Saint Louis University
HIPAA Research Policies and Procedures Q & A
GENERAL QUESTIONS
Q: What is PHI?
A: PHI = Health Information + Personal Identifiers
Q: What is Health Information?
A: Any information, whether oral or recorded in any form or media, that (1) is created or
received by a health care provider, health plan, public health authority, employer, life insurer,
school or university, or health care clearinghouse; and (2) relates to the past, present, or future
physical or mental health or condition of an individual; the provision of health care to an
individual; or the past, present, or future payment for the provision of health care to an
individual.
Q: What is research?
A: A systematic investigation, including research development, testing, and evaluation, designed
to develop or contribute to generalizable knowledge. This includes the development of research
repositories and databases for research.
Q: What constitutes “Research Records?”
A: Research records constitute more than just Case Report Forms. They include any PHI in the
research records or notes the investigator collects.
Q: What is a database custodian?
A: A database custodian is an individual who maintains a log of individuals who receive PHI
from the database.
Q: What is a Limited Data Set?
A: Refers to PHI that excludes 16 categories of direct identifiers and may be used or disclosed,
for purposes of research, public health, or health care operations, without obtaining either an
individual’s Authorization or a waiver or an alteration of Authorization for its use and
disclosure, with a data use agreement. Elements of a limited data set include ZIP codes,
geocodes (town, city, state), dates of birth and other dates.
Q: What is a Data Use Agreement?
A: An agreement into which the covered entity enters with the intended recipient of a limited
data set that establishes the ways in which the information in the limited data set may be used
and how it will be protected.
Q: What is a covered entity?
A: Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care
clearinghouses, and (3) health care providers who electronically transmit any health information
in connection with transactions for which HHS has adopted standards. Covered entities can be
institutions, organizations, or persons. Researchers at SLU are included as part of the SLU
single covered entity.
Version: 8/1/11
Q: What is a designated record set?
A: A group of records maintained by or for a covered entity that includes (1) medical and billing
records about individuals maintained by or for a covered health care provider; (2) enrollment,
payment, claims adjudication, and case or medical management record systems maintained by
or for a health plan; or (3) used, in whole or in part, by or for the covered entity to make
decisions about individuals. A record is any item, collection, or grouping of information that
includes PHI and is maintained, collected, used, or disseminated by or for a covered entity. It
can also include research records.
Preparatory to Research
Q: Is there any part of the research data collection process that is not required to be reviewed by
the IRB for privacy review assuming other Common Rule requirements do not require IRB
review?
A: Yes. Information that is preparatory to research, decedent research, limited data sets with
data use agreements, and information that comes to the PI de-identified, i.e., stripped of all 18
identifiers* listed in HIPAA:
*address, account number, any vehicle or device serial number, certificate/license number,
date of birth, e-mail address, fax number, finger or voice prints, health plan, internet
protocol (IP) address number, name, name of employers, photographic images (x-rays),
social security number, telephone number, web universal resource locator (URL).
Q: How can I review medical records of patients with a particular disease to identify participants
for my research study?
A: Apply to the custodian of the records to review the records under Preparatory to Research.
However, recruitment of subjects, other than a medical practitioner's own patients, requires
IRB approval.
Submitting to the IRB
Authorizations
Q: When do I need a HIPAA research authorization?
A: When you plan on collecting PHI for research to be used or disclosed.
Q: How do I complete an authorization and what information must be included?
A: The template authorization is linked to the IRB website.
Q: Do I need a HIPAA research authorization for subjects recruited into a previously IRB
approved study?
A: If the consent form was signed before April 14, 2003, no additional form is needed. If you
enroll subjects into a research study April 14, 2003 or later, you will need to have each subject
sign an approved HIPAA Addendum form. If you re-enroll subjects, or if the IRB determines that re-consent of subjects is needed, you will need a HIPAA Addendum.
Waivers
Q: When do I seek a waiver of authorization for access to PHI and how do I obtain it?
A: If your study meets the criteria for a waiver, you may request a Waiver of Authorization in the
IRB Application. These criteria are:
1. Protected Health Information (PHI) to be used and/or disclosed is the minimum necessary
information for the study.
2. The use or disclosure of PHI involves no more than minimal risks to the privacy of individuals
based on, at least, the presence of the following three elements:
a. There is an adequate plan to protect the identifiers from improper use and disclosure.
b. There is an adequate plan to destroy the identifiers at the earliest opportunity consistent
with conduct of the research, unless there is a health or research justification for
retaining the identifiers or such retention is otherwise required by law.
c. PHI information will not be reused or disclosed to any other person or entity, except as
required by law for authorized oversight of the research study, or for other research for
which the use or disclosure of PHI would be permitted by HIPAA.
