Authorization and Waiver Frequently Asked Questions

Q. I obtain databases (of blood chemistry levels) from the Monroe County Health Department (MCHD) that I use to identify potential subjects for my studies. Do I need a waiver before I review MCHD records?

A. The example demonstrates the difference between internal 'use' and external 'disclosure' - as you have indicated, getting information from MCHD would be a disclosure by them to you. To access this information, you would either need to give MCHD a representation that the activities are preparatory to research, or you would need a waiver from MCHD. So the question becomes how can this take place under HIPAA? Probably the easiest approach would be to go to MCHD, write down who is eligible, and give it to someone at MCHD who would mail out letters from them inviting participation in your study (no disclosure of PHI takes place in any step). This would be covered under activities Preparatory to Research, so MCHD wouldn't have to do anything for HIPAA and UR would just have to approve the recruitment method per the usual IRB review. You could also have a co-investigator at MCHD who could do this, but then they would need to file the study with the MCHD IRB and get approval (again it would be allowable as Preparatory to Research).

Q. For an industry sponsored clinical trial, should the central laboratory that will be used for study specimen analysis and ECG reading (i.e., CRO) be listed specifically in the authorization section of the consent?

A. Yes. Knowing that sponsors do change CROs, however, you could say "a central laboratory that will be used for study specimen analysis and ECG reading (e.g., CRO Name)"; that way both the category of persons for disclosures are covered as well as the specifics.

Q. I am a resident (fellow) of UR and would like to review medical records at the hospital at which I am assigned. I am not employed by that hospital, so I am not part of the hospital's Covered Entity. How can I do this research under HIPAA?

A. There are two ways to do the research under HIPAA. If you need identified data to do the research, you would have to apply to the hospital IRB/Privacy Board for a HIPAA waiver. This would require meeting the requirements for a waiver of authorization. If granted, your research review/extraction would be considered a disclosure under HIPAA and the hospital would need to track whose records you accessed (you would have to comply with the hospital's policy on tracking). If, however, you only need de-identified data (data that does not include any of the 18 HIPAA identifiers) to do the research, you would need someone who is a hospital employee to de-identify the data for you (i.e., record the information you need). Release of de-identified data does not require authorization, waiver or tracking. A variation on this is the limited data set, which allows dates and city/state to be included. If you need these items of information, you would also have to sign a data use agreement with the hospital before they could release the data. The difficulty, of course, in either of these routes is finding someone at the other facility who can/will do the de-identification or generate the limited data set. (Note: UR review requirements for human subjects research would also need to be satisfied.)

Q. I'm revising our consent form to include the new HIPAA language. Would the regulations permit revising the second and third paragraphs to eliminate similar statements? Also, the last paragraph is indeed stated in Voluntary Participation. Can it be deleted?

A. The authorization wording has been established so investigators don't have to be HIPAA experts to develop a form. The second paragraph states what information you will use; the third paragraph states how you will use it. All statements are required, but the exact details will have to be modified to match the specific study.

Q. If HIPAA Authorization is needed for a particular study that has both a consent and assent form, the HIPAA Authorization does not need to be added to the assent form, right?

A. Correct. Section 164.502(g)(1) and (3) says that the parent is a personal representative and can sign the authorization for the minor. (Note: 164.502(g)(5) allows exceptions for abuse and endangerment situations.)

Q. How are investigators supposed to verify the representative's authority to sign the authorization / consent?

A. This is addressed in URMC/SH HIPAA Policy 0P27. Procedures are not significantly different from what is current common practice. (Note: the study must have IRB approval for the use of a representative.)

Q. I have been approved to use verbal consent without documentation of subject signature for my telephone survey on health status. What do I need to do for HIPAA?

A. The regulations allow an IRB or Privacy Board to grant a waiver from authorization or an alteration of authorization. Not getting a signature would be an alteration of the core elements of the authorization. Waivers and alterations necessitate meeting the appropriate requirements. In the case of waiver of documentation, the investigator would have to describe how obtaining signatures would not be practicable, and how it would not jeopardize subject privacy rights.

Q. The HIPAA Authorization says that, "Other people may need to see the information. While they normally protect the privacy of the information, they may not be required to do so by law." Why would parties we share information with not be required to follow the same rules of confidentiality?

A. HIPAA applies to health care providers and health plans. Sponsors are usually neither of these, so the privacy protections under HIPAA don't apply to them. Likewise, federal agencies such as FDA don't have to comply. Thus, we cannot promise equivalent protections.

Q. The HIPAA Authorization says that, "The information collected during your participation will be kept indefinitely." Isn't there a minimum limit of time when it can then be destroyed?

A. If you will destroy records/data at a definite point, you can/should say so, but for FDA studies and other clinical research that time point is hard to fix. If you do put a time in the authorization, the data must be destroyed then or you would be in violation of the regulations.

Q. In the authorization, do we need to list people or organizations that will look at the subject's data, but will never receive information on the subject's name? In other words, a subject number will be used for certain people or organizations to identify the subject's data, but they will not receive any other identifying information about the subject. Do we need to list people who will not receive identifying information on the subjects?

