and the investigators in this
research have already taken action based upon your authorization or need the information to complete
analysis and reports of data for this research. This authorization will never expire unless and until you
revoke it. To revoke this authorization, please write to _________________________ [insert the name
and address of the CUNY Principal Investigator and the responsible person or department at the
covered entity].
A copy of this form will be provided to you after you have signed it.
HIPAA: Patient Authorization for Research
(cont.)
SIGNATURE
I have read this form and all of my questions about this form have been answered. I understand that, if I have
questions about this form in the future, they will also be answered. By signing below, I acknowledge that I
have read and accept all of the above.
_________________________________________
Signature of Subject or Personal Representative
_________________________________________
Print Name of Subject or Personal Representative
_________________________________________
Date
Description of Personal Representative’s Authority
CONTACT INFORMATION
The contact information of the subject or personal representative who signed this form should be filled in below.
Address:
_______________________________________________________________________________________
_________________________________Telephone:___________________ (daytime)
_________________ (evening) Email Address (optional):____________________________
THE SUBJECT OR HIS OR HER PERSONAL REPRESENTATIVE MUST BE PROVIDED WITH A COPY OF
THIS FORM AFTER IT HAS BEEN SIGNED.
HIPAA: Patient Authorization for
Research (cont.)
• Revocation of Authorization: Cannot
revoke authorization to the extent that
action has been taken “in reliance” on the
authorization
  - Example: no requirement to re-identify and
    separate out blinded information based upon
    patient’s revocation
HIPAA: Patient Authorization for
Research (cont.)
• “Reliance” defined broadly under August
2002 Rule to include:
  - Accounting for subject’s withdrawal from
    study
  - Supporting FDA applications
  - Reporting adverse events
HIPAA: Patient Authorization for
Research (cont.)
• PHI From Other Covered Entities:
  - Research authorization form should include
    broad grant of access so that investigators may
    receive PHI from other covered entities who or
    which have treated the patient, when that PHI is
    required for the research
HIPAA: Patient Authorization for
Research (cont.)
• Disclosing Who Will Receive PHI:
  - HIPAA requires that study sponsors (where applicable)
    and/or PIs, research staff (and other sites in cases of
    multi-center trials) or related entities all be named in
    the authorization form as parties to whom or to which
    PHI will be transferred, and by whom or by which that
    PHI may be used
  - The CUNY authorization form includes a checklist;
    investigator must specify others not listed
  - If not listed, may be unable to receive or use PHI
Parties to the Research
Diagram of a Multi-Site Research Study:
Who is using, receiving, and/or disclosing the data?
Are the data identifiable? Is any site a Covered Entity?
[Diagram labels: Sponsor; OHRP; Consulting Statistician; CUNY PI; START; CUNY Student RAs; CUNY-IRB; Co-PI/MD; MDs; Site #1 Psychology Practice; Site #2 Psychiatric Hospital; Site #3 Community Clinic; Site #4 Medical Center; Site #5 Social Service Agency; IRB #2; IRB #3; IRB #4; IRB #5]
HIPAA: Patient Authorization for
Research (cont.)
• Separate authorization form required for
use/disclosure of “psychotherapy notes”
  - Notes of treatment conversations maintained separate
    from the medical/treatment record
  - IRB may not waive authorization for use/disclosure
  - General authorization form also may be advisable in
    psychotherapy research
• Additional authorization language required by
NYS law for disclosure of HIV-related
information
HIPAA: Patient Authorization for
Research
• CUNY model authorization also includes:
  - Possibility of redisclosure of information
  - Right to refuse to sign and consequences
  - Right to revoke and limitations on that right
  - Expiration provision: authorization does not
    expire; subject must revoke in writing
• Authorization is preferably separate from
research informed consent
HIPAA: Patient Authorization for
Research (cont.)
• Important that information presented to subjects in
the informed consent process is consistent with
what they are asked to authorize through the
HIPAA authorization form
• “Confidentiality” section of informed consent
should reference HIPAA authorization
• Use of another Covered Entity’s Authorization:
  - If CUNY researcher is part of the CE (and thus liable for HIPAA
    violations), the researcher must review the CE’s form thoroughly
    for the presence of all required elements
  - If CUNY researcher is not part of the CE, use the CE’s form unless
    clearly deficient
Use of PHI in Research Without
Authorization
• Covered entity may use or disclose PHI for
research purposes (and thus may permit
CUNY researcher to use and disclose PHI
for research purposes) without an
individual’s authorization in the following
circumstances:
Use of PHI in Research Without
Authorization (cont.)
