LifeBridge Health HIPAA Policy 4 Uses of Protected Health Information for Research This Policy contains the following Sections: I. Policy II. III. IV. Definitions Applicability Procedures A. Individual Authorization B. Waiver of Authorization with IRB Approval C. Other Uses Without Patient Authorization D. Use of De-identified Information E. Limited Data Sets and Data Use Agreements F. Accounting for Disclosures G. Transition H. Access to Databases created for Non-research Purposes I. Compliance V. Forms - Appendix A. HIPAA Authorization Form Instructions B. Request for Waiver of Authorization C. Request for Access to PHI Preparatory to Research D. Request for Access to PHI of Decedents
I. POLICY LifeBridge Health protects the confidentiality and privacy of protected health information ( PHI ) used in research by following federal regulations, professional ethics, and Institutional Review Board (IRB) policies and procedures. The Federal Privacy Rules (45 CFR 160 and 164) are intended to build on existing Federal regulations that address research, including the Common Rule and Food and Drug Administration (FDA) regulations. The Privacy Rules allow research participants to have more information about how their health information may be used for research than currently allowed by existing laws. The rules apply to any protected health information (PHI) obtained for research purposes and does not make a distinction between research that involves treatment and research that does not involve treatment. II. DEFINITIONS INSTITUTIONAL REVIEW BOARD (IRB): An oversight board appointed by LifeBridge Health to protect the rights and welfare of human subjects who take part in research and to ensure that all research activities are conducted in compliance with federal regulations and organizational policies. PROTECTED HEALTH INFORMATION: Individually identifiable health information transmitted or maintained in any form or medium, including oral, written, and electronic. Individually identifiable health information relates to an individual s health status or condition, furnishing health services to an individual or paying or administering health care benefits to an individual. Information is considered protected health information where there is a reasonable basis to believe the information can be used to identify an individual. THE COMMON RULE: Code of Federal Regulations for Protection of Human Subjects (45 CFR Part 46 Subpart A). III. APPLICABILITY A. Use and Disclosure of Protected Health Information In order to use or disclose individually identifiable information on subjects or prospective subjects in a research study, all researchers who intend to conduct clinical research at or within LifeBridge Health or a LifeBridge Health entity ( LifeBridge Health ) or request access to protected health information held by LifeBridge Health for research purposes, or who use a LifeBridge Health entity to carry out orders for services or procedures that are required under a research protocol, are required to either: 1. Obtain individual authorization for use or disclosure of such PHI (per the provisions of 45 CFR 164.508), or 2
2. Obtain a waiver of authorization granted by the LIFEBRIDGE HEALTH IRB (as provided for in 45 CFR 154.512(i)(1)(i)), or 3. Use de-identified information (as per 45 CFR 164.502(d) or 164.514 (a-c)), or 4. Use information from a limited data set under a data use agreement with LifeBridge Health. IV. PROCEDURES A. Individual Authorization 1. Any researcher who proposes to conduct a clinical research study within LifeBridge Health is required to prepare (and to individualize for the particular study) an Individual Authorization Form (see HIPAA Authorization Form Instructions and accompanying forms on LifeBridge Health HIPAA intranet site, under IRB/ Research Materials) for all prospective research subjects to sign. 2. The Individual Authorization form may be used as a stand-alone form (for example, for a records review study), or as a supplement to the standard patient consent form for participation in the study (for example, for a prospective clinical trial). 3. Obtaining the HIPAA research authorizations shall be in addition to obtaining the written informed consent of research subjects using the IRB-approved informed consent document. 4. The researcher is directly responsible for assuring that the appropriate relevant information is provided to the subjects in his/her study. 5. The LifeBridge Health template form is provided to the Principal Investigator (PI) by the IRB for use in assuring HIPAA compliance. The PI is responsible for customizing this template for the individual study and, just as obtaining informed consent for participation in research is a process, so is obtaining individual authorization for the use or disclosure of PHI. The PI is responsible for explaining the content of the PHI use/disclosure authorization form to all prospective research subjects before or at the time of study enrollment. 6. It is the investigator s responsibility to include in the Authorization Form all elements required by the regulations. The LifeBridge Health IRB will, as a courtesy to investigators, review sample Individual Authorization Forms for each new or ongoing research protocols to check that the elements required by the regulations are included. IRB approval is NOT required before Authorization Forms can be used. 7. The Individual Authorization may be inserted into the informed consent document for participation in the research study, at the investigator or sponsor s 3
