Tulane Human Research Protection Program (“HRPP”) Present By: Wade Wootan Date: March 2010 Objectives Review applicable federal regulations affecting privacy of research information Health Insurance Portability & Accountability Act Privacy Regulations (HIPAA Privacy or HIPAA) Human subject protection regulations for Department of Health & Human Services (DHHS) and the Food and Drug Administration (FDA) Who must comply? What information is protected? What uses & disclosures are permitted? Tulane HIPAA Policies, Procedures & Guidance Research policies for HIPAA See Section 16 of Tulane’s HRPP Standard Operating Policies (SOPs) found at http://tulane.edu/asvpr/irb/policies.cfm HIPAA authorization form found on IRBNet TUMG HIPAA policies & forms found at http://tulane.edu/counsel/upco/privacy-policies.cfm HIPAA Privacy Rule Purpose and Background Acknowledges that, in course of conducting research, researchers may create, use, and/or disclose individually identifiable health information (IIHI) Confers certain rights on patients/subjects, including rights to access and amend their health information and obtain a record of when and why their protected health information (PHI) was shared with Recognizes that research community others has legitimate needs to use, access and disclose certain information to Establishes conditions under which carry out a wide range of health covered entities (CE) can provide research. researchers access to and use of PHI Establishes minimum standards for protecting the privacy of IIHI when necessary to conduct research. If a treatment relationship exists, HIPAA Privacy is intended neither to limit access to nor quality of health care It also establishes penalties for covered entities that fail to comply, including money fines and/or imprisonment. Step-by-step analysis Use & Disclosure of Research Information: Who must comply? • Covered entities • Hybrid entities What information is protected? • IIHI • PHI • De-Identified What uses & disclosures are allowed? • Treatment, payment & healthcare operations (TPO) • Authorization • IRB waiver of authorization • Limited Data Set • Preparatory for research • Research of decedents • Required by law • “Grandfathered” research • Sensitive info. Minimum necessary disclosed? • Accounting requirements for non-routine disclosures To whom does the Privacy Rule apply? HIPAA Privacy Rule applies only to: Covered entities (CE)(i.e., health care providers, health plans & health clearinghouses) Who electronically transmit any health information that DHHS has adopted standards (eg, transaction & code sets , coordination of benefits, authorizations, etc) Tulane elected to be a hybrid entity for HIPAA compliance purposes. This limits application of the Privacy Rule to only health care operations (i.e., areas that create, use and/or disclose IIHI & electronically bill Federal payors). The following components were designated by Tulane as health care operations covered by the Privacy Rule: Tulane’s IRB serves as a Privacy Board for HIPAA compliance purposes as it applies to research This is in addition to the IRBs role to safeguard the confidentiality rights of subjects involved in research under DHHS & FDA requirements For healthcare, Tulane’s Privacy Officer is Glenda Folse and Security Officer is Leo Tran TUMG, its physicians, and clinicians TU employees & departments providing management, admin, financial, legal and operational services to TUMG and use IIHI As a matter of policy, Tulane’s HRPP standard operating policies (SOPs) apply HIPAA to human subjects research (See SOPs at section 16) [see also “Designation of Healthcare Components & Hybrid Entities (TU P&P GC-101] Comparison—Privacy Rights Under HIPAA & Confidentiality Rights Under DHHS Regulations Issue FDA Protection of Human HIPAA Privacy Rule DHHS Protection of (45 CFR Part 160 & Human Subjects (45 CFR Subjects (21 CFR Parts 50 and 56) 164(A) & (E)) Part 46) Purpose Establish Federal floor of privacy protections for most IIHI by establishing conditions for its use/disclosure by covered entities --Protect rights & welfare of human subjects involved in research conducted or supported by DHHS --Not specifically a privacy regulation --Protect rights, safety & welfare of subjects involved in clinical investigations regulated by FDA --Not specifically a privacy regulation Scope Applies to HIPAAdefined CEs, regardless of source of funding Applies to human subjects research conducted or supported by DHHS --Applies to research involving products regulated by FDA --Federal funding not necessary for FDA regs to apply --If Federally funded, both DHHS & FDA regs apply What health information is protected by the Privacy Rule? The Privacy Rule applies to protected health information (PHI) created or maintained by a CE (and a CEs business associates) What is PHI? What is IIHI