1. Purposes preparatory to research (i.e., to assess
   feasibility of research or formulate a research
   hypothesis), if the investigator (submits form)
   makes the following representations:
   - Use or disclosure sought solely to review PHI as
     necessary to prepare a research protocol (or for
     similar preparatory purposes)
   - No PHI will be removed from the covered entity by
     the researcher during the review
   - PHI for which use or access is sought is necessary for
     the research purposes
Use of PHI in Research Without
Authorization (cont.)
• Procedure for Review Preparatory to
  Research
  - Complete CE’s form containing researcher
    representations
  - Submit form to CE’s Privacy Officer for approval
  - Provide copy of approved application to CE’s data
    custodian (e.g., Medical Records)
Use of PHI in Research Without
Authorization (cont.)
2. Research on decedents’ information, if the
   investigator makes the following
   representations:
   - Use or disclosure sought solely for research
     on the PHI of decedents
   - Documentation, at the request of the covered
     entity, of the death of such individuals
   - PHI for which use or disclosure is sought is
     necessary for the research purposes
Use of PHI in Research Without
Authorization (cont.)
• Procedure for research on decedents’
  information
  - Complete the CE’s form containing
    researcher representations
  - Submit completed form to CE’s Privacy
    Officer for approval
  - Present copy of completed form to CE’s data
    source (e.g., Medical Records).
Use of PHI in Research Without
Authorization (cont.)
3. Covered Entities may use or disclose “limited data set”
   without authorization or waiver
• A “limited data set” under HIPAA is PHI (not considered
  de-identified under HIPAA), but uses are restricted to:
  - Research
  - Operations
  - Public health purposes
• Limited data sets may include dates of treatment,
  addresses (but not specific street address), birth dates
• 16 HIPAA “direct identifiers” must be removed
• Data Use Agreement required
Use of PHI in Research Without
Authorization (cont.)
• If investigators are conducting research that
may be performed using a limited data set,
they should contact the IRB office of the CE
regarding gaining access to the LDS
• The IRB office of the CE will work with the
investigator to execute a Data Use
Agreement
Use of PHI in Research Without
Authorization (cont.)
4. Waiver of an authorization or an alteration
of authorization is approved upon a
signed, documented determination by the
IRB in accordance with criteria required
by HIPAA (discussed below)
• The CUNY IRB will review HIPAA
waiver and alteration requests for CUNY
research using PHI
IRB Approval of Waiver of
Authorization
• Waiver or alteration determination by IRB may be done on
“expedited review” basis (in accordance with Common
Rule and/or FDA requirements for expedited review by an
IRB)
• Expedited review most likely to be used in cases of
research involving retrospective chart reviews; IRBs
should refrain, for first few months of compliance, from
using expedited reviews here
• IRB may partially waive authorization to allow use of PHI
to recruit study subjects (but this would not serve as a
waiver of authorization for the conduct of the study; need
to either get authorization or a second IRB waiver)
IRB Approval of Waiver of
Authorization (cont.)
• IRB written documentation must indicate that
  the waiver of patient authorization satisfies the
  three criteria set forth in Final Rule
• Final Rule Waiver Criteria:
  1. Use or disclosure involves no more than minimal risk
     to privacy of the subject based on, at least
     - Adequate plan to protect the information from improper use
       and disclosure
     - Adequate plan to destroy identifiers
     - Written assurances that the PHI will not be disclosed further
       than set forth in the waiver
IRB Approval of Waiver of
Authorization (cont.)
• Final Rule Waiver Criteria (cont.):
  2. The research could not practicably be
     conducted without the waiver or alteration
  3. The research could not practicably be
     conducted without access to and use of the
     PHI
IRB Approval of Waiver of
Authorization (cont.)
• 3 waiver criteria track aspects of HHS Common
Rule’s requirements for waiving patient informed
consent
  - Minimal risk
  - No adverse effects
  - Research not possible without waiver
• In HIPAA, 3 waiver criteria relate only to privacy
(“minimal risk” refers to privacy risk only), not to
all research risk
IRB Approval of Waiver of
Authorization (cont.)
• Procedure for seeking waiver or alteration of
authorization:
  - Complete CUNY waiver application and include with
    protocol submission to CUNY IRB
  - Present signed documentation of IRB waiver approval
    to data source (e.g., Medical Records) to obtain PHI for
    the research
  - Data source may rely upon CUNY IRB waiver or
    require review by its own IRB/PB
IRB Approval of Waiver of
Authorization (cont.)