discretion. IRB review and approval IS required prior to use of consent forms containing the Privacy Authorization, as per standard IRB procedures for review of informed consent documents.. 8. If a research subject refuses to sign the Individual Authorization Form for Use or Disclosure of PHI, the individual may not be enrolled in the clinical study. 9 The Individual Authorization form may have an indefinite term, or may expire at termination of the study. 10. The PI must maintain the signed Individual Authorization Form for a period of no less than six years (or longer if required by applicable law or LifeBridge Health policy), and must make a copy available to authorities upon request. B. Waiver of Authorization with IRB Approval 1. In limited circumstances, the LifeBridge Health IRB may grant to the PI a Waiver of Authorization (for example, for a records review study when it is not possible to either obtain individual authorization or to use de-identified information). A PI should submit a Request for Waiver of Authorization form to the LifeBridge Health IRB. For a waiver to be granted, all of the following three criteria must be satisfied: The use or disclosure of the information would pose no more than a minimal risk to the individual s privacy. This requires the PI to provide: o A plan to protect the individuals from improper use or disclosure of the PHI, o A plan to destroy the identifiers at the earliest possible opportunity, and o Written assurance that the PHI will not be reused or disclosed except as required by law, Evidence that the research could not practicably be conducted without the waiver, and Evidence that the research could not practicably be conducted without access to and use of the PHI. 2. The LifeBridge Health IRB approval may be granted through a normal or an expedited review process, and requires the signature of the Chairperson or designee. 3. When a waiver of authorization is granted, the LifeBridge Health IRB will issue a letter describing the specific PHI to be used or disclosed, documenting the date of approval and noting whether an expedited or regular review was performed, and 4
documenting that the above criteria were satisfied, signed by the LifeBridge Health IRB Chairperson or designee. 4. The IRB Approval Letter must be presented to the Medical Records Custodian by the investigator or designee prior to beginning any review of the medical records for the study. C. Other Uses Without Patient Authorization LifeBridge Health may use or disclose PHI for research without authorization of the patient in either of the following circumstances: 1. Preparatory to Research: A LifeBridge Health medical records custodian may grant a researcher access to obtain PHI from medical records that is solely to be used for the purpose of planning a research study, or assessing the feasibility of a research study. Examples would include retrospective reviews of medical records for generation of a hypothesis for a prospective research study, or to evaluate whether a large enough sample of patients with a particular condition are seen in an investigator s practice to warrant a prospective study. A letter (See form Request for Access to PHI Preparatory to Research ) must be submitted to the respective medical records custodian prior to embarking upon activities that are preparatory to research. The letter must include the following elements: a. The purpose of the proposed review of medical records b. The specific PHI that are necessary to be used in performing the records review (i.e. patient names, address or zip code, age, gender, diagnosis, results of diagnostic tests or physical exams, etc.), and c. Each of the following attestations: 1. No PHI shall be recorded for the purpose of research during this preparatory review; 2. No PHI shall be removed from the provider entity (medical records department) 3. The PHI for which access is sought is necessary for the research purpose, (i.e. the research preparation cannot be performed without use of the PHI), and 4. The PHI being reviewed shall be limited to the minimum necessary for the research preparations (i.e. if phone numbers and SSN are not necessary for the research preparations, that information should not be used). 2. Research on Decedents. A LifeBridge Health medical records custodian may grant a researcher access to obtain PHI from medical records that is solely to be used 5
for the purpose of research on the protected health information of decedents. A letter (See form Request for Access to PHI of Decedents ) must be submitted to the respective medical records custodian prior to the review of any medical records for the research. The letter must include the following elements: a Representation that the use or disclosure sought is solely for research on the protected health information of decedents; b. Documentation, if requested, of the death of such individuals; and, c. Representation that the protected health information is necessary for the research purposes. D. Use of De-identified Information 1. For research studies that involve only the collection and analysis of existing PHI held by a LifeBridge Health entity (e.g. retrospective medical records review only), a PI may access such information for research purposes without either the authorization of the patient or a waiver from the IRB if the PHI has been de-identified by the medical records custodian prior to use by the investigator. 2. De-identification (in accord with 45 CFR 164.502(d) and 164.514(a-c) of the Privacy Rule) means that the research subjects cannot be identified (by the researcher or others) directly or indirectly through identifiers linked to the subjects. a. Identifiers that must be removed include: Names; Address, including street address, city, county, zip code; Names of relatives and employers; All element of dates (except year), including date of birth, admission date, discharge date, date of death; and all ages over 89 and all elements of dates including year indicative of such age except that such ages and elements may be aggregated into a single category of age 90 or older; Telephone numbers; Fax numbers; E-mail addresses; Social Security Number (SSN); Medical record number; Health beneficiary plan number; Account numbers; Certificate/License Number; Vehicle identifiers, including license plate numbers; Medical device ID and serial number; 6
