Saint Louis University HIPAA Research Policies and Procedures Q & A
Version: 8/1/11

GENERAL QUESTIONS

Q: What is PHI?
A: PHI = Health Information + Personal Identifiers.

Q: What is Health Information?
A: Any information, whether oral or recorded in any form or media, that (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Q: What is research?
A: A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. This includes the development of research repositories and databases for research.

Q: What constitutes "Research Records"?
A: Research records are more than just Case Report Forms. They include any PHI in the research records or notes the investigator collects.

Q: What is a database custodian?
A: An individual who maintains a log of the individuals who receive PHI from the database.

Q: What is a Limited Data Set?
A: PHI from which 16 categories of direct identifiers have been removed. It may be used or disclosed for research, public health, or health care operations under a Data Use Agreement, without obtaining the individual's Authorization or a waiver or alteration of Authorization. A limited data set may still contain ZIP codes, geocodes (town, city, state), dates of birth and other dates, so it is not de-identified data.

Q: What is a Data Use Agreement?
A: An agreement between the covered entity and the intended recipient of a limited data set that establishes how the information in the limited data set may be used and how it will be protected.

Q: What is a covered entity?
A: Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Covered entities can be institutions, organizations, or persons. Researchers at SLU are included as part of the SLU single covered entity.

Q: What is a designated record set?
A: A group of records maintained by or for a covered entity that (1) includes medical and billing records about individuals maintained by or for a covered health care provider; (2) includes enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (3) is used, in whole or in part, by or for the covered entity to make decisions about individuals. A record is any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity. Research records can be part of a designated record set.

Preparatory to Research

Q: Is there any part of the research data collection process that does not require IRB privacy review, assuming other Common Rule requirements do not require IRB review?
A: Yes: activities preparatory to research, research on decedents' information, limited data sets used under a data use agreement, and information that reaches the PI de-identified, that is, stripped of all 18 identifiers listed in HIPAA. Those identifiers include: address, account number, any vehicle or device serial number, certificate/license number, date of birth, e-mail address, fax number, finger or voice prints, health plan number, internet protocol (IP) address, name, name of employer, photographic images (including x-rays), social security number, telephone number, and web universal resource locator (URL). Medical record numbers and any other unique identifying number, characteristic, or code also count among the 18 identifiers.

Q: How can I review medical records of patients with a particular disease to identify participants for my research study?
A: Apply to the custodian of the records to review them under the Preparatory to Research provision. Recruitment of subjects other than the medical practitioner's own patients requires IRB approval.

Submitting to the IRB

Authorizations

Q: When do I need a HIPAA research authorization?
A: Whenever you plan to collect PHI for research that will be used or disclosed.

Q: How do I complete an authorization and what information must be included?
A: The template authorization is linked from the IRB website.

Q: Do I need a HIPAA research authorization for subjects recruited into a previously IRB approved study?
A: If the consent form was signed before April 14, 2003, no additional form is needed. If you enroll subjects into a research study on or after April 14, 2003, each subject must sign an approved HIPAA Addendum form. If you re-enroll subjects, or if the IRB determines that reconsent of subjects is needed, you will need a HIPAA Addendum.

Waivers

Q: When do I seek a waiver of authorization for access to PHI and how do I obtain it?
A: If your study meets the criteria for a waiver, you may request a Waiver of Authorization in the IRB Application. The criteria are:
1. The Protected Health Information (PHI) to be used and/or disclosed is the minimum necessary for the study.
2. The use or disclosure of PHI involves no more than minimal risk to the privacy of individuals, based on at least the following three elements:
   a. There is an adequate plan to protect the identifiers from improper use and disclosure.
   b. There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law.
   c. The PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by HIPAA.
3. The research could not practicably be conducted without the waiver or alteration.
4. The research could not practicably be conducted without access to and use of the PHI.

Q: Who reviews the research authorizations and waivers?
A: The IRB.

ONCE RESEARCH IS APPROVED

Q: How does the Certificate of Confidentiality relate to the HIPAA changes?
A: HIPAA does not affect the protections provided by a Certificate of Confidentiality.

Q: Do my obligations to report serious adverse events or data required by state law change under HIPAA?
A: No.

Q: How should I store my paper and/or electronic data to be compliant with HIPAA?
A: Electronic and paper copies should be stored in a safe place where the information can be kept confidential, for example in a locked filing cabinet in a locked office, or in password protected files.

Q: How do I dispose of research data that contains PHI?
A: Shred paper records, wipe the hard drive, destroy CDs, strip the data of all identifiers, etc. Keep in mind the data retention policies of sponsors (e.g., NIH, NSF, commercial sponsors).

Q: How long must signed Authorizations and disclosures of PHI be tracked?
A: The signed Authorization, and the record of any disclosures made under a HIPAA Waiver, must be retained by the covered entity for 6 years from the date of creation or the date it was last in effect, whichever is later.

Q: Who will handle requests for use and disclosure of PHI?
A: For research related requests, email the IRB at irb@slu.edu or phone (314) 977-7744. For all other requests, email the University Privacy Officer at hipaa@slu.edu or phone (314) 977-5545.

Q: What must I do if a subject revokes authorization to use their PHI for research purposes?
A: Notify the participant in writing that his/her request has been received. Track the revocation, and count it as a subject withdrawal on your continuing review application.

Q: How do I track the research authorizations from each patient and his/her wishes regarding the use of their PHI for research?
A: File authorizations in the research file along with the consent. Also keep documentation of:
1. any requests for revocation of authorization (kept in the participant's research file);
2. IRB granted waivers of authorization.

Q: What information must be conveyed to a research subject who submits a withdrawal letter from the study?
A: The PI or study representative can write on the letter "Receipt of the letter and withdrawal from the study acknowledged," sign and date the acknowledgement, and return a copy of the letter to the study subject.

Q: Can I expect audits or inspections for HIPAA compliance?
A: Yes. The federal government or University Compliance could audit, and there are heavy monetary fines for non-compliance, so internal audits to monitor compliance may also take place.

Q: What research data may I share with research collaborators at another university?
A: If the collaborator is part of your research team and is so designated in the authorization, PHI may be shared with that collaborator. Otherwise, consider a Limited Data Set with a Data Use Agreement.

Q: I am performing clinical research that also involves treatment. What steps do I need to take to deal with both the clinical and research issues?
A: Either an authorization or a waiver of authorization will cover all aspects of the research study. It is important that your clinical authorization for each participant contains a copy of your research authorization or waiver (if appropriate), to identify the participant as a research participant as well as a clinical patient. All participants undergoing clinical treatment should be given the Notice of Privacy Practices prior to collection of PHI.

Q: After the IRB approved HIPAA Authorization form is signed by a subject, along with the IRB approved consent form, allowing investigators to use and disclose PHI for the purposes explained in the consent form, is the Disclosure Tracking Log used, and how?
A: If you have an authorization to use and disclose PHI, there is no tracking requirement so long as you disclose only to the individuals/entities described in the HIPAA Addendum. If you have a Waiver of Authorization, you must track every disclosure.

Q: Are there research studies in which both a Waiver of HIPAA authorization and a HIPAA Authorization are needed?
A: Yes. For example, emergency research or a telephone interview that includes potential recruitment may qualify for a Waiver, while a subsequent collection of prospective research information during an encounter with the study subject may require an Authorization.

Q: We obtain IRB approved consents from mothers providing tissue for our cord blood collection program. Do we also need a HIPAA authorization?
A: Because the Saint Louis Cord Blood Bank is part of the NMDP (National Marrow Donor Program), under HIPAA there is no requirement to obtain authorization to share cord donor information, even though it is protected health information. Consents for treatment are not part of the HIPAA authorization requirement; however, you indicated an informed consent that mothers sign when donating cords. If it is just consent for treatment, no special change is needed for HIPAA. Your reference to IRB approval would seem to imply research. If research is involved, a specific authorization or waiver is required to use the protected health information (PHI).

Q: I understand that the acknowledgement of the NPP signed by the patient goes to Medical Records, but we have several patients who are referred for research studies by physicians and who never go to the DOB and therefore do not have a medical record. Should the copy of the acknowledgement go in the research chart?
A: Yes, the acknowledgement should go into the research chart. You may also wish to indicate, with a sticker or some other means, that the patient has received a copy of the Privacy Notice and therefore need not receive it on subsequent visits.

Q: When do I need to give a Notice of Privacy Practices to the research subject?
A: At the first face to face meeting with the subject, give them a copy of the NPP and ask them to sign the acknowledgement of receipt form.

Q: We do not use Study Manager, so is it acceptable to track disclosures using an Excel database?
A: HIPAA does not specify how disclosures are tracked. Where more sophisticated electronic tracking is not available, an Access database or Excel spreadsheet is acceptable as long as it contains the required elements of information. A sample Excel spreadsheet is available on the IRB-HIPAA Web site.

Q: Our department utilizes shadow charts. The Study Unit copies from the shadow chart to make the research chart for source documentation purposes. Is this still acceptable under HIPAA?
A: Shadow charts should not be used as the documentation source; for disclosure accountability purposes, Medical Records is the source. The expectation is that you will not use shadow charts as the source document.

Q: Research charts are currently locked at night but not in locked cabinets. Our space is locked at night and the doors into the area itself are locked by security. In essence, our files are double-locked with limited access. Is that sufficient?
A: Absolutely reasonable.
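The disclosure tracking questions above (tracking under a Waiver, the 6-year retention period, and an Excel or Access log that "contains the required elements") can be made concrete with a small script. The example below is an added illustration written for this page; it is neither SLU's tracking tool nor the IRB's sample spreadsheet. It assumes the log is exported to CSV and takes its required columns from the Privacy Rule's accounting-of-disclosures provision (45 CFR 164.528(b)(2)): date of disclosure, the recipient (with address if known), a brief description of the PHI disclosed, and the purpose. The subject IDs, dates and recipients are constructed sample data; the six-year lookback is the period an individual may request an accounting for.

```python
"""Accounting-of-disclosures log for PHI released under a HIPAA Waiver of Authorization.

Added illustration, not SLU's tracking tool or the IRB's sample spreadsheet. The required
columns follow 45 CFR 164.528(b)(2); recipient_address is "if known" and therefore optional.
All rows in SAMPLE_LOG are constructed test data.
"""
import csv
import io
from datetime import date

REQUIRED_FIELDS = ("subject_id", "disclosure_date", "recipient", "phi_described", "purpose")
OPTIONAL_FIELDS = ("recipient_address",)
LOOKBACK_YEARS = 6  # an individual may request an accounting covering the prior six years

# Constructed sample log: row 2 is older than six years, row 3 is missing its recipient.
SAMPLE_LOG = """subject_id,disclosure_date,recipient,recipient_address,phi_described,purpose
S-001,2011-03-15,Dr. A. Collaborator (Other University),"123 Any St, Anytown",Diagnosis codes and visit dates,Collaborative analysis under IRB waiver
S-002,2004-06-01,State Cancer Registry,,Tumor stage and treatment dates,Required by state law
S-001,2011-05-02,,,Laboratory values,Secondary analysis
"""


def parse_log(text):
    """Read a CSV log (as exported from Excel/Access) into a list of row dicts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row = {k: (v or "").strip() for k, v in row.items()}
        # Leave an empty date as None so validate() can report it instead of crashing here.
        row["disclosure_date"] = (
            date.fromisoformat(row["disclosure_date"]) if row["disclosure_date"] else None
        )
        rows.append(row)
    return rows


def validate(rows):
    """Return (1-based row number, missing required fields) for every incomplete row."""
    problems = []
    for i, row in enumerate(rows, start=1):
        missing = [f for f in REQUIRED_FIELDS if not row.get(f)]
        if missing:
            problems.append((i, missing))
    return problems


def years_before(d, years):
    """Same calendar date `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def accounting_for(rows, subject_id, as_of):
    """Disclosures for one subject within the six years ending on as_of (inclusive), oldest first."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    start = years_before(as_of, LOOKBACK_YEARS)
    hits = [
        r for r in rows
        if r["subject_id"] == subject_id
        and r["disclosure_date"] is not None
        and start <= r["disclosure_date"] <= as_of
    ]
    return sorted(hits, key=lambda r: r["disclosure_date"])


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for rownum, missing in validate(log):
        print(f"row {rownum}: missing required element(s): {', '.join(missing)}")
    for r in accounting_for(log, "S-001", "2011-08-01"):
        print(r["disclosure_date"], r["recipient"] or "(unrecorded)", "-", r["phi_described"])
```

Run the validator before the log is relied on for an accounting request: a row with no recipient cannot be reported to the subject, and a disclosure with no date cannot be placed inside or outside the six-year window.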
DATABASE RESEARCH

Q: Do I need to seek any review and approval before I conduct database research?
A: Yes, you should submit an application for a HIPAA Waiver.

Q: What do I do if I have a database that is used for clinical purposes?
A: Clinical database registration is handled through the business units. Contact your HIPAA Liaison or Trainer for more information.

Q: What should I do if I have an existing research database that contains a lot of patient information?
A: If you have not already done so, submit an application to list your database with the IRB so that you can use the database for research purposes.

Q: I work with existing or discarded tissue specimens. Am I affected by the new HIPAA rules?
A: It depends. If the samples are de-identified (contain no PHI), the research is not affected by HIPAA. If PHI is associated with the tissue samples, you should apply for a HIPAA waiver. If samples are collected prospectively and consent is sought, HIPAA authorization will be required.

Q: Do I have to seek a waiver of authorization or an authorization every time I do a data search in my database?
A: No. As long as you are not conducting research, you may search your private databases.

Q: Does SLU have a standard Data Use Agreement?
A: Yes, a standard Data Use Agreement is available on the SLU IRB HIPAA web site.

TELEPHONE INTERVIEWS

Q: For subjects whom we consent by telephone, do we have to make any changes associated with HIPAA language?
A: The researcher should first apply for a HIPAA Waiver. The interviewer should then incorporate HIPAA related privacy information into the telephone script and inform the subject that the Notice of Privacy Practices (NPP) is available via the web, or that the investigator can send a copy of the NPP if the subject provides a name and mailing address.

Q: If I am approved by the IRB for a HIPAA Waiver because I am conducting a telephone survey, do I need to collect additional PHI so I can send a Notice of Privacy Practices to the research subject?
A: Under a HIPAA waiver there is no need to send the NPP, but it is suggested that your phone script state that the NPP is available via the web, or that the investigator can send a copy if the subject provides a name and mailing address.

RECRUITMENT ISSUES

Q: Typically, our physicians see patients in clinic and send us a memo asking us to put the patient in our database for potential studies. Is this allowable under HIPAA?
A: The patient should sign a letter authorizing you to keep their name, address, phone number, etc. in a database for purposes of future recruitment for research. The letter must also state that the patient has the right to opt out at any time. This authorization should be obtained at the time of treatment.

Q: We usually prescreen charts to see if a patient will qualify for a study. Does this require authorization?
A: Please see the Preparatory to Research Review Application.

Q: Normally, patient information in our database is used at the beginning of a clinical research project to help identify patients with a specific diagnosis who may therefore be good candidates for a study. If I receive a request from a SLU clinician for a list of patients with a particular diagnosis, do I need a waiver? If yes, does the clinician submitting the request need to provide the waiver?
A: Under HIPAA, access to this information is allowable under the Preparatory to Research provision. Please see the Preparatory to Research Review Application.

Q: We do many collaborative projects and receive requests from researchers outside the SLU community. Do we need any additional releases or waivers? If so, what?
A: Collaborative studies involving HIPAA could have any range of requirements, including IRB review, code access agreements and/or, if the PHI is limited to dates and certain geographic data (a Limited Data Set), a Data Use Agreement. Contact the IRB to determine how to proceed with the collaboration in a fully compliant manner.