HIPAA PRIVACY PROCEDURES

              RESEARCH

 

General IRB Policy Regarding HIPAA Privacy Rule

 

 

 

Subject:           INSTITUTIONAL REVIEW BOARD POLICIES AND PROCEDURES FOR COMPLYING WITH PRIVACY LAWS THAT AFFECT USE AND DISCLOSURE OF DATA FOR RESEARCH

These policies and procedures state the HIPAA[1] obligations of the Howard University Institutional Review Board (hereinafter referred to as “IRB”) in its relationship with any Howard University Health Sciences Programs (hereinafter referred to as “Howard University” or University).

POLICY STATEMENT: Research by investigators affiliated with Howard University, and by third party investigators who may be affiliated with the University or a Sponsor, fills an important function for Howard University and for patients who may now or in the future benefit from research insights and therapeutic developments.  Where the Howard University Health Sciences’ Notice of Privacy Practices permits medical records to be used in research, data may be made available for use in research cleared by the IRB in accord with these IRB Policies.  These policies govern the use of data by investigators who are part of the workforce of Howard University or who are clinicians that are members of an Organized Health Care Arrangement with Howard University.  These policies also govern disclosures of data to investigators who are non-clinical personnel affiliated with the University, or who are employees or contractors of entities that sponsor or support research at Howard University (“Sponsors”).

It is the policy of the IRB to facilitate compliance with applicable laws and regulations that govern use or disclosure of health information for research by Howard University affiliated investigators and their Sponsors.  In particular, all research using information created, received or maintained by or on behalf of Howard University regarding its patients shall be conducted in accord with applicable requirements of federal health privacy standards promulgated by the Department of Health and Human Services (HHS) pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (the “Privacy Rule”) and analogous state laws and regulations.[2]

PROCEDURES FOR IMPLEMENTATION:  All investigators whose research proposals are reviewed by the IRB (whether under full or expedited review), as well as those whose exempt research is cleared by the IRB, shall be informed of their obligations to meet the requirements of the HIPAA Privacy Rule where they propose to use records of Howard University, or to enroll research participants and conduct research in facilities of Howard University.  The IRB will provide researchers with forms and suggestions regarding what the researcher needs to do to comply with applicable standards of the Privacy Rule.  These Policies and Procedures supplement, but do not supplant, other University policies and procedures governing IRB review of research protocols (e.g., policies and procedures in compliance with the Common Rule). 

1.            HIPAA Authorization and Informed Consent.  For all research where informed consent will be obtained from research participants who are patients of Howard University, investigators also must obtain authorization to use and disclose protected health information using the HIPAA Research Authorization form attached as Appendix A.  The HIPAA Research Authorization specifies the uses and disclosures of the medical record that Howard University may make in preparing and transmitting data to the Investigator and/or Sponsor, while the informed consent specifies the uses and disclosures that the Investigator and Sponsor may make of the research data set that has been disclosed by Howard University. 

Investigators may not use an authorization form whose content deviates from this form without the prior, express approval of the HIPAA Privacy Officer.  The IRB will not review authorization forms submitted by Investigators or Sponsors.  The HIPAA Research Authorization may not be combined in the same document with the research informed consent approved by the Howard University IRB.

2.            Exempt Research.  For exempt research that is cleared for Howard, the IRB will refer the investigator to the HIPAA Privacy Officer to enter into a Data Use Agreement, unless the IRB grants a Waiver of the HIPAA Research Authorization in accord with the applicable procedure, or determines that the Investigator must obtain each patient’s authorization in accord with paragraph 1, above. 

3.            Medical Records or Tissue Research. 

            (a) For all IRB-approved research where informed consent will be obtained, the IRB will require the investigator to obtain a HIPAA Research Authorization as in paragraph 1, above. 

            (b) If the IRB has waived informed consent, the IRB will refer the investigator to the HIPAA Privacy Officer to enter into a Data Use Agreement unless the IRB grants a Waiver of the HIPAA Research Authorization in accord with the applicable procedure, or determines that a HIPAA Research Authorization must be obtained in accord with paragraph 1, above. 

4.         IRB Waiver (or Partial Waiver) of the HIPAA Authorization.  Follow the applicable procedure and make the finding available to the investigator by completing the document in Appendix B.

5.            Subject Recruiting and Records Review Preparatory to Research.  Follow the applicable procedure.

6.            Transition Rule for Protocols Already in Progress.  Follow the applicable procedure.

 

Appendices

The following appendices are documents to be used in these Policies and Procedures:

·        Appendix A—Authorization to Use and Disclose Protected Health Information for Research Purposes

·        Appendix B—Documentation of Alteration to or Waiver of Authorization to Use or Disclose Protected Health Information for Research Purposes

·        Appendix C—Investigator Certification for Reviews Preparatory to Research

·        Appendix D—Record of Disclosure of Protected Health Information

 

 

HIPAA PRIVACY PROCEDURES

              RESEARCH

 

 

IRB Waiver of the HIPAA Authorization

 

 

SUBJECT:              Waiver of Authorization to Use and Disclose

            Protected Health Information

 

POLICY STATEMENT:  The IRB will consider possible waiver of HIPAA Research Authorization only if (a) the research is exempt research or the IRB already has granted a waiver of informed consent for non-exempt research, and (b) entry into a Data Use Agreement with Howard University is not feasible for conducting the research.  A decision to waive the HIPAA Research Authorization requirement will be made independently and only after the IRB decision has been made regarding waiver of the Common Rule requirement of informed consent to participate in research. 

IRB waivers of HIPAA Research Authorization impose considerably greater record keeping requirements on Howard University than research where the patient signs a HIPAA Research Authorization or research that uses only a Limited Data Set under a Data Use Agreement.  Therefore, when an investigator requests a waiver of HIPAA Research Authorization to conduct research analyzing existing medical records of Howard University, the IRB will consider whether use of a Limited Data Set with a data use agreement may be sufficient for the research purpose.  Even where informed consent will be waived under the Common Rule, a data use agreement is preferable to a waiver of HIPAA Research Authorization for purposes of the Privacy Rule, as the latter is more protective of patient privacy and does not require an accounting of disclosures by Howard University. 

PROCEDURES FOR IMPLEMENTATION:  The IRB will review and approve or disapprove requests for waiver of the HIPAA Research Authorization, in whole or in part, in accord with its regular procedures, which may be under expedited review.  The decision regarding waiver of the HIPAA Research Authorization may be at the same IRB meeting or session where the research risks are reviewed, so long as the HIPAA waiver is considered independently in accord with the applicable criteria, and any deliberation is separately documented in the minutes. 

1.  Is a Limited Data Set Feasible for Conduct of the Research?  

(a) Use of a Limited Data Set under a Data Use Agreement is not appropriate if the researcher requires one or more of the following fields because the rule states that a Limited Data Set may not include any of the following identifiers of a research participant or of a participant’s relatives, household members, or employer(s):

·        names;

·        street address information other than city, state, and zip code;

·        telephone or fax numbers;

·        e-mail, internet, or web addresses;

·        Social Security numbers;

·        medical record or prescription numbers;

·        health plan beneficiary numbers;

·        account numbers;

·        certificate/license numbers;

·        vehicle identifiers or serial numbers;

·        device identifiers[3] or serial numbers;

·        biometric identifiers; or

·        full face photographic or comparable images.