A. If none of the 18 identifiers (note: this includes all dates) specified in the regulation are included in the data, then you would not need to list these people because they would be receiving de-identified data. If any of the 18 identifiers are included, then you will have to list them.

Q. We are required to list people or organizations that will look at the subjects' data in the authorization section. Would listing Department of Psychiatry, Department of Biostatistics, Laboratory Services, etc. be enough? How specific should it be?

A. The federal agencies have not given guidance on the specificity needed. A statement as you suggest would cover the individuals in those departments, but as you indicate, this may be too broad. Saying the 'Department of Psychiatry' and similar broad groups may seem intimidating to subjects. It may be more appropriate to say which types of individuals might see the information, e.g., statisticians in the 'Department of Biostatistics', co-investigators in the 'Department of Psychiatry', etc.

Q. What do I do about listing the sponsor of the study in the authorization if the study hasn't been funded yet, but the research might eventually be funded by a number of different organizations? Do I list all potential funders? I won't have individuals' names for them, so is it okay to list just the organization? And the sponsors could change after the study is begun using other pilot funds. So is there a chance after some subjects have been enrolled to modify the consent form to include new sponsors, and can one in that case keep the original subjects in the study?

A. Assuming the study will be started with departmental or pilot funds, you could state future sponsors of the research, for example X, Y, Z.

Q. I intend to get a DHHS certificate of confidentiality for the study. Other than just more language for people to read, are there any implications for the HIPAA authorization process for having that language in there, i.e., does it obviate the need for any of the HIPAA language?

A. No. The certificate of confidentiality does not impact HIPAA other than to be able to say places that the data won't go.

Q. If the study does not involve any medical treatment, or no drug treatment, does one need to specify the FDA in the authorization?

A. No. FDA would only be listed for FDA-regulated studies.

Q. What are examples of organizations and/or persons who may need to see the PHI, but are not covered under HIPAA?

A. Organizations that don't give health care are not covered, for example, pharmaceutical / device companies, statistical centers, FDA, NIH (the funding part - not the clinical center), CROs, research labs, etc.

Q. How do the investigators report DSMBs in the authorization for HIPAA? Do they list the individual people or should they list the individual sites where the members reside? How specific should they be in regards to the DSMB?

A. Just listing the title of the DSMB and perhaps what their role is should be adequate; listing the names would cause difficulty when/if people changed and does not provide any additional useful information. The DSMB is an agent of the sponsor, so the authorization could also say "the XYZ company's DSMB."

Q. Do we need a waiver to enroll people who cannot give their own consent, for example in the Emergency Room?

A. The HIPAA regulations, like the human subject regulations, allow a legally authorized representative (LAR) to sign another person up for research. Both regulations say that the definition of who qualifies as an LAR is up to state law. The NY statutes don't specify who is authorized for research, but they do provide for someone other than the person to sign. The federal regulators for the human research regulations have said that in this case, the institution can define who meets this standard under the state regulations. HIPAA does not change that. So those who have signed in the past should be able to sign in the future. (Of course, using LARs for research requires approval by the IRB and must be allowable under the protocol.) HIPAA does require that the relationship be stated on the consent form in addition to the name and date.

Q. MUST a participant write to the study investigator to withdraw authorization? This may not be appropriate/feasible for a resident in a long term care facility.

A. The URMC/SH policy does require the withdrawal of an authorization to be in writing. Someone else could write the withdrawal request and the subject could sign it. Of course, the subject could always withdraw from the study, which would cancel the HIPAA authorization too.

Q. What is the Strong Health HIPAA Notice that a participant might ask the investigator for? (Referenced in third paragraph of the authorization wording.) I have never seen one.

A. The Notice is shorthand for Notice of Privacy Practices. It is a document that each health care provider/facility must provide that explains the uses and protections of health information and outlines patients' rights under the HIPAA regulations. It only needs to be given at the initial contact with the facility, so most times research subjects will already have received one. The URMC/SH Notice is posted on the URMC web page. You can download it from there, and it will be available at patient registration desks as well.

Q. The authorization template references Strong Health and URMC. What if I am at the River Campus and am not part of Strong Health?

A. As long as you are not getting health information from any URMC/SH facilities or any other HIPAA Covered Entity, you are exempt from HIPAA requirements.

Q. I am in a River Campus Department and would like to access identifiable health information from URMC. What do I need to do for HIPAA?

A. Under HIPAA this is a disclosure of information from a Covered Entity (URMC) to a non-covered entity (RC). You will be able to access this information only through one of the approved methods (de-identification, limited data set, representation, waiver, and authorization). You would need to satisfy the HIPAA requirements for the covered entity.

Q. We conduct research at several local nursing homes; two of them are part of Strong Health. For the two nursing homes that are part of Strong Health, we see that we need that sentence. But for those nursing homes that are covered by some other entity than Strong Health, can we replace that sentence with this: "If you haven't received a copy of your nursing home's HIPAA Notice, please ask the investigator for one."

A. Yes, if you have non-URMC/SH facilities involved, patients/subjects must receive that facility's Notice of Privacy Practices.