Individually identifiable health information (IIHI) AND Transmitted or maintained in any form or medium (i.e, oral, paper or electronic) Information that relates to past, present or future physical or mental health or condition; healthcare; or payment for healthcare AND Identifies an individual or can reasonably can be used to identify AND Created or received by a covered entity (healthcare provider, health plan, or clearinghouse) Note: IIHI can include PHI created in research 18 Types of IIHI Look for the existence of any one of the following: More obvious identifiers 1. Names 2. Address 3. SSN 4. phone 5. Fax 6. e-mail 7. full face photo Less obvious identifiers 8. any dates 9. MRN 10. health plan # 11. account #’s 12. license # 13. VIN 14. device # 15. URL’s 16. IP address 17. finger/voice print 18. Any other unique identifying numbers, characteristics or codes Comparison—Definition of Individually Identifiable Information Issue HIPAA Privacy Rule DHHS Protection of Human Subjects FDA Protection of Human Subjects Identifiable Information --Defines PHI as individually identifiable health information (IIHI) transmitted or maintained in any form or medium by a CE (or its BA) --See list of 18 types of IIHI --Private information must be individually identifiable for obtaining it to constitute “research involving human subjects” --”Individually identifiable” means the identity of subject is or may be reasonably ascertained by investigator or associated with information No definition of individually identifiable information What is not covered under HIPAA? De-identified health information (i.e, no IIHI) & thus not protected by HIPAA Studies that do not involve health information or healthcare (e.g. anthropology) IIHI held by anyone other than a CE (eg, an independent researcher) De-Identifying PHI CEs may use/disclose health information that is de-Identified. Before disclosing, confirm de-ID through either: By removing all 18 IIHI identifiers The CE does not have actual knowledge that info could be used alone or in combination with other documents to identify an individual who is a subject of the info OR Statistical verification of de-ID; A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering info not individually identifiable determines that risk is very small that info could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the info Document the methods and results of the analysis justifying determination 164.514(b) De-Identifying PHI Statistical Verification of De-ID DHHS guidance to generally accepted statistical and scientific principles and methods: Statistical Policy Working Paper 22 - Report on Statistical Disclosure Limitation Methodology (http://www.fcsm.gov/workingpapers/wp22.html) (prepared by the Subcommittee on Disclosure Limitation Methodology, Federal Committee on Statistical Methodology, Office of Management and Budget) and Checklist on Disclosure Potential of Proposed Data Releases ( http://www.fcsm.gov/committees/cdac) (prepared by the Confidentiality and Data Access Committee, Federal Committee on Statistical Methodology, Office of Management and Budget). DHHS commentary to 45 CFR 164.514(b) De-Identifying PHI Re-Identification Question: Can a code be used to re-ID information that previously was de-ID? Answer: Yes. A CE may assign a code or other means of record identification to allow de-identified information to be re-identified by the CE, provided that: The code or other means of record identification is not derived from or related to info about the individual and is not otherwise capable of being translated so as to identify the individual; and The CE does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification. 164.514(c) Re-Identification De-Identification Coded data Privacy Rule allows a CE to code data and then disclose it as “de-identified” The code is secured and not distributed with the data Codes cannot be derived from IIHI (e.g. last 4 digits of SSN) Common Rule considers coded data with agreement/policy that PI can’t access code to not involve human subjects When PI codes data it is not de-identified but it may be Common Rule exempt if PI does not hold the code De-Identified vs Anonymous De-identified health information is not PHI and, thus, is not protected by Privacy Rule “Anonymous” is a DHHS/IRB term. Identity of the subject may not readily be ascertained Anonymous can refer to fact that identifying information was never collected If collected, anonymous data may or may not be de-identified How PHI can be used or disclosed? Use = Internal sharing, exam, If the Privacy Rule applies, then a CE can analysis of PHI within a CE Disclosure = external release, transfer or divulging of PHI by a CE use/disclose PHI for: TPO: treatment, payment and healthcare operations (TPO), even without subject permission Research: With individual