1 / 26

HIPAA and Research

HIPAA and Research. Basics for IRB Tim Atkinson Director, Research and Sponsored Programs Director, Institutional Review Board Research Privacy Officer. HIPAA and Research. Historically, the protection of human subjects in research has been presented as the responsibility of . . . PI

Download Presentation

HIPAA and Research

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. HIPAA and Research Basics for IRB Tim Atkinson Director, Research and Sponsored Programs Director, Institutional Review Board Research Privacy Officer

  2. HIPAA and Research Historically, the protection of human subjects in research has been presented as the responsibility of . . . PI Institution IRB

  3. HIPAA and Research Also know as the . . . TRIPOD … of human subjects protection. Kick one leg out, the whole thing falls down.

  4. HIPAA and Research And OHRP shows up and makes us fix the leg to prop it back up . . .

  5. HIPAA and Research Or they make us get a new stool entirely . . .

  6. HIPAA and Research And informed consent has been somewhat taken for granted….

  7. HIPAA and Research . . . as the subject layer of protection.

  8. HIPAA and Research The subject is responsible for his or her own protection by means of effective informed consent. We reveal what will happen, and the subject decides yes or no to participate.

  9. HIPAA and Research And now, introducing . . . SUBJECT AUTHORIZATION Yet another opportunity for us to respect the subjects rights when we use their information for research.

  10. HIPAA and Research • RESEARCH ON THE DECEASED: • It is the policy of UAMS that investigators must certify in writing the following three elements when seeking information from RECORDS about the deceased: • (1) Seeks use and disclosure of PHI from RECORDS just for research on deceased individuals • (2) Will provide proof of death if RECORDS requests it, and • (3) That the PHI sought from RECORDS is solely for research and nothing else. For these purposes, PIs will sign a form with these certifications on it.

  11. HIPAA and Research • Reviews Prepatory to Resarch : Investigators must certify in writing the following three elements • (1) The PI seeks use and disclosure of PHI from RECORDS solely to review such information as necessary to prepare a research protocol or similar purposes prepatory to research • (2) PI shall not remove any PHI from RECORDS in the course of review (and will only collect de-identified data), and • (3) the PHI from RECORDS is necessary for research purposes. For these purposes, PI’s must fill out FORM E, as attached, and submit it to UAMS Medical Records before UAMS Medical Records can release the PHI to the ust ainvestigator. RECORDS mccount for these disclosures.

  12. HIPAA and Research • HIPAA Research Authorization Vs. Informed Consent for Research • After April 14, 2003, all research projects that use or create PHI will require subjects to sign the usual IRB approved informed consent to participate in a research project form AND an patient authorization. The IRB will look for the usual informed consent AND the additional HIPAA Research Authorization as criteria for granting final approval for a research project. After April 14, 2003, if authorization is not included on projects using or creating PHI, then the IRB will cite this as a minor revision prior to granting final approval.

  13. HIPAA and Research • Grandfathering HIPAA Research Authorization • Subjects consented prior to April 14, 2003 under projects already approved by the IRB do NOT have to sign authorization.

  14. HIPAA and Research To Request a waiver of authorization from the IRB the PI MUST: (1) Provide a brief description of the PHI. (2) Use the following methods to ensure minimal risk to privacy of individuals: (a) Describe an adequate plan to protect the identifiers from improper use or disclosure. (b) Describe an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of research, unless there is a health or research justification for retaining the identifiers or retentions is required by law. (c) Assure the IRB in writing that the PHI will not be re-used or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research as permitted by the HIPAA regulations.

  15. HIPAA and Research If the IRB grants the waiver the letter must state: • Name of the IRB and the FWA assurance number. • Date of action • A statement that the IRB determined that the waiver satisfies all the criteria listed above. • A brief description of the PHI for which use and disclosure has been determined to be necessary for research by the IRB. (Provided by the PI above). • The type of review administered under the common rule (expedited, full) • Signature of the chair or designee.

  16. HIPAA and Research HIPAA Research Authorization NOT required when data set is de-identified Refer to UAMS De-Identification Policy to determine proper de-identification methods. Properly de-identified data would fall outside this policy.

  17. HIPAA and Research HIPAA Research Authorization is NOT required if the PI or PD uses a Limited Data Set and Signs a Limited Data Set Agreement. The limited data set shall exclude the following identifiers: • Name • Street address • Telephone and fax numbers • Email addresses • Social Security number • Certifcate/License number • URLS and IP addresses • Full face photos and comparable images

  18. HIPAA and Research Limited Data set CAN have: • Admission date • Discharge date • Service dates • Date of death • Age (including 90 or over) • Five digit zip code

  19. HIPAA and Research Research on existing databases • Existing research databases must already have IRB approval. All new uses of existing databases, not yet approved by the IRB, must be submitted to the IRB for approval before the new use is started. The PI should approach the research using any of the above methods described under the previously described procedures.

  20. HIPAA and Research Collecting PHI for the sole purpose of creating a research database. • In order to collect PHI from RECORDS to create a database or to create a database using PHI during the course of treatment for the purpose of research, the PI must seek patient authorizations or seek a waiver of authorization from the IRB as previously described.

  21. HIPAA and Research Recruitment for Research under HIPAA. What’s been said: • Researchers, physicians and investigators may not retrieve names from RECORDS to contact subjects without subject authorization or waiver of authorization as described.

  22. HIPAA and Research Important NOTES: • PI is responsible for research records (use and disclosure) where no medical record exists. • ORSP will be responsible for limited data set agreements in conjunction with UA legal.

  23. HIPAA and Research (1)Are you using protected health information defined by HIPAA? No. HIPAA satisfied. Yes. Goto Next Slide

  24. HIPAA and Research (2)Are you using de-identified subject data? Yes: HIPAA satisfied No: Goto Next Slide

  25. HIPAA and Research (3) Are you using a limited data set as defined by HIPAA? Yes: A limited data set agreement is required prior to final IRB approval. If the limited data set agreement is not attached to the IRB submission, the IRB will cite you one minor revision. HIPAA Satisfied No: Goto Next Slide

  26. HIPAA and Research (4) Additional HIPAA Subject Authorization Required. Please attach it in the documents section. The IRB will cite you one minor revision this form is not included during IRB review. HIPAA satisfied.

More Related