Uniform Resource Locator (URL); Identifier Protocol (IP) addresses; Biometric identifiers (such as fingerprints, retinal scans, etc.); Full face photographic images and other comparable images; Any other unique identifying number characteristic or code. 3. The respective LifeBridge Health medical records custodian shall be responsible for de-identifying PHI, subject to LifeBridge health policies, prior to providing such information to the PI. 4. Use of de-identified information by the PI is not subject to the Privacy Regulations and does not require the approval of the IRB. E. Limited Data Sets and Data Use Agreements LifeBridge Health may use a limited data set of patient health information and enter into a data use agreement with recipients of the limited data set to protect the confidentiality of the individual and to allow LifeBridge Health to use or disclose such information for research, public health, or health care operations without the individual s authorization. Any disclosure or request for a limited data set must adhere to the minimum necessary requirements of the federal privacy regulations. A limited data set may include the following identifiable information: Admission, discharge and service dates; of death; Age (including age 90 or over); Five digit zip code or any other geographic subdivision such as state, county, city, precinct, and their equivalent geocodes; or, of birth. A limited data set must exclude: Names; Postal address information, other than town or city, state and zip code; Telephone numbers; Fax numbers; Electronic mail addresses; Social Security numbers; Medical record numbers; Health plan beneficiary numbers; Account numbers; Certificate/license numbers; Vehicle identifiers and serial numbers, including license plate numbers; Medical device identifiers and serial numbers; 7
Web Universal Resource Locators (URLs); Internet Protocol (IP) address numbers; Biometric identifiers, including finger and voice prints; and, Full face photographic images and any comparable images. LifeBridge Health may use or disclose a limited data set only if it obtains satisfactory assurance, in the form of a data use agreement, that the limited data set recipient will only use or disclose the PHI for limited purposes. Those researchers wishing to enter a data use agreement with LifeBridge Health should contact the LifeBridge Health HIPAA Privacy Officer (410-601-9700). The data use agreement will: 1. Establish the permitted uses and disclosures of the information, which may include only research, public health, health care operations, or as otherwise required by law, and does not authorize the limited data set recipient to further disclose the information in a manner that would violate the federal privacy regulations if performed by LifeBridge Health; 2. Provide that the limited data set recipient will: a. Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law; b. Use appropriate safeguards to prevent use of disclosure of the information other than as provided for by the data use agreement; c. Report to LifeBridge Health any use or disclosure of the information not provided for by its data agreement of which it becomes aware; d. Request the minimum amount of information necessary to fulfill the requirement of the request; e. Ensure that any agents, including a subcontractor, to whom it provides the limited data set agrees to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and, f. Not identify the information or contact the individuals. F. Accounting for Disclosures When LifeBridge Health releases PHI for research purposes, each patient whose PHI is released has the right to request and receive from LifeBridge Health an accounting of the disclosures made. Such an accounting must include all research-related disclosures, 8
except those instances when the patient authorized the release or the information was provided was either de-identified or in a limited data set. Each LifeBridge Health medical record custodian is responsible for tracking such disclosures on the LifeBridge Health Accounting for Disclosures of PHI form, and for providing the accountings when requested by patients. If research involves more than 50 patients. If, during the period covered by the accounting, LifeBridge Health has made disclosures of PHI for a particular research purpose for 50 or more individuals, the Privacy Rules provide for a simplified accounting. Contact the LifeBridge HIPAA Privacy officer to discuss this further. G. Transition All research that begins after the compliance date, April 14, 2003, is required to obtain Individual Authorization for the Use or Disclosure of PHI from all participants, or to follow one of the other procedures described in this policy, as applicable. Research studies started prior to the compliance date are able to continue after the compliance date, but the investigator is required to obtain Individual