HIPAA authorization [45 CFR 164.508] IRB approved waiver or alteration of authorization [164.512(i)(1)(i)] Limited data sets with Data Use Agreement [164.514] Preparatory to Research [164.512(i)(1)(ii)] Research of Decedents [164.512(i)(1)(iii)] “Grandfathered” Research Required by Law [164.512] HIPAA Authorization for Research Use & Disclosures Required Elements A HIPAA Authorization is individual’s signed permission that contains: Specific information to be used/disclosed By whom and to whom (may be classes of persons) Purpose of use/disclosure Be specific – cannot authorize future unspecified research How long the authorization is valid (“end of study” or “forever” are okay if justified by research) Potential risks of re-disclosure (eg, if data shared with non-HIPAA covered entity) Signed & dated Do not condition treatment on signing authorization Right of individual to revoke authorization (pro-actively) Authorization may be combined with study informed consent. Tulane does not allow combination of HIPAA authorization with any other consent/documents to avoid subject confusion Comparison—Research permissions Issue HIPAA Privacy Rule DHHS Human Subjects Regs FDA Human Subjects Regs Permission for Research Authorization Informed Consent (IC) IC IRB/ Privacy Officer Duties --CE must obtain authorization for research use/ disclosure of PHI unless HIPAA exception exists --Neither IRB nor Privacy Officer reviews authorization form --IRB must ensure that IC is sought from & documented for each prospective subject per DHHS regs. --If DHHS regs. met, IRB may waive either obtaining IC or documented IC. --IRB must review/ approve HIPAA authorization form if combined with IC --Privacy Officer has no authority --Same as DHHS requirements IRB-approved waiver of HIPAA authorization When de-identification is impractical or is not feasible for researchers to obtain signed authorizations for all PHI the researcher needs to obtain, the Privacy Rule permits obtaining IRB approval for waiver or alterations of the authorization requirement regarding uses & disclosures Section 164.512(i); see also Use & Disclosure of PHI for Research (TU P&P GC-012) IRB-approved waiver of authorization (cont.) IRB must determine Minimal risk to privacy Research couldn’t be conducted without access and without waiver Written assurance PHI won’t be re-disclosed or re-used except as required/permitted by law Limited to minimum necessary IRB need only review request to waive or alter authorization (vs actual authorization) IRB waiver of authorization documented in IRB approval letter Partial waivers of Authorization & alterations to Authorization approved by IRB Recruitment may require access to PHI but no patient contact Phone eligibility screens where no written authorization possible Can waive authorization for these initial research processes and then subjects consented later No provisions for waiving documentation only Q&A: Tissue banks & old tissue samples Question: We have a freezer full of old tissue blocks that have built up over the years and we want to use them for our new research. Is this human subjects research & is a HIPAA authorization needed? Answer: It depends if human subjects research exists. Look to investigator intent: Systematic investigation On a living individual about whom the investigation is being conducted About whom the investigator conducting research obtains Data through intervention or interaction with the individual; or Individually identifiable private information That is designed To develop or contribute to “generalizable knowledge” If human subjects research, then samples repository & IRB approved protocol regarding use & maintenance of samples Was there consent/authorization to keep the samples when they were collected? Was there informed consent/authorization for future activities? Is the proposed use consistent with any prior consent/authorization? Otherwise, access requires an IRB waiver for use or disclosure of information Comparison—Cooperative Research & Waiver/Alteration of HIPAA Authorization For multi-site research or research requiring use/disclosure of PHI created or maintained by multiple CEs or where multiple IRBs may be involved, review by 1 IRB is okay HIPAA Privacy Rule DHHS Protection of Human Subjects FDA Protection of Human Subjects --Requests to waiver or alter authorization requirement are reviewed/ approved by IRB --A CE may reasonably rely on IRB decision Cooperative research/ multi-institution studies may use joint review, reliance upon review of another qualified IRB, or similar arrangement aimed at avoiding duplicative effort --Each institution is responsible for safeguarding rights & welfare of human subjects & complying w/ DHHS protection of human subject regulations --With DHHS approval, an institution participating in a cooperative project may