CUNY Application for Waiver:
Please Complete the Following:
TO: Chair, _____________ [College] IRB
FROM:
__________________________
(Investigator Name)
__________________________
(CUNY Institution/Department)
__________________________
(Investigator's Telephone Number)
DATE:
____________________________
PROJECT: _________________________
PURPOSE OF STUDY: [Give a brief description of the study and attach a copy of the full protocol to this
Request Form.]
DESCRIPTION OF PROTECTED HEALTH INFORMATION THAT IS NEEDED FOR THIS STUDY:
IRB Approval of Waiver of
Authorization (cont.)
WHO ARE THE INDIVIDUALS OR ENTITIES COVERED UNDER HIPAA THAT WILL BE CREATING,
MAINTAINING, USING OR PROVIDING THE PROTECTED HEALTH INFORMATION?:
WHO WILL HAVE ACCESS TO THE PROTECTED HEALTH INFORMATION?: [Describe each person and
organization by name or category. Examples include the research sponsor, the investigator, the research staff,
and all research monitors.]
DESCRIBE THE RISKS TO PRIVACY INVOLVED IN THIS STUDY:
What identifiers will be observed, collected and stored? [Please indicate on Attachment 2 which identifiers will be
observed, collected and stored, and which identifiers will not be needed for your research.]
Who will have access to identified information?
How will access to study data be controlled?
Who will monitor access to study data?
Where will identified information be stored?
IRB Approval of Waiver of
Authorization (cont.)
PLAN FOR DESTROYING IDENTIFIERS: [Describe how, by whom and when identifiers will be
destroyed.]
IF ALTERATION OF CUNY’S STANDARD HIPAA AUTHORIZATION FORM (INSTEAD OF A
WAIVER) IS REQUESTED, EXPLAIN HOW THE FORM OF AUTHORIZATION WOULD BE
ALTERED AND ATTACH THE FORM OF AUTHORIZATION THAT YOU WOULD
PROPOSE TO USE:
EXPLAIN WHY THE STUDY PRESENTS NO MORE THAN A "MINIMAL RISK" TO PRIVACY:
IMPRACTICABILITY OF OBTAINING AUTHORIZATION: [Describe why it would be
impracticable to obtain each subject’s authorization for use and/or disclosure of his or her data or
to obtain authorization by using CUNY’s standard HIPAA Authorization form.]
IMPRACTICABILITY OF THE RESEARCH WITHOUT PHI: [Describe why the research could not
practicably be carried out without the use of PHI.]
IRB Approval of Waiver of
Authorization (cont.)
***************************************
INVESTIGATOR'S ASSURANCES:
I will not use the protected health information (“PHI”) for which I have requested this Waiver or
Alteration of HIPAA Authorization other than as described in this application form, or disclose the PHI
to any person or entity other than those listed above, except as required by law, for authorized oversight
of this research study, or as specifically approved for use in another study by an IRB. I also assure the
IRB that the PHI for which I have requested this waiver or alteration is the minimum amount of PHI
necessary for the research purpose described in this application.
____________________________
Signature of Investigator
____________________________
Date
CUNY IRB Action:
Waiver/Alteration Request Approved
Waiver/Alteration Request Denied
Approval Deferred Pending the Following Actions:
Recruitment of Study Subjects
Using PHI from Covered Entities
• Reviewing PHI to Identify Subjects
  - Treating providers may review their own
    patients’/clients’ records to decide whether
    patients/clients would be eligible for a certain
    research study
  - Investigators who are not members of a
    patient’s/client’s treatment team must apply to
    the IRB for limited waiver of authorization in
    order to review PHI to identify potential
    research subjects and record the potential
    subjects’ name and contact information
Recruitment of Study Subjects
Using PHI from Covered Entities
(cont.)
• Reviewing PHI to Identify Subjects (cont.)
  - If investigator is conducting “review
    preparatory to research” (permitted without
    authorization) and would like to record the
    contact information of potential research
    subjects identified during the review, the
    investigator should apply to the IRB for a
    limited waiver of authorization prior to
    conducting the review preparatory to research
Recruitment of Study Subjects
Using PHI from Covered Entities
(cont.)
