HIPAA and RESEARCH 101

1
HIPAA and RESEARCH101
2
What is Protected Health Information (PHI)?

• Name
• Address
• Telephone Number
• Fax Number
• Email Address
• Date of Birth
• Social Security Number
• Medical Record Number
• Account numbers

• Diagnosis
• Test results
• Dates of Treatment
• Vehicle ID numbers
• Device ID numbers
• Biometrics
• Photos

3
HIPAA Research Requirements for Using/Disclosing
PHI

• Specific Authorization
• Signed by patient/patient representative.
• Projects approved after 4/13/03 Authorization to
  be incorporated into the research informed
  consent.
• See Informed Consent Guidelines with HIPAA
  Language.
• Projects approved before 4/13/03 use stand alone
  Authorization.
• See Authorization to Release PHI for Research
  Purposes.
• At Continuing Review revise consent to include
  HIPAA language.
• Researcher must save for 6 years.

• Waiver of Authorization
• PI must submit a Request for Waiver of
  Authorization.
• Waiver must be approved and signed by the IRB.
• PI must save for 6 years.

4
Exceptions to HIPAA Authorization or WaiverIf
the Research falls into one of the following 4
categories, it does not require HIPAAA review by
the IRB, however, it still requires IRB review
and approval

• De-Indentified PHI
• PHI used to develop a research proposal
• PHI of Deceased Individuals
• Limited Data Set

5
1. DE-IDENTIFIED PHI

• Limited identifiers may remain if, even in
  combination, the identifiers could not
  realistically be traced to an individual patient.
• Example zip code and date of admission/service
• Submit proposal for IRB review and approval.

6
2. PHI Used Preparatory to Research

• PHI can not be removed from covered entity
  (Childrens).
• PI must submit a Data Collection for Review
  Preparatory to Research form to the IRB with
  proposal for review and approval.

7
3. PHI of Deceased Individuals

• PI must submit a Research on Decedents
  Information form to the IRB with proposal for
  review and approval.

8
4. Limited Data Set There must be a Data Use
Agreement between Childrens and the recipient
of the Limited Data Set

• A Limited Data Set may include
• Town, city, state and zip code.
• Elements of dates directly related to an
  individual including
• Birth Date
• Admission Date
• Discharge Date
• Date of Death

• A Limited Data Set must exclude
• Direct identifiers of the individual or their
  relatives, employers, or household members.
• Name
• Address (other than town, city, state,zip code)
• Telephone and/or Fax numbers
• Email address
• Social Security Number
• Medical Record Number
• Health Plan numbers
• Account Numbers
• Certificate/Licenses numbers
• Vehicle Identifiers
• Device Identifers
• Biometric Identifiers
• Full face photos
• Any other number, characteristic or code that
  could be used to identify the individual

9
How can you be HIPAA Compliant?

• IRB approval before 4/13/03
• Patients enrolled after 4/13/03 must sign an
  Authorization to Release PHI for Research
  Purposes.
• See Authorization to Release Protected Health
  Information for Research Purposes.
• When annual Continuing Review is due a revised
  informed consent incorporating HIPAA language
  must be reviewed and approved by the IRB.

• IRB approval after 4/13/03
• Informed Consent with HIPAA language must be
  reviewed and approved by the IRB.
• IRB approval after 10/31/03
• Informed Consent and Stand Alone Authorization
  must be reviewed and approved by the IRB.

10
DATA BASES CONTAINING PHI

• For Clinical Purposes only
• No IRB Requirement

• For Research Purposes
• Submit proposal to IRB for review and approval
  with Informed Consent containing HIPAA language
• OR
• Submit proposal to IRB for review and approval
  with Request for Waiver of Authorization and
  waiver of informed consent.