enter into a joint review arrangement, rely upon review of another qualified IRB or make similar arrangements to avoid duplicative effort Comparison—Waivers of Authorization or IC Requirements HIPAA Privacy Rule DHHS Protection of Human Subjects FDA Protection of Human Subjects Allows waiver or alteration of authorization when IRB or Privacy Officer/Privacy Board deems following are met: a. Use/disclosure involves no more than minimal risk to privacy because the following exist: 1. Adequate plan to protect IIHI from improper use or disclosure 2. An adequate plan to destroy IIHI at earliest opportunity absent health or research justification or legal req. to keep them 3. Adequate written assurances that PHI will not be used or disclosed to 3rd party except as req’d by law, for authorized oversight of research of other permitted uses or disclosures b. Research could not practicably be conducted without waiver or alteration; AND c. Research could not practicably be conducted w/o access to & use of PHI Permits IRB to waive some/all elements of IC, or to waive need to obtain IC, if IRB finds & documents : a. Research involves no more than minimal risk to subject b. Waiver or alteration will not adversely affect rights or welfare of subjects c. Research could not practically be carried out w/o waiver or alteration d. When appropriate, subjects will be given pertinent info after participation --Permits FDA to waive IRB review requirement --Permits IRB to approve clinical investigation w/o subjects’ IC in certain circumstances (see 21 CFR 50.23 & 21 CFR 50.24). These include: a. Immediate use of test article is, in investigator’s opinion, needed to preserve life of subject & in sufficient time exists to get IC b. Emergency research Limited Data Sets Background Privacy Rule permits disclosure of limited data sets (“almost” identified) by a CE and researcher to another researcher for research, public health or healthcare operations Receiving researcher must have a signed Data Use Agreement with CE No need for authorization or IRB waiver Does not require accounting for disclosures Limited Data Sets 16 Identifiers (versus 18 IIHI) For a limited data set to exist, remove the following IIHI: More obvious identifiers 1. Names 2. Address (except town, city, state & zip) 3. SSN 4. phone 5. Fax 6. e-mail 7. full face photo Less obvious identifiers 8. any dates 9. MRN 10. health plan # 11. account #’s 12. license # 13. VIN 14. device # 15. URL’s 16. IP address 17. finger/voice print 18. Any other unique identifying numbers, characteristics or codes Limited Data Sets Data Use Agreements Because limited data sets contain IHI (ie, potentially 2 categories), they are PHI and a Data Use Agreement is required under the Privacy Rule A Data Use Agreement is a way for a CE to set boundaries for the use and disclosure of limited data sets for researchers for PHI they received Limited Data Sets Elements to Include in Data Use Agreements 1. 2. Establish permitted 3. use/disclosure of limited data set by recipient, consistent with purpose of research; no use/ disclosure by recipient that would violate Privacy Rule if done by disclosing CE; and Limit who can use/disclose PHI received; and Recipient stipulates Not to use/disclose info other than as permitted by data use agreement or as required by law Use safeguards to prevent use/disclosure of info not allowed by data use agreement Report to CE any use/disclosure of info not allowed by data use agreement Ensure that any agent’s/contractors of recipient who receive info agree to data use agreement requirements Not identify the info or contact the subjects When to use Data Use Agreements? Use Data Use Agreements if limited data set recipient/researcher: Is an employee or workforce member of another covered entity Is another covered entity “Internal” data use scenario where recipient is TU employee or not part of TUMG [See TU Data Use Agreement Policy (GC-018)] Preparatory to Research An investigator may use/disclose PHI to prepare a research protocol, design a study, assess study feasibility, grant prep, etc Investigator must certify (orally/writing) that: Use/disclosure of PHI is solely preparatory to research, PHI will not be removed from CE, and PHI sought is necessary for research Research of Decedents An investigator may use/disclose PHI of decedent for research Investigator must certify that: Use/disclosure of PHI is solely to research PHI on decedent, PHI sought is necessary, & Proof of death (if CE requests proof of death) “Grandfathered” Research Under the Privacy Rule’s transition provisions, a CE may use/disclose PHI for research purposes if one of the following was obtained before the 4/14/2003 HIPAA Privacy compliance deadline: Individual authorization or other express legal permission to use/disclose PHI for research; Subject provided IC to