Tulane Human Research Protection Program (“HRPP”)
Presented by: Wade Wootan
Date: March 2010
Objectives
• Review applicable federal regulations affecting privacy of research information
  – Health Insurance Portability & Accountability Act Privacy Regulations (HIPAA Privacy or HIPAA)
  – Human subject protection regulations for the Department of Health & Human Services (DHHS) and the Food and Drug Administration (FDA)
• Who must comply?
• What information is protected?
• What uses & disclosures are permitted?
Tulane HIPAA Policies, Procedures & Guidance
• Research policies for HIPAA
  – See Section 16 of Tulane’s HRPP Standard Operating Policies (SOPs) found at http://tulane.edu/asvpr/irb/policies.cfm
  – HIPAA authorization form found on IRBNet
• TUMG HIPAA policies & forms found at http://tulane.edu/counsel/upco/privacy-policies.cfm
HIPAA Privacy Rule
Purpose and Background
• Acknowledges that, in the course of conducting research, researchers may create, use, and/or disclose individually identifiable health information (IIHI)
• Recognizes that the research community has legitimate needs to use, access and disclose certain information to carry out a wide range of health research
• Establishes minimum standards for protecting the privacy of IIHI
• Confers certain rights on patients/subjects, including rights to access and amend their health information and obtain a record of when and why their protected health information (PHI) was shared with others
• Establishes conditions under which covered entities (CE) can provide researchers access to and use of PHI when necessary to conduct research
• If a treatment relationship exists, HIPAA Privacy is intended neither to limit access to nor the quality of health care
• It also establishes penalties for covered entities that fail to comply, including money fines and/or imprisonment
Step-by-step analysis
Use & Disclosure of Research Information:
1. Who must comply?
   • Covered entities
   • Hybrid entities
2. What information is protected?
   • IIHI
   • PHI
   • De-identified
3. What uses & disclosures are allowed?
   • Treatment, payment & healthcare operations (TPO)
   • Authorization
   • IRB waiver of authorization
   • Limited Data Set
   • Preparatory for research
   • Research of decedents
   • Required by law
   • “Grandfathered” research
   • Sensitive info.
4. Minimum necessary disclosed?
   • Accounting requirements for non-routine disclosures
To whom does the Privacy Rule apply?
• HIPAA Privacy Rule applies only to:
  – Covered entities (CE) (i.e., health care providers, health plans & health clearinghouses)
  – Who electronically transmit any health information for which DHHS has adopted standards (e.g., transaction & code sets, coordination of benefits, authorizations, etc.)
• Tulane elected to be a hybrid entity for HIPAA compliance purposes. This limits application of the Privacy Rule to only health care operations (i.e., areas that create, use and/or disclose IIHI & electronically bill Federal payors). The following components were designated by Tulane as health care operations covered by the Privacy Rule:
  – TUMG, its physicians, and clinicians
  – TU employees & departments providing management, admin, financial, legal and operational services to TUMG and using IIHI
• Tulane’s IRB serves as a Privacy Board for HIPAA compliance purposes as it applies to research
  – This is in addition to the IRB’s role to safeguard the confidentiality rights of subjects involved in research under DHHS & FDA requirements
• For healthcare, Tulane’s Privacy Officer is Glenda Folse and Security Officer is Leo Tran
• As a matter of policy, Tulane’s HRPP standard operating policies (SOPs) apply HIPAA to human subjects research (see SOPs at section 16)
[See also “Designation of Healthcare Components & Hybrid Entities” (TU P&P GC-101)]
Comparison—Privacy Rights Under HIPAA & Confidentiality Rights Under DHHS Regulations

Issue: Purpose
– HIPAA Privacy Rule (45 CFR Part 160 & 164(A) & (E)): Establish Federal floor of privacy protections for most IIHI by establishing conditions for its use/disclosure by covered entities
– DHHS Protection of Human Subjects (45 CFR Part 46): Protect rights & welfare of human subjects involved in research conducted or supported by DHHS; not specifically a privacy regulation
– FDA Protection of Human Subjects (21 CFR Parts 50 and 56): Protect rights, safety & welfare of subjects involved in clinical investigations regulated by FDA; not specifically a privacy regulation

Issue: Scope
– HIPAA Privacy Rule: Applies to HIPAA-defined CEs, regardless of source of funding
– DHHS Protection of Human Subjects: Applies to human subjects research conducted or supported by DHHS
– FDA Protection of Human Subjects: Applies to research involving products regulated by FDA; Federal funding not necessary for FDA regs to apply; if Federally funded, both DHHS & FDA regs apply
What health information is protected by the Privacy Rule?
The Privacy Rule applies to protected health information (PHI) created or maintained by a CE (and a CE’s business associates).

What is PHI?
• Individually identifiable health information (IIHI), AND
• Transmitted or maintained in any form or medium (i.e., oral, paper or electronic)

What is IIHI?
• Information that relates to past, present or future physical or mental health or condition; healthcare; or payment for healthcare, AND
• Identifies an individual or can reasonably be used to identify an individual, AND
• Created or received by a covered entity (healthcare provider, health plan, or clearinghouse)
Note: IIHI can include PHI created in research
18 Types of IIHI
Look for the existence of any one of the following:

More obvious identifiers
1. Names
2. Address
3. SSN
4. Phone
5. Fax
6. E-mail
7. Full face photo

Less obvious identifiers
8. Any dates
9. MRN
10. Health plan #
11. Account #’s
12. License #
13. VIN
14. Device #
15. URLs
16. IP address
17. Finger/voice print
18. Any other unique identifying numbers, characteristics or codes
Comparison—Definition of Individually Identifiable Information

Issue: Identifiable Information
– HIPAA Privacy Rule: Defines PHI as individually identifiable health information (IIHI) transmitted or maintained in any form or medium by a CE (or its BA); see list of 18 types of IIHI
– DHHS Protection of Human Subjects: Private information must be individually identifiable for obtaining it to constitute “research involving human subjects”; “individually identifiable” means the identity of the subject is or may be reasonably ascertained by the investigator or associated with the information
– FDA Protection of Human Subjects: No definition of individually identifiable information
What is not covered under HIPAA?
• De-identified health information (i.e., no IIHI) & thus not protected by HIPAA
• Studies that do not involve health information or healthcare (e.g., anthropology)
• IIHI held by anyone other than a CE (e.g., an independent researcher)
De-Identifying PHI
• CEs may use/disclose health information that is de-identified.
• Before disclosing, confirm de-ID through either:
  – Removing all 18 IIHI identifiers
    – The CE does not have actual knowledge that the info could be used alone or in combination with other documents to identify an individual who is a subject of the info
  OR
  – Statistical verification of de-ID
    – A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering info not individually identifiable determines that the risk is very small that the info could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the info
    – Document the methods and results of the analysis justifying the determination
164.514(b)
De-Identifying PHI
Statistical Verification of De-ID
• DHHS guidance to generally accepted statistical and scientific principles and methods:
  – Statistical Policy Working Paper 22 - Report on Statistical Disclosure Limitation Methodology (http://www.fcsm.gov/workingpapers/wp22.html) (prepared by the Subcommittee on Disclosure Limitation Methodology, Federal Committee on Statistical Methodology, Office of Management and Budget) and
  – Checklist on Disclosure Potential of Proposed Data Releases (http://www.fcsm.gov/committees/cdac) (prepared by the Confidentiality and Data Access Committee, Federal Committee on Statistical Methodology, Office of Management and Budget).
DHHS commentary to 45 CFR 164.514(b)
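As an added illustration of the kind of check a statistical verification rests on (this is not code from the Tulane deck, and the slides cite the FCSM reports rather than any particular method), one basic disclosure-limitation measure is counting how many records share each combination of quasi-identifiers such as ZIP code, birth year and sex: a combination held by a single record is the re-identification risk "in combination with other reasonably available information" that 164.514(b) asks the expert to judge. The records, field names, generalization rules and threshold k below are constructed for this example; the generalize-then-suppress step goes beyond the slide and is a standard disclosure-limitation technique, not Tulane's procedure.

```python
"""Equivalence-class (uniqueness) check over quasi-identifiers.

Added example, not from the slides. Records and field names are constructed;
no real individuals are represented.
"""
from collections import Counter

# Constructed de-identified-looking records. The direct identifiers are already
# gone, but these three fields together may still single out a person.
RECORDS = [
    {"zip": "70118", "birth_year": 1961, "sex": "F", "dx": "diabetes"},
    {"zip": "70118", "birth_year": 1961, "sex": "F", "dx": "asthma"},
    {"zip": "70118", "birth_year": 1962, "sex": "M", "dx": "diabetes"},
    {"zip": "70119", "birth_year": 1935, "sex": "M", "dx": "copd"},
    {"zip": "70119", "birth_year": 1961, "sex": "F", "dx": "diabetes"},
    {"zip": "70125", "birth_year": 1963, "sex": "M", "dx": "asthma"},
]
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def _key(record, qis):
    return tuple(record[q] for q in qis)


def equivalence_classes(records, qis=QUASI_IDENTIFIERS):
    """Map each quasi-identifier combination to the number of records sharing it."""
    return Counter(_key(r, qis) for r in records)


def smallest_class(records, qis=QUASI_IDENTIFIERS):
    """k: the fewest records that share any one combination (k == 1 means a unique record)."""
    return min(equivalence_classes(records, qis).values())


def unique_records(records, qis=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination appears exactly once."""
    classes = equivalence_classes(records, qis)
    return [r for r in records if classes[_key(r, qis)] == 1]


def risk_report(records, k=2, qis=QUASI_IDENTIFIERS):
    """Return (actual k, number of records in a class smaller than the target k)."""
    classes = equivalence_classes(records, qis)
    failing = sum(1 for r in records if classes[_key(r, qis)] < k)
    return min(classes.values()), failing


def generalize(record):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and a 5-year birth band."""
    out = dict(record)
    out["zip"] = record["zip"][:3]
    out["birth_year"] = (record["birth_year"] // 5) * 5
    return out


def suppress_below_k(records, k=2, qis=QUASI_IDENTIFIERS):
    """Drop records that still sit in a class smaller than k after generalization."""
    classes = equivalence_classes(records, qis)
    return [r for r in records if classes[_key(r, qis)] >= k]


if __name__ == "__main__":
    print("raw:", risk_report(RECORDS))
    generalized = [generalize(r) for r in RECORDS]
    print("generalized:", risk_report(generalized))
    print("still unique:", unique_records(generalized))
    print("released:", len(suppress_below_k(generalized)))
```

On the constructed data four of six records are unique on the raw fields; coarsening ZIP and birth year leaves one outlier (the 1935 birth year), which is exactly the kind of record an expert would either suppress or coarsen further before signing the determination that 164.514(b) requires.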
De-Identifying PHI
Re-Identification
• Question: Can a code be used to re-ID information that previously was de-ID?
• Answer: Yes.
  – A CE may assign a code or other means of record identification to allow de-identified information to be re-identified by the CE, provided that:
    – The code or other means of record identification is not derived from or related to info about the individual and is not otherwise capable of being translated so as to identify the individual; and
    – The CE does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.
164.514(c) Re-Identification
De-Identification
Coded data
• Privacy Rule allows a CE to code data and then disclose it as “de-identified”
  – The code is secured and not distributed with the data
  – Codes cannot be derived from IIHI (e.g., last 4 digits of SSN)
• Common Rule considers coded data with an agreement/policy that the PI can’t access the code to not involve human subjects
• When the PI codes data it is not de-identified, but it may be Common Rule exempt if the PI does not hold the code
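The two rules for coded data in the slides above (strip the 18 identifier categories; the re-identification code is random, held only by the CE, and never derived from the individual's information) in working form, as an added example that is not the deck's or Tulane's own code. The field names, the sample record and the substring heuristic used to flag a code that was built from an identifier (the slide's "last 4 digits of SSN" case) are assumptions of this example.

```python
"""Safe Harbor field removal plus a CE-held re-identification code (164.514(b)-(c)).

Added example, not Tulane's code. Field names and the sample record are
constructed; the person described does not exist.
"""
import secrets

# The 18 identifier categories from the slides mapped onto this example's
# field names (an assumption). "Any dates" covers two fields here.
SAFE_HARBOR_FIELDS = frozenset({
    "name", "street_address", "ssn", "phone", "fax", "email", "full_face_photo",
    "date_of_birth", "admission_date",
    "mrn", "health_plan_number", "account_number", "license_number",
    "vin", "device_serial", "url", "ip_address", "fingerprint_hash",
    "other_unique_id",
})

# Constructed sample record.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "1234 Example St, New Orleans, LA 70118",
    "ssn": "000-00-1234",
    "phone": "504-555-0100",
    "email": "jane.sample@example.invalid",
    "date_of_birth": "1961-03-15",
    "admission_date": "2010-02-01",
    "mrn": "MRN-0000001",
    "ip_address": "192.0.2.10",
    "diagnosis": "Type 2 diabetes",
    "hba1c": 7.9,
    "sex": "F",
}


def remaining_identifiers(record):
    """Names of Safe Harbor identifier fields still present in the record."""
    return sorted(k for k in record if k in SAFE_HARBOR_FIELDS)


def safe_harbor_deidentify(record):
    """Drop every Safe Harbor identifier field and keep the clinical content."""
    return {k: v for k, v in record.items() if k not in SAFE_HARBOR_FIELDS}


def code_derived_from_record(code, record):
    """Heuristic for the 164.514(c) rule that the code must not be derived from
    information about the individual: flag a code that appears inside (or
    equals) any identifier value, e.g. the last four digits of the SSN."""
    stripped = code.replace("-", "")
    for field in SAFE_HARBOR_FIELDS:
        value = str(record.get(field, "")).replace("-", "")
        if value and (code in value or stripped in value):
            return True
    return False


class ReidentificationKey:
    """Code -> identifiers table. Held by the CE, never shipped with the data,
    and used for no other purpose (164.514(c))."""

    def __init__(self):
        self._table = {}

    def assign(self, record):
        # Random token: unrelated to anything about the individual.
        code = secrets.token_hex(8)
        while code in self._table or code_derived_from_record(code, record):
            code = secrets.token_hex(8)
        self._table[code] = {k: record[k] for k in remaining_identifiers(record)}
        return code

    def reidentify(self, code):
        """Only the CE holding this table can map a code back to the person."""
        return self._table[code]


def deidentify_with_code(record, key):
    """Return (record stripped of identifiers and carrying only the study code, code)."""
    code = key.assign(record)
    released = safe_harbor_deidentify(record)
    released["study_code"] = code
    return released, code


if __name__ == "__main__":
    key = ReidentificationKey()
    released, code = deidentify_with_code(SAMPLE_RECORD, key)
    print("released:", released)
    print("last-4-SSN code derived from record?", code_derived_from_record("1234", SAMPLE_RECORD))
    print("re-identified by CE:", key.reidentify(code)["name"])
```

The released dictionary is what leaves the CE; the `ReidentificationKey` object stays behind, which is the "code is secured and not distributed with the data" point from the slide. A code built from the SSN fails the check because anyone holding the original identifier could reverse it; a random token cannot be translated back without the table.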
De-Identified vs Anonymous
• De-identified health information is not PHI and, thus, is not protected by the Privacy Rule
• “Anonymous” is a DHHS/IRB term
  – Identity of the subject may not readily be ascertained
  – Anonymous can refer to the fact that identifying information was never collected
  – If collected, anonymous data may or may not be de-identified
How can PHI be used or disclosed?
• Use = internal sharing, examination, analysis of PHI within a CE
• Disclosure = external release, transfer or divulging of PHI by a CE
• If the Privacy Rule applies, then a CE can use/disclose PHI for:
  – TPO: treatment, payment and healthcare operations (TPO), even without subject permission
  – Research:
    – With individual HIPAA authorization [45 CFR 164.508]
    – IRB-approved waiver or alteration of authorization [164.512(i)(1)(i)]
    – Limited data sets with Data Use Agreement [164.514]
    – Preparatory to Research [164.512(i)(1)(ii)]
    – Research of Decedents [164.512(i)(1)(iii)]
    – “Grandfathered” Research
    – Required by Law [164.512]
HIPAA Authorization for Research Use & Disclosures
Required Elements
• A HIPAA Authorization is the individual’s signed permission that contains:
  – Specific information to be used/disclosed
  – By whom and to whom (may be classes of persons)
  – Purpose of use/disclosure
    – Be specific – cannot authorize future unspecified research
  – How long the authorization is valid (“end of study” or “forever” are okay if justified by research)
  – Potential risks of re-disclosure (e.g., if data shared with non-HIPAA covered entity)
  – Signed & dated
  – Do not condition treatment on signing authorization
  – Right of individual to revoke authorization (pro-actively)
• Authorization may be combined with study informed consent.
  – Tulane does not allow combination of HIPAA authorization with any other consent/documents, to avoid subject confusion
Comparison—Research permissions

Issue: Permission for Research
– HIPAA Privacy Rule: Authorization
– DHHS Human Subjects Regs: Informed Consent (IC)
– FDA Human Subjects Regs: IC

Issue: IRB/Privacy Officer Duties
– HIPAA Privacy Rule: CE must obtain authorization for research use/disclosure of PHI unless HIPAA exception exists; neither IRB nor Privacy Officer reviews authorization form
– DHHS Human Subjects Regs: IRB must ensure that IC is sought from & documented for each prospective subject per DHHS regs; if DHHS regs met, IRB may waive either obtaining IC or documenting IC; IRB must review/approve HIPAA authorization form if combined with IC; Privacy Officer has no authority
– FDA Human Subjects Regs: Same as DHHS requirements
IRB-approved waiver of HIPAA authorization
• When de-identification is impractical, or it is not feasible for researchers to obtain signed authorizations for all the PHI the researcher needs to obtain, the Privacy Rule permits obtaining IRB approval for a waiver or alteration of the authorization requirement regarding uses & disclosures
Section 164.512(i); see also Use & Disclosure of PHI for Research (TU P&P GC-012)
IRB-approved waiver of authorization (cont.)
• IRB must determine:
  – Minimal risk to privacy
  – Research couldn’t be conducted without access and without waiver
  – Written assurance PHI won’t be re-disclosed or re-used except as required/permitted by law
  – Limited to minimum necessary
• IRB need only review the request to waive or alter authorization (vs the actual authorization)
• IRB waiver of authorization documented in IRB approval letter
Partial waivers of Authorization & alterations to Authorization approved by IRB
• Recruitment may require access to PHI but no patient contact
• Phone eligibility screens where no written authorization possible
• Can waive authorization for these initial research processes and then consent subjects later
• No provisions for waiving documentation only
Q&A: Tissue banks & old tissue samples
• Question: We have a freezer full of old tissue blocks that have built up over the years and we want to use them for our new research. Is this human subjects research & is a HIPAA authorization needed?
• Answer:
  – It depends on whether human subjects research exists. Look to investigator intent:
    – Systematic investigation
    – On a living individual about whom the investigation is being conducted
    – About whom the investigator conducting research obtains
      – Data through intervention or interaction with the individual; or
      – Individually identifiable private information
    – That is designed to develop or contribute to “generalizable knowledge”
  – If human subjects research, then samples repository & IRB-approved protocol regarding use & maintenance of samples
    – Was there consent/authorization to keep the samples when they were collected?
    – Was there informed consent/authorization for future activities?
    – Is the proposed use consistent with any prior consent/authorization?
  – Otherwise, access requires an IRB waiver for use or disclosure of information
Comparison—Cooperative Research & Waiver/Alteration of HIPAA Authorization
For multi-site research or research requiring use/disclosure of PHI created or maintained by multiple CEs or where multiple IRBs may be involved, review by 1 IRB is okay.

– HIPAA Privacy Rule: Requests to waive or alter the authorization requirement are reviewed/approved by IRB; a CE may reasonably rely on the IRB decision
– DHHS Protection of Human Subjects: Each institution is responsible for safeguarding rights & welfare of human subjects & complying with DHHS protection of human subject regulations; with DHHS approval, an institution participating in a cooperative project may enter into a joint review arrangement, rely upon review of another qualified IRB or make similar arrangements to avoid duplicative effort
– FDA Protection of Human Subjects: Cooperative research/multi-institution studies may use joint review, reliance upon review of another qualified IRB, or similar arrangement aimed at avoiding duplicative effort
Comparison—Waivers of Authorization or IC Requirements

– HIPAA Privacy Rule: Allows waiver or alteration of authorization when IRB or Privacy Officer/Privacy Board deems the following are met:
  a. Use/disclosure involves no more than minimal risk to privacy because the following exist:
     1. Adequate plan to protect IIHI from improper use or disclosure
     2. An adequate plan to destroy IIHI at the earliest opportunity absent health or research justification or legal requirement to keep them
     3. Adequate written assurances that PHI will not be used or disclosed to a 3rd party except as required by law, for authorized oversight of research, or for other permitted uses or disclosures
  b. Research could not practicably be conducted without waiver or alteration; AND
  c. Research could not practicably be conducted without access to & use of PHI

– DHHS Protection of Human Subjects: Permits IRB to waive some/all elements of IC, or to waive the need to obtain IC, if IRB finds & documents:
  a. Research involves no more than minimal risk to subject
  b. Waiver or alteration will not adversely affect rights or welfare of subjects
  c. Research could not practicably be carried out without waiver or alteration
  d. When appropriate, subjects will be given pertinent info after participation

– FDA Protection of Human Subjects: Permits FDA to waive the IRB review requirement; permits IRB to approve a clinical investigation without subjects’ IC in certain circumstances (see 21 CFR 50.23 & 21 CFR 50.24). These include:
  a. Immediate use of test article is, in investigator’s opinion, needed to preserve life of subject & insufficient time exists to get IC
  b. Emergency research
Limited Data Sets
Background
• Privacy Rule permits disclosure of limited data sets (“almost” identified) by a CE and researcher to another researcher for research, public health or healthcare operations
• Receiving researcher must have a signed Data Use Agreement with the CE
• No need for authorization or IRB waiver
• Does not require accounting for disclosures
Limited Data Sets
16 Identifiers (versus 18 IIHI)
For a limited data set to exist, remove the following IIHI:

More obvious identifiers
1. Names
2. Address (except town, city, state & zip)
3. SSN
4. Phone
5. Fax
6. E-mail
7. Full face photo

Less obvious identifiers
8. Any dates
9. MRN
10. Health plan #
11. Account #’s
12. License #
13. VIN
14. Device #
15. URLs
16. IP address
17. Finger/voice print
18. Any other unique identifying numbers, characteristics or codes
Limited Data Sets
Data Use Agreements
• Because limited data sets contain IIHI (i.e., potentially 2 categories), they are PHI and a Data Use Agreement is required under the Privacy Rule
• A Data Use Agreement is a way for a CE to set boundaries for the use and disclosure of limited data sets by the researchers who receive the PHI
Limited Data Sets
Elements to Include in Data Use Agreements
1. Establish permitted use/disclosure of the limited data set by the recipient, consistent with the purpose of the research; no use/disclosure by the recipient that would violate the Privacy Rule if done by the disclosing CE; and
2. Limit who can use/disclose PHI received; and
3. Recipient stipulates:
   – Not to use/disclose info other than as permitted by the data use agreement or as required by law
   – Use safeguards to prevent use/disclosure of info not allowed by the data use agreement
   – Report to the CE any use/disclosure of info not allowed by the data use agreement
   – Ensure that any agents/contractors of the recipient who receive info agree to the data use agreement requirements
   – Not identify the info or contact the subjects
When to use Data Use Agreements?
• Use Data Use Agreements if the limited data set recipient/researcher:
  – Is an employee or workforce member of another covered entity
  – Is another covered entity
  – “Internal” data use scenario where recipient is a TU employee or not part of TUMG
[See TU Data Use Agreement Policy (GC-018)]
Preparatory to Research
• An investigator may use/disclose PHI to prepare a research protocol, design a study, assess study feasibility, grant prep, etc.
• Investigator must certify (orally/in writing) that:
  – Use/disclosure of PHI is solely preparatory to research,
  – PHI will not be removed from the CE, and
  – PHI sought is necessary for the research

Research of Decedents
• An investigator may use/disclose PHI of a decedent for research
• Investigator must certify that:
  – Use/disclosure of PHI is solely to research PHI on the decedent,
  – PHI sought is necessary, &
  – Proof of death (if the CE requests proof of death)
“Grandfathered” Research
• Under the Privacy Rule’s transition provisions, a CE may use/disclose PHI for research purposes if one of the following was obtained before the 4/14/2003 HIPAA Privacy compliance deadline:
  – Individual authorization or other express legal permission to use/disclose PHI for research;
  – Subject provided IC to participate in research; or
  – IRB waiver of IC

Required by Law
• Privacy Rule permits use/disclosure of PHI required by law (Federal or State), even if no express individual permission exists. Examples include a CE disclosing PHI (as legally required):
  – To cancer registries (or other registries)
  – To public health authorities re. preventing or controlling disease, injury or disability or public health surveillance, investigations and interventions
  – To a person subject to FDA jurisdiction (e.g., a sponsor) re. an FDA-regulated product/activity for which that person has responsibility re. QA, safety or effectiveness of the FDA-regulated product/activity
    – Includes adverse event reporting; FDA product tracking; post-market surveillance; & enabling product recalls, repairs, replacements, etc.
  – To health oversight agencies (e.g., Federal, State, accreditation, etc.)
Certificates of Confidentiality (CoC)
Background
• CoCs are issued by NIH, FDA & CDC to protect identifiable information on IRB-approved research from forced disclosure
• Protect against subpoena, court order or request from any Federal, State or local proceeding (i.e., civil, criminal, administrative, legislative, etc.)
• Allow investigators & others with access to research records not to disclose information that could ID research subjects if the disclosure could have adverse consequences for subjects (e.g., subject’s financial standing, employability, insurability, reputation, etc.)
[42 USC 241(d) (with DHHS authority delegated to respective Federal agencies)]
Certificates of Confidentiality (CoC)
Adverse Consequences
• Examples of research with potential adverse consequences for subjects:
  – Collecting genetic information
  – Collecting information on psychological well-being of subjects
  – Collecting information on sexual attitudes, preferences or practices
  – Collecting data on substance abuse or other illegal risk behaviors
  – Studies where subjects may be involved in litigation related to exposures under study (e.g., breast implants, environmental or occupational exposures)

Certificates of Confidentiality (CoC)
Potential Recipients
• Issued for single, well-defined research projects
• CoCs granted to Institutions based on PI’s application
• May be issued for cooperative multi-site projects
  – Must have a coordinating center or “lead” institution responsible for ensuring that all institutions conform to application assurances
  – Lead institution can apply on behalf of all associated institutions
Certificates of Confidentiality (CoC)
Assurances
• Lead institution is responsible for ensuring that all institutions conform to application assurances & agree to:
  – Protect against compelled disclosure and support/defend authority of the CoC against legal challenges
  – Comply with Federal regs re. human subject protection
  – Not represent the CoC as an endorsement of the study by the Federal Government or use it to coerce participation
  – Inform subjects re. existence of the CoC, its protections & limitations
Certificates of Confidentiality (CoC)
Limits of Protection
• CoC protects data maintained during any time the CoC is in effect
• Protects that data in perpetuity
• Does not eliminate the need to disclose to the Government for study audits & investigations
• Does not protect against disclosures reportable by law:
  – Child/elder abuse
  – Threat of harm to self/others
  – Communicable diseases
• CoC does not eliminate the need for data security, which is essential to protection of research subjects’ privacy
  – Researchers should safeguard research data & findings from unauthorized use & disclosures

Projects Not Eligible for CoC
• Not research
• Not collecting personally identifiable information
• No IRB review/approval
• Collecting information that, if disclosed, would not significantly harm or damage the subject
Minimum Necessary
• Privacy Rule limits the non-routine use, disclosure, or requesting of PHI to the minimum amount of info necessary to accomplish the purpose of the use or disclosure.
• Non-routine disclosures do not include the following:
  – De-identified information
  – Limited data set information
  – Made pursuant to a HIPAA authorization
  – For TPO
  – If required by law
[See Minimum Necessary Standard (TU GC-005)]
Accounting for Non-Routine Disclosures
• HIPAA requires accounting for:
  – Non-routine disclosures AND
  – Disclosures of PHI involving 50 or more subjects on a study.
• The accounting may provide:
  – Name of protocol or other research activity;
  – Description of research protocol or other research activity, including the purpose of research and criteria for selecting particular records;
  – Brief description of type of PHI disclosed;
  – Date or period of time during which such disclosures occurred, or may have occurred;
  – Name, address, and phone of research sponsor and of researcher to whom the information was disclosed; and
  – Statement that the PHI of the individual may or may not have been disclosed for a particular protocol or other research activity.
164.528(b)
Recap