3. The research could not practicably be conducted without the waiver or alteration.
4. The research could not practicably be conducted without access to and use of PHI.
Q: Who will be doing the review of the research authorizations and waivers?
A: The IRB.
ONCE RESEARCH IS APPROVED
Q: How does the Certificate of Confidentiality relate to the HIPAA changes?
A: HIPAA does not affect the protections provided by a Certificate of Confidentiality.
Q: Do my obligations to report serious adverse events or data required by state laws change
under HIPAA?
A: No.
Q: How should I store my paper and/or electronic data to be compliant with HIPAA?
A: Your electronic and paper copies should be stored in a safe place where the information can be
kept confidential, for example in a locked filing cabinet in a locked office, or in password-protected
electronic storage.
Q: How do I dispose of my research data that contains PHI?
A: Possible suggestions are to shred the data, clear the hard drive, destroy CDs, strip data of all
identifiers, etc. Keep in mind the data retention policies of sponsors (e.g., NIH, NSF, commercial
sponsors).
Q: How long must signed Authorizations and disclosures of PHI be tracked?
A: The signed Authorization and any disclosures made under a HIPAA Waiver must be retained
by the covered entity for 6 years from the date of creation or the date it was last in effect,
whichever is later.
Q: Who will handle requests for use and disclosure of PHI?
A: For research related requests: email the IRB at irb@slu.edu, or phone (314) 977-7744. For all
other requests: email the University Privacy Officer, at hipaa@slu.edu, or phone (314) 977-5545.
Q: What must I do if a subject revokes authorization to use their PHI for research purposes?
A: Send the participant notification in writing that his/her request has been received. Track this
information, and count this as a subject withdrawal on your continuing review application.
Q: How do I track the research authorizations from each patient and his/her wishes regarding the
use of their PHI for research?
A: Authorizations should be put in the research file along with the consent. Also keep
documentation of:
- Any requests for revocation of authorization (kept in the participant's research file)
- IRB-granted waivers of authorization
Q: What information must be conveyed to a research subject if they submit a withdrawal letter
from the study?
A: The PI or study representative can write on the letter “Receipt of the letter and withdrawal
from the study acknowledged.” The PI or study representative should sign and date the
acknowledgement and return a copy of the letter to the study subject.
Q: Can I expect audits or inspections for HIPAA compliance?
A: Yes, the federal government or University Compliance could audit. There are heavy
monetary fines for non-compliance. Therefore, internal audits to monitor compliance may take
place.
Q: What research data may I share with research collaborators who are at another university?
A: If the investigator is part of your research team and as long as it is so designated in the
authorization, PHI may be shared with the collaborator. Other options include use of a Limited
Data Set with a Data Use Agreement.
Q: I am performing clinical research that also involves treatment. What steps do I need to take to
deal with both the clinical and research issues?
A: Either an authorization or a waiver of authorization will cover all aspects of the research
study. It is important that your clinical authorization for each participant contains a copy of your
research authorization or waiver (if appropriate) to identify the participant as a research
participant as well as a clinical patient. All participants undergoing clinical treatment should be
given the Notice of Privacy Practices prior to collection of PHI.
Q: After the IRB approved HIPAA Authorization form is signed by a subject, along with the IRB
approved consent form, allowing investigators to use and disclose PHI for purposes explained in
the consent form, how, or is the Disclosure Tracking Log then utilized?
A: If you have received authorization to use and disclose PHI, there is no tracking requirement
so long as you only disclose to the individual/entity described in the HIPAA Addendum. If you
have a Waiver of Authorization, you must track any disclosures.
Q: Are there research studies in which both a Waiver of HIPAA authorization is allowed and a
requirement for a HIPAA Authorization needed?
A: Yes, as examples, emergency research or a telephone interview that includes potential
recruitment may qualify for a Waiver, but a subsequent collection of prospective research
information with an encounter with the study subject may require an Authorization.
Q: We obtain IRB approved consents from mothers providing tissue for our cord blood
collection program. Do we also need a HIPAA authorization?
A: Because the Saint Louis Cord Blood Bank is part of the NMDP (National Marrow Donor
Program), under HIPAA, there is no requirement to obtain authorization to share cord donor
information even though it is considered protected health information. Consents for treatment
are not part of the HIPAA authorization requirement; however, you indicated an informed
consent that mothers sign when donating cords. If it is just consent for treatment, there is no
special change that needs to take place for HIPAA. Your reference to IRB approval would seem
to imply research. If research is involved a specific authorization or waiver would be required
to utilize the protected health information (PHI).
Q: I understand that the acknowledgement of NPP signed by the patient goes to Medical Records
but we have several patients who are referred for research studies by physicians who never go to
the DOB and therefore do not have a medical record. Should the copy of the acknowledgement
go in the research chart?