Authorization for the Use or Disclosure of PHI from all participants enrolled after April 14, 2003. without obtaining additional consent. Specifically, LifeBridge Health may use or disclose protected health information for research that is created or received either before or after the compliance date for the Privacy Rules (April 14, 2003), provided that there is no agreed-to restriction, and the PI obtained, prior to the compliance date, from each participant either: 1. An authorization or other express legal permission from an individual to use or disclose protected health information for the research; 2. The informed consent of the individual to participate in the research; or, 3. An IRB waiver of informed consent for the research in accordance with the Common Rule. H. Access to Databases created for Non-research Purposes LifeBridge health recognizes that there are databases containing PHI that reside on personal computers and servers in the various locations in which PIs and other researchers work and see patients. These database files serve a variety of purposes including pure research, pure treatment, or a mixture of both. Databases that are exclusively used for patient treatment are not covered by the HIPAA regulations that relate to research and/or IRB compliance. The PHI in these databases shall not be used for research purposes unless the use is compliant with all of the HIPAA and IRB requirements as previously stated in this policy. 9
I. Compliance If LifeBridge Health knows of a pattern of activity or practice of PI or other researcher that constitutes a material breach or violation of these policies or of the Privacy Rules under HIPAA, LifeBridge Health must take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps are unsuccessful: 1. Discontinue disclosure of protected health information to the recipient; and, 2. Report the problem to LifeBridge Health s Privacy Officer, who will determine if such offense should be reported to the Secretary of the Department of Health and Human Services. 10
Instructions for Individual Authorization Form for Use or Disclosure of Protected Health Information (PHI) for Research Purposes Instructions to Investigators and staff: To use or disclose protected health information with authorization by the research participant, the investigator must obtain an authorization that satisfies the requirements of 45 CFR 164.50(c)(2). The Privacy Rule includes a general set of authorization requirements that apply to all uses and disclosures, including those for research purposes. Those are listed below. The Authorization may be used as a stand-alone document, or may be inserted into the standard informed consent document for the study. Three templates are provided for your use, as follows: Template for Investigator Sponsored Research: Individual Authorization Form for Use or Disclosure of PHI Template for Outside Sponsored Research: Individual Authorization Form for Use or Disclosure of PHI Authorization Section for Use in Standard Informed Consent Document for Research Studies The LBH IRB must review PHI Authorization sections of standard patient consent forms and approve the changes before use of the revised form can be implemented. Submission of Individual Authorization forms is requested by the IRB, but is not required for Authorization Forms prior to use. Individual Authorization forms will be reviewed by the IRB to insure that all required elements are satisfactorily included.. Instructions on the forms appear in italics, and areas to be completed are highlighted. Electronic copies can be obtained from Patty Lohinski at plohinsk@lifebridgehealth.org. Please remove highlighting and complete the information requested in the blanks as applicable to the study. Required Elements for Individual Authorization and Consent Forms All Individual Authorizations and Consent Form sections for Use or Disclosure of Protected Health Information must include all of the following elements: 1 A description of the personal health information to be collected in the study that is to be used or disclosed. 2 Identification of the individual(s) or organizations involved in the study or in activities related to the study who are authorized to use or disclose the information.
3 Identification of individuals organizations involved in the study or in activities related to the study who may receive the information. 4 Description of each purpose of the requested use or disclosure. 5 Signature of the individual and date, or signature of an authorized personal representative. When a personal representative is to sign, a description of the representative s authorization must be attached. 6 Notice to the individual that authorization to use PHI may be revoked or withdrawn at any time by a request made in writing. 7 The potential for information disclosed pursuant to this authorization to be subject to redisclosure by the recipients and no longer may be protected by the Federal Privacy Act. 8 The authorization must be written in plain language. The following two special provisions also apply to research authorizations, as distinct from authorizations for other purposes: 9 Unlike other authorizations, an authorization for a research purpose may state that the authorization does not expire, that there is no expiration date or event, or that the authorization continues until the end of the research study; and 10 An authorization for the use or disclosure of protected health information for research may be combined with a consent to participate in the research, or with any other legal permission related to the research study.