participate in research; or IRB waiver of IC Required by Law Privacy Rules permits use/disclosure of PHI required by law (Federal or State), even if no express individual permission exists. Examples include a CE disclosing PHI (as legally required): To cancer registries (or other registries) To public health authorities re. preventing or controlling disease, injury or disability or public health surveillance, investigations and interventions To a person subject to FDA jurisdiction (eg, a sponsor) re. FDA-regulated product/ activity for which that person has responsibility re. QA, safety or effectiveness of FDA-regulated product/ activity Includes adverse event reporting; FDA-product tracking; post-market surveillance; & enabling product recalls, repairs, replacements, etc To health oversight agencies (eg, Federal, State, accreditation, etc) Certificates of Confidentiality (CoC) Background CoCs are issued by NIH, FDA & CDC to protect identifiable information on IRB-approved research from forced disclosure Protect against subpoena, court order or request from any Federal, State or local proceeding (ie, civil, criminal, administrative, legislative, etc) Allow investigators & others with access to research records to not disclosure information that could ID research subjects if the disclosure could have adverse consequences for subjects (eg, subject’s financial standing, employability, insurability, reputation, etc) [42 USC 241(d) (with DHHS authority delegated to respective Federal agencies)] Certificates of Confidentiality (CoC) Adverse Consequences Examples of research with potential adverse consequences for subjects: Collecting genetic information Collecting information on psychological well-being of subjects Collecting information on sexual attitudes, preferences or practices Collecting data on substance abuse or other illegal risk behaviors Studies where subjects may be involved in litigation related to exposures under study (eg, breast implants, environmental or occupational exposures) Certificates of Confidentiality (CoC) Potential Recipients Issued for single, well-defined research projects CoCs granted to Institutions based on PI’s application May be issued for cooperative multi-site projects Must have a coordinating center or “lead” institution responsible for ensuring that all institutions conform to application assurances Lead institution can apply on behalf of all associated institutions Certificates of Confidentiality (CoC) Assurances Lead institution is responsible for ensuring that all institutions conform to application assurances & agree to: Protect against compelled disclosure and support/defend authority of CoC against legal challenges Comply with Federal regs re. human subject protection No represent the CoC as an endorsement of the study by Federal Government or use/coerce participation Inform subjects re. existence of CoC, its protections & limitations Certificates of Confidentiality (CoC) Limits of Protection CoC protects data maintained during any time the CoC is in effect Protects that data in perptuity Does not eliminate need to disclosure to Government for study audits & investigations Does not protect against disclosures reportable by law: Child/elder abuse Threat of harm to self/others Communicable diseases CoC does not eliminate need for data security, which is essential to protection of research subjects’ privacy Researchers should safeguard research data & findings from unauthorized use & disclosures Projects Not Eligible for CoC Not research Not collecting personally identifiable information No IRB review/approval Collecting information that, if disclosed, would not significantly harm or damage subject Minimum Necessary Privacy Rule limits the non-routine use, disclosure, or requesting of PHI to the minimum amount of info necessary to accomplish the purpose of the use or disclosure. Non-routine disclosures do not include the following : De-identified information Limited data set information Made pursuant to a HIPAA authorization For TPO If required by law [See Minimum Necessary Standard (TU GC-005)] Accounting for Non-Routine Disclosures HIPAA requires accounting for: Non-routine disclosures AND Disclosures of PHI involving 50 or more subjects on a study. The accounting may provide: Name of protocol or other research activity; Description of research protocol or other research activity, including the purpose of research and criteria for selecting particular records; Brief description of type of PHI disclosed; Date or period of time during which such disclosures occurred, or may have occurred; Name, address, and phone of research sponsored and of researcher to whom the information was disclosed; and Statement that the PHI of the individual may or may not have been disclosed for a particular protocol or other research activity. 164.528(b) Recap