HIPAA & Research Overview for the Privacy Board March 22, 2011 UAMS HIPAA Office Vera M. Chenault, JD
The Privacy Board - YOU HIPAA Privacy Rule establishes the requirements for membership and role of the Privacy Board A Privacy Board is a review body that acts upon requests for a waiver or an alteration of the Authorization requirement under the Privacy Rule for uses and disclosures of PHI for a particular research study. A Privacy Board may waive or alter all or part of the Authorization requirements for a specified research project or protocol. The UAMS Privacy Board is the UAMS Institutional Review Board
HIPAA and Research Four ways HIPAA allows for use to PHI in research: 1. Patient authorization Must comply with HIPAA requirements or Alteration of HIPAA-compliant form must be approved by Privacy Board 2. Waiver granted by Privacy Board Must be documented prior to the research
3. De-identified data May not include any of 18 identifiers of the individual or of relatives, employers, or household members of the individual 4. Limited data set May not include any of 16 identifiers, including name, SSN, street address May include date of birth, date of service, geographic designation other than street address Must have data use agreement in place
1. Patient Authorization Must obtain authorization for each specific research study Authorization may be, but does not have to be, part of informed consent, as long as all elements are present Authorization does not have to be reviewed or approved by IRB or Privacy Board Authorization may not be for future research
1. Patient Authorization Cont d Requirements Description of the information being used Specific identification of persons authorized to disclose the information Specific identification of the persons to whom the covered entity may disclose the information A description of the purpose must be research study specific An expiration date, event of expiration, or specific statement that there is no expiration date Description of the right to revoke the authorization Statement of whether research-related treatment will be conditioned on signing of the authorization
1. Patient Authorization Cont d Requirements cont d Statement that the information may be further disclosed by the recipient Statement that, if the IRB determines that it is appropriate to suspend the subject s right to access their own PHI during the study, access will be restricted until after completion of study Signature of the individual or personal representative (and authority if personal representative) and date
2. Waiver of Authorization To grant a waiver, the Privacy Board must determine that The PHI use or disclosure involves no more than minimal risk to the privacy of individuals based on at least the presence of (1) an adequate plan presented to the Privacy Board to protect PHI identifiers from improper use and disclosure; (2) an adequate plan to destroy those identifiers at the earliest opportunity, consistent with the research, absent a health or research justification for retaining the identifiers or if retention is otherwise required by law; and (3) adequate written assurances that the PHI will not be reused or disclosed to any other person or entity except (a) as required by law, (b) for authorized oversight of the research study, or (c) for other research for which the use or disclosure of the PHI is permitted by the Privacy Rule; The research could not practicably be conducted without the requested waiver or alteration; and The research could not practicably be conducted without access to and use of the PHI.
2. Waiver of Authorization If IRB is considering waiver of Informed Consent and waiver of HIPAA Authorization, must consider these separately However, if patients are asked to sign Informed Consent, probably don t qualify for waiver of HIPAA Authorization This is not a waiver of other HIPAA requirements, only a waiver of the requirement that an Authorization be obtained.
Other Avenues De-identified data Limited data set Reviews preparatory to research Special rule for decedents information
HIPAA Resources UAMS Research/HIPAA page: http://www.uams.edu/irb/hipaa.asp UAMS HIPAA Homepage: http://hipaa.uams.edu/ Includes forms, policies, and other resources UAMS HIPAA Office Jennifer, Research Privacy Officer: 526-7559 Vera Chenault, HIPAA Campus Coordinator: 603-1379 HIPAA Hotline: 614-2187 HIPAA Email: HIPAA@UAMS.EDU