Application for Waiver of Individual Authorization for Use or Disclosure of Protected Health Information (PHI) in a Research Study Please complete and submit this form to the IRB office with a summary of your research proposal at least 2 weeks in advance of the date the research is to begin. You may not initiate the research until you receive a signed IRB approval of the waiver request. Study Title and Number: Principal LBH Investigator: Sub-Investigators: Outside Sponsor or Funding Source (if any): Purpose for Which Waiver is Requested: (i.e. screening by study nurse, or records review by PI) of Application: Please include in the research summary: the type and design of the study, the number of subjects to be enrolled or records to be reviewed, the number of sites, list the objectives or endpoints, all methods or procedures to be used, and list all data to be collected in the study. Please document all of the following (remove and replace highlighted text prior to completion): 1. The proposed uses and disclosures of information involve no more than minimal risk to the individual s privacy, based on the following: An adequate plan to protect the individual from improper use and disclosure of PHI; Insert here what methods will be used to safeguard the PHI from unauthorized access or improper use or disclosure. (Files kept under lock/key or in a restricted area, limited access to investigators/study personnel; personnel trained in Privacy practices). An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or retention is otherwise required by law; Insert here how and when all patient identifiers will be destroyed or cite the applicable justification for retention. (Such as removal of identifiers at end of data collection phase or end of study.)
Insert here I certify that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted and cite the applicable provision, if any. 2. The research could not practicably be conducted without the waiver Insert an explanation of why it is not practicable to obtain individual authorization or to use deidentified information or a limited data set for this research. 3. The research could not practicably be conducted without access to and use of the PHI. Insert an explanation of why access to PHI is necessary for this research. 4. Insert here I acknowledge that it is my duty under Maryland State law not to redisclose patient-identifying PHI that is obtained for research without individual consent, and that such PHI will be used only for purposes of research and will be subject to all other applicable requirements of the IRB. PI Signature Attending Signature (if different from PI) Chief of Service Signature
Request for Use or Disclosure of Protected Health Information (PHI) Preparatory to Research Please complete and submit this form to the LifeBridge Health medical records custodian in those cases where you are requesting access to PHI solely for purposes preparatory to research, pursuant to 45 CFR 164.512(I)(1)(ii). This form must be filed with the medical records custodian prior to any PHI being made available to you. Study Title and Number (if known): Principal Investigator: Sub-Investigators: Outside Sponsor or Funding Source (if any): Purpose for Which Access is Requested: (i.e. screening by study nurse, or records review by PI) of Application: Description of Records/ PHI requested: I hereby certify and attest to the following: No PHI shall be recorded for the purpose of research during this preparatory review No PHI shall be removed from the LifeBridge Health entity (medical records department or other physical location of the PHI) The PHI for which access is sought is necessary for the research purpose, (i.e. the research preparation cannot be performed without use of the PHI), and The PHI being reviewed shall be limited to the minimum necessary for the research preparations (i.e. if phone numbers and SSN are not necessary for the research preparations, that information will not be used). I acknowledge that it is my duty under Maryland State law not to re-disclose patient-identifying PHI that is obtained for research without individual consent, and that such PHI will be used only for purposes of research and will be subject to all other applicable requirements of the IRB. I understand that if the PHI accessed under this certification is to be used for other than preparatory to research, the requirements for individual patient authorization, use of de-identified information, a limited data set, or waiver of authorization will apply, as per the LifeBridge Health HIPAA Policies. PI Signature Attending Signature (if different from PI) Chief of Service Signature
Request for Use or Disclosure of Protected Health Information (PHI) of Decedents Please complete and submit this form to the LifeBridge Health medical records custodian in those cases where you are requesting access to PHI solely for research on decedents, pursuant to 45 CFR 164.512(I)(1)(iii). This form must be filed with the medical records custodian prior to any PHI being made available to you. Study Title and Number (if known): Principal Investigator: Sub-Investigators: Outside Sponsor or Funding Source (if any): Purpose for Which Access is Requested: (i.e. screening by study nurse, or records review by PI) of Application: Description of Records/ PHI requested: I hereby certify and attest to the following: The PHI requested by me is solely for the research on the PHI of decedents; The PHI being sought is necessary for the research to be conducted, and At the request of LifeBridge Health, I will provide documentation of the death of the individuals about whom information is being sought. I acknowledge that it is my duty under Maryland State law not to re-disclose patient-identifying PHI that is obtained for research without individual consent, and that such PHI will be used only for purposes of research and will be subject to all other applicable requirements of the IRB. PI Signature Attending Signature (if different from PI) Chief of Service Signature