Q. I do retrospective studies. How does HIPAA affect me?

A. The HIPAA privacy regulations do allow for waiver of authorization in certain circumstances. These criteria are essentially the same as the human subject protection criteria, but are focused on privacy protections. When requesting a waiver of consent or an exemption through the RSRB, the additional HIPAA considerations that appear on the application form must be answered. Often, the most difficult question to address is how the research cannot be done without the waiver. If you are conducting the data anonymously and none of the 18 HIPAA identifiers is in your data, the research is most likely exempt and HIPAA would not apply.

Q. My research has been approved with a waiver of consent and HIPAA authorization. Do I need to track disclosures?

A. Yes. Disclosures (release of information outside URMC/SH) of PHI made without authorization require tracking. Tracking is intended to allow patients/subjects to obtain an accounting of all disclosures made in the past 6 years.

Q. I get consent with authorization from subjects. Do I need to track disclosures?

A. No. Only disclosures (release of information outside URMC/SH) made under a waiver or under representations (reviews preparatory to research or decedent research) require tracking. Subjects have given their authorizations for the disclosures in the consent process, so they are already informed about them.

Q. We are involved in a multi-institutional study. There are several sites across the country that are involved in this study (we are not the primary site), and even though the principal investigators are identified, and the data manager is identified, how far do I go to ascertain all possible parties that receive information?

A. You should be able to get help from the coordinating center regarding what to put in the HIPAA authorization. HIPAA does say that all parties must be listed. Contacting the lead center also allows them to better coordinate what information is presented in consents across the study sites.

Q. I'm revising our consent form to include a list of people and organizations that will look at the subjects' data. Do all these people/organizations need Business Associate agreements too? Do sponsors need them?

A. A Business Associate is an entity/person who obtains PHI while acting on behalf of a covered entity (e.g., URMC/SH) to perform certain services. Most of the entities in a research project do not perform activities that require HIPAA Business Associate Agreements. The following are examples of persons/entities who are not business associates: outside researchers (collaborators); coordinating centers; statistical centers; and data monitoring committees/boards. The following are examples of persons/entities who are business associates: data storage facilities; third party recruiters providing screening services. When needed, Purchasing takes care of negotiating business associate agreements as part of the contracting process. Likewise, sponsors are not performing as agents of URMC/SH (in fact, the opposite is more the case). The contract between the sponsor and the University generally takes into account HIPAA-related issues (privacy and confidentiality).

Q. Before April 14, 2003 my research was approved with a waiver of consent. I know that the waiver approval carries forward for activities after April 14, but do I need to track disclosures?

A. Yes. Disclosures (release of information outside URMC/SH) of PHI made without authorization require tracking. Tracking is intended to allow patients/subjects to obtain an accounting of all disclosures made after April 14, 2003 (for up to 6 years).

Q. I note on the web that the Office of Civil Rights (OCR) has a letter out that says IRBs do not have to review authorizations. Is that correct?

A. The policy of the University of Rochester requires all HIPAA authorizations to be reviewed. This is true for both separate forms as well as authorization wording that is incorporated into consent forms. The OCR letter correctly states that the HIPAA Privacy Rule does not specifically require institutional approval of authorizations; however, it is the long-standing policy of the University to require IRB review and approval of any information intended to be given to subjects and potential subjects. This review also helps ensure that authorizations meet all the requirements of the HIPAA Privacy Rule and thus maintain their validity.

Q. I went to a conference and it seemed that they were saying that sponsor monitor reviews are to be tracked even if no information is removed. I thought that as long as the patient signed the consent that included the monitor as a covered entity that this was not considered a disclosure. Could you clarify this?

A. You are correct that if a subject has signed a consent form with the HIPAA authorization included (or a separate authorization form was signed) and the authorization wording indicated that a disclosure to the sponsor/monitor would be made, then tracking is not required because permission has been given. Disclosures without permission do have to be tracked. Waivers and reviews preparatory to research fall into that category. If the sponsor monitor is looking at 'screening logs' that have PHI from persons who are not enrolled in the study, e.g., they did not meet eligibility requirements (sometimes called 'screening failures'), then tracking would be required. This is because these patients would not have become subjects with signed consent / authorization (and permission for disclosures to monitor), so disclosures of PHI about them - even if the information is not taken by the monitor - would require an accounting. Most sites avoid this by only showing the monitor de-identified data.

Q. At the same conference, it was mentioned that the Waiver or review preparatory to research document is considered a disclosure as well. I thought that this would be considered "use" because it was a covered entity. Could you clarify?

A. As you indicated, under HIPAA, when PHI is accessed, it falls into one of two categories - 'use' or 'disclosure.' In its simplest description, a 'use' is when the PHI is accessed by someone within the covered entity (Strong Health/URMC); a 'disclosure' is when the PHI is accessed by someone outside the covered entity - that is, not included in the defined parts/organizational structure of the covered entity. Only disclosures that are made without permission are trackable / accountable. Uses of PHI by the covered entity are not required to be tracked for accounting purposes. So if you have a waiver or do a preparatory to research activity and all you do falls under use, no tracking is needed. If, however, you do any disclosure under that waiver or preparatory activity, then that would have to be tracked.