A: Yes, the acknowledgement should go into the research chart. You may also wish to indicate,
by using a sticker or some other means, that the patient has received a copy of the Privacy
Notice and therefore will not need to receive a notice on subsequent visits.
Q: When do I need to give a Notice of Privacy Practices to the research subject?
A: At the first face-to-face meeting with the subject, you should give them a copy of the NPP and
ask that they sign the receipt acknowledgement form.
Q: We do not use Study Manager so is it acceptable to track disclosures using an Excel database?
A: HIPAA does not specify how we track disclosures. In situations where we do not have
access to more sophisticated means of electronic tracking, an Access database or Excel
spreadsheet is acceptable as long as it contains the required elements of information. There is a
sample Excel spreadsheet that is available on the IRB-HIPAA Web site.
Q: Our department utilizes shadow charts. The Study Unit will copy from the shadow chart to
make the research chart for source documentation purposes. Is this still acceptable under
HIPAA?
A: Do not use shadow charts as the documentation source; use Medical Records as the source
for disclosure accountability purposes. The expectation is that you will not use shadow charts
as the source document.
Q: Research charts are currently locked at night but not in locked cabinets. Our space is locked at
night and the doors into the area itself are locked by security. In essence, our files are double-locked with limited access. Is that sufficient?
A: Absolutely reasonable.
DATABASE RESEARCH
Q: Do I need to seek any review and approval before I conduct database research?
A: Yes, you should submit an application for a HIPAA Waiver.
Q: What do I do if I have a database that is used for clinical purposes?
A: Clinical database registration will be handled through the business units. Contact your
HIPAA Liaison or Trainer for more information.
Q: What should I do if I have an existing research database that contains lots of patient
information?
A: If you have not already done so, fill out an application to list your database with the IRB so
that you will be able to use the database for research purposes.
Q: I work with existing or discarded tissue specimens. Am I affected by the new HIPAA rules?
A: It depends. If the samples are de-identified (contain no PHI), the research is not affected by
HIPAA. If PHI is associated with the tissue sample, you should apply for a HIPAA waiver. If
samples are collected prospectively and consent is sought, HIPAA authorization will be
required.
Q: Do I have to seek a waiver of authorization or an authorization every time I do a data search
in my database?
A: No, as long as you are not conducting research, you are allowed to conduct searches on your
private databases.
Q: Does SLU have a standard Data Use Agreement?
A: A standard Data Use Agreement is available on the SLU IRB HIPAA web site.
TELEPHONE INTERVIEWS
Q: In regard to subjects where we consent them by telephone, do we have to make any changes
associated with HIPAA language?
A: The researcher should first apply for a HIPAA Waiver. The interviewer should then
incorporate HIPAA related privacy information into the telephone script and inform the subject
that the Notice of Privacy Practices (NPP) is available via the web or the investigator can send a
copy of the NPP if the subject provides a name and mailing address.
Q: If I am approved by the IRB for a HIPAA Waiver because I am conducting a telephone
survey, do I need to collect additional PHI so I can send a Notice of Privacy Practices to the
research subject?
A: Under a HIPAA waiver there is no need to send NPP but it is suggested that your phone
script state that NPP is available via the web or the investigator can send a copy of the NPP if
the subject provides a name and mailing address.
RECRUITMENT ISSUES
Q: Typically, our physicians see patients in clinic and send us a memo asking us to put the
patient in our database for potential studies. Is this allowable under HIPAA?
A: The patient should sign a letter authorizing permission to keep their name, address, phone
number, etc. in a database for purposes of future recruitment for research. The letter must also
indicate that the patient has the right to opt out at any time. This authorization should be
obtained at the time of treatment.
Q: We usually prescreen charts to see if a patient will qualify for a study. Does this require
authorization?
A: Please see the Preparatory to Research Review Application.
Q: Normally, patient information in our database is used at the beginning of a clinical research
project to help identify patients with a specific diagnosis who therefore may be a good candidate
to include in a study. If I receive a request from a SLU clinician for a list of patients with a
particular diagnosis, do I need a waiver? If yes, does the clinician submitting the request to me
need to provide the waiver?
A: Under HIPAA, access to this information is allowable as Preparatory to Research.
Please see the Preparatory to Research Review Application.
Q: We do many collaborative projects and receive requests from researchers outside of the SLU
community. Do we need any additional releases, waivers? If so, what?
A: Collaborative studies involving HIPAA could have any range of requirements, including IRB
review, code access agreements and/or if PHI is limited to dates and certain geographic data (a
Limited Data Set), a Data Use Agreement may be needed. Contact the IRB to determine how to
proceed with the collaboration in a fully compliant manner.