• Contacting Potential Research Subjects
  - Treating providers may always have a conversation with
    their own patients/clients regarding enrolling in research
    involving treatment
  - Investigators who are not part of the patient/client’s
    treatment team must:
      - Obtain a partial waiver of authorization from the IRB to recruit
        subjects (if not previously done) or
      - Enlist the patient/client’s treating provider to contact the
        patient/client about enrolling in the study
  - If treating provider agrees to assist in recruitment process,
    proposed recruitment letter (to be signed by treating
    provider) must be included in submission to IRB; required
    by Common Rule
Databases and Tissue Banks
• Many Covered Entities and researchers maintain
databases into which PHI is placed, processed,
stored
• Databases may be created not for specific research
projects, but as resources for future unspecified
research
• Tissue banks and other specimen repositories may
be similarly created and maintained
Databases and Tissue Banks (cont.)
• Is patient authorization or IRB waiver required for
these activities?
  - Health care operations?
  - Research?
• HIPAA: HHS opines that the development of
such databases/banks is research for HIPAA
purposes and requires authorizations or waivers
• Common Rule: Should also therefore have IRB
approval, because definitions of “research” in
HIPAA and Common Rule are coterminous
Databases and Tissue Banks (cont.)
• CUNY researchers creating databases of PHI or
specimen banks/tissue repositories with PHI attached
must cease compiling PHI on and after April 14, 2003
until they submit a protocol to the CUNY IRB
specifying conditions under which data/specimens are
accepted to the database/bank and shared with third parties; research may resume once approval is granted
• Protocol must include CUNY authorization form or
application for IRB waiver of authorization
Databases and Tissue Banks (cont.)
• If database/bank is not maintained by the covered
entity (e.g., covered entity is disclosing information to
non-covered database/bank off-site), then
authorization must indicate potential for PHI to be redisclosed without penalty under HIPAA
Databases and Tissue Banks (cont.)
• Per 3/12/03 memorandum from Vice Chancellor Schaffer
(http://www.rfcuny.org/ResCompliance/HIPAA_Memo.html),
CUNY investigators should review existing databases and
tissue banks to determine whether PHI collection is
ongoing and HIPAA compliance is necessary
• Databases/tissue banks maintained by a CE may not
require authorization if one purpose is “operations”
• If CUNY investigators wish to conduct specific research
on information or samples stored in a database or tissue
bank, they must obtain IRB approval of research protocol
and authorization or waiver from IRB
Accounting for Research Disclosures
• HIPAA generally requires Covered Entities
to “account” for disclosures of PHI at the
request of the patient/client
• Final Rule waives accounting for all
disclosures made pursuant to a patient
authorization (this includes research
authorizations)
Accounting for Research Disclosures
(cont.)
• If a Covered Entity discloses PHI for research
purposes pursuant to a waiver of authorization or
for another purpose where authorization is not
required (e.g. review preparatory to research,
research on decedents’ PHI) the Covered Entity
must account for each disclosure
• Accounting will include CUNY investigator’s
name, contact information, purpose of disclosure,
and date
Transition Issues
HIPAA Transition Provisions
• Certain research that began prior to HIPAA’s
compliance date is “grandfathered” and does not
require authorization from subjects who were
enrolled prior to April 14, 2003 if:
  ◦ Subjects gave express legal permission for use/disclosure of health information
  ◦ Subjects gave general informed consent
  ◦ IRB waived informed consent requirement
Transition Issues
• For studies approved prior to April 14, 2003 but continuing to enroll subjects on and after April 14, 2003, HIPAA authorization is required for new subjects
• All studies approved and commencing enrollment of subjects on and after April 14, 2003 must comply with HIPAA in all respects
• If grandfathered subject is re-consented for any reason on and after April 14, 2003, investigator must obtain authorization as well as new consent
• If investigator begins to consent subjects in a study that received IRB waiver of informed consent prior to April 14, 2003, authorization must be obtained
Transition Issues
• As discussed previously, prior to April 14, 2003:
  ◦ Exempt protocols must receive HIPAA authorization/waiver (or suspend activity until authorization/waiver is obtained)
  ◦ Research database/repository compilation will need IRB-approved protocol, informed consent (or IRB waiver) and HIPAA authorization (or IRB waiver)
• Research not meeting these requirements must be
suspended on April 14, 2003, pending compliance
Practical Compliance Issues for Implementing
HIPAA in the Research Context
• Some parties to the research will not be covered by
HIPAA, but CUNY is concerned about their handling of
research subject data
• CUNY IRB has a model “Subject Information
Confidentiality Agreement” to protect subjects’
information that has been disclosed to non-covered
investigators and others involved in the research
• Investigator should have this form signed by each non-CUNY person or entity to which research subjects’
personal data are disclosed
Practical Compliance Issues for Implementing
HIPAA in the Research Context (cont.)
THE CITY UNIVERSITY OF NEW YORK
SUBJECT INFORMATION CONFIDENTIALITY AGREEMENT
Name:____________________________________
Position:__________________________________
I recognize that, in the course of my participation as an investigator, co-investigator, or an agent or
contractor of an investigator conducting CUNY human subjects research, I may gain access to
subject information, including information about health, mental health, medical care, or
payment for health care, that under law must be treated as confidential and disclosed only
under limited conditions. I agree that:
I will keep confidential all information to which I gain access that is or can be identified to a particular
subject (described in this agreement as “information”).
I will access and use information only in connection with a research protocol that has received CUNY
Institutional Review Board approval, or for reviews preparatory to research for which I have
received authority to conduct from the entity or individual maintaining the information.
Practical Compliance Issues for Implementing
HIPAA in the Research Context (cont.)
I will not redisclose information except to the extent required by applicable laws, including but not
limited to federal laws governing drug and alcohol treatment programs and state laws
governing HIV information, or as permitted under the terms of a research subject's written
authorization or an IRB’s waiver of the authorization requirement.
I will not discuss information in public places or outside of work.
I will access information only concerning subjects for whom IRB approval has been given, and will
not access information for other individuals, except during a review preparatory to research
with the approval of the entity or individual maintaining the information.
I will take all reasonable and necessary precautions to ensure that the access and handling of
information are conducted in ways that protect subject confidentiality to the greatest degree
possible. This includes maintaining such information in secured and locked locations.
I understand that it is my obligation and responsibility to maintain the confidentiality of all subjects’
information. Improper disclosure or misuse of such information, whether intentional or due to
neglect on my part, may be a breach of privacy and/or confidentiality and a violation of federal
regulations, which could result in the loss of my continued access to subjects’ information or
other penalties for myself or my institution.
Signature:__________________________
Date:______________________________
Practical Compliance Issues for Implementing
HIPAA in the Research Context (cont.)
• Investigators should contact the IRB office with any
questions about the following HIPAA-related issues:
  ◦ Deciding what is a research use of PHI versus an internal health care operations use; QA vs. research
  ◦ Access to decedent’s PHI (investigator representations required)
  ◦ Access to PHI for reviews preparatory to research (investigator representations required)
  ◦ Validating that information has been adequately de-identified for use and disclosure without authorization
  ◦ Reviewing and approving limited data sets
  ◦ Executing data use agreement (to have access to limited data set)
  ◦ Approving required elements are included in research authorization form
Planning HIPAA-Compliant
Research
• Points to consider:
  ◦ Is PHI from a HIPAA-covered entity necessary for the research? If so, need either authorization or IRB waiver of authorization.
  ◦ Will the research require a waiver of authorization to access existing PHI? If so, application to IRB or PB required.
  ◦ Who must access the PHI to perform the research?
    ▪ All entities/categories of persons must be listed in authorization.
    ▪ Secondary analyses and unanticipated data sharing require new authorization or waiver
  ◦ May I look at a CE’s records to recruit patients/clients?
    ▪ If treating provider, yes.
    ▪ If not treating provider, must obtain IRB partial waiver and follow CUNY recruitment policies
CUNY Case Studies
• CUNY researcher studying implantable
hearing device and testing subjects at
CUNY
• Obtains info from the treating provider
about implant settings (unique for each
patient) and results of provider’s
audiological exam
  ◦ Does this research involve PHI? (A: yes)
  ◦ What does HIPAA require? (A: authorization)
CUNY Case Studies
• CUNY graduate student reviewing nursing
home charts to prepare a research protocol
• Research will involve chart review; no
consent to be obtained
  ◦ Does this research involve PHI? (A: yes)
  ◦ What does HIPAA require? (A: representations to the nursing home for a review preparatory to research, IRB waiver of authorization for the research)
CUNY Case Studies
• CUNY researcher conducts cancer study involving
medical chart review and recruitment of patients
for collection of original psychological data
• Patient names replaced (by investigator) with
linking codes
  ◦ What does HIPAA require?
  ◦ A: representations to the provider to conduct a review preparatory to research, partial IRB waiver of authorization for recruitment (consistent with CUNY IRB policies), and HIPAA authorization obtained with informed consent