380 likes | 583 Views
The HIPAA Privacy Rule and Research. IRBs and Waiver of Authorization. IRB responsibility under the Privacy Rule includes waiving or altering Authorizations. The Privacy Rule does not require the following from IRBs: Review or approval of Authorization documents
E N D
IRBs and Waiver of Authorization • IRB responsibility under the Privacy Rule includes waiving or altering Authorizations. • The Privacy Rule does not require the following from IRBs: • Review or approval of Authorization documents • Review or approval of recruitment strategy before identifying and/or contacting potential research participants. • Monitoring or follow-up.
Privacy Rule Common Rule/ FDA Regulated Common Rule vs. Privacy Rule Research WITH patient permission Individual authorization IRB review Informed consent
De-identifiedHealth Information • Completely de-identified information (18 elements removed) and no knowledge that remaining information can (alone or in combination with other information) identify the individual. OR • Statistically “de-identified” information where a qualified statistician determines that there is a “very small” risk that the information could be used, alone or in combination with other reasonably available information, to identify the individual and documents the methods and results of the analysis.
Removal of These Identifiers* Makes Information De-identified • Names • Geographic info (including city and ZIP) • Elements of dates (except year), ages over 89 years • Telephone #s • Fax #s • E-mail address • Social Security # • Medical record, prescription #s • Health plan beneficiary #s • Account #s • Certificate/license #s • VIN and Serial #s, license plate #s • Device identifiers, serial #s • Web URLs • IP address #s • Biometric identifiers (finger prints) • Full face, comparable photo images • Unique identifying #s *See 45 CFR 164.514(b)(2)(i) for a complete list. Health information is de-identified if the above identifiers of the individual or of relatives, employers, or household members of the individuals are removed and the covered entity has no actual knowledge that remaining information can be used, alone or in combination with other information, to identify the individual.
De-identificationcont’d • The Privacy Rule's de-identification safe-harbor method is likely more stringent than what has been applied in the past to render information no longer identifiable for research purposes. For example, • Dates • ZIP Codes • Certain “coded” information
Coded Information is Neither PHI nor Private if: Common Rule • The private information or specimens was not collected specifically for the currently proposed research project through an interaction or intervention with living individuals; and • The investigator cannot readily ascertain the identify of the individual(s) because: • The key is destroyed before the research begins; or • An agreement, IRB-approved written policies and procedures, or other legal requirements prohibit release of the key. Privacy Rule • The code is not derived from or related to information about the individual. • The code is not otherwise capable of being translated to identify the individual. • The covered entity does not use or disclose the code for any other purpose, and does not disclose the mechanism for re-identification.
Q&A from Repository/Database Fact Sheet Are an individual's initials considered to be identifiers under the Privacy Rule? Yes, because an individual's name is an identifier and initials are derived from the individual's name, initials are considered identifiers under the Privacy Rule. Thus, for information to be de-identified using the safe harbor method of the Privacy Rule, an individual's initials must be stripped from the information. However, it may be possible for initials to remain as part of de-identified information if the statistical method for de-identification at section 164.514(b)(1) allows it.
Q&A from Repository/Database Fact Sheet A researcher requests data that assigns a code derived from the last four digits of the social security number. This code is necessary to link individual records from different data sources. The data contain none of the other listed HIPAA identifiers at section 164.514(b)(2). Are the data de-identified under the Privacy Rule? No. Under the Privacy Rule, a de-identified data set may not contain unique identifying codes, except for codes that have not been derived from or do not relate to information about the individual and that cannot be translated so as to identify the individual. A code derived from part of a social security number, medical record number, or other identifier would not meet this test.
NEW Guidance on Health ServicesResearch • Key Points • A covered entity's patient list that includes only names and addresses considered is PHIbecause the names are in a context that indicates that the individuals named were patients of the covered entity. • An IRB or Privacy Board may waive the Authorization requirement so that a covered entity may obtain Authorization for research orally.
NEW Guidance on Health ServicesResearch • Key Points • A researcher may access PHI through a remote access connection as a review preparatory to research as long as reasonable and appropriate security safeguards are in place. • If an individual revokes his or her Authorization after PHI is stored in a covered entity's database for a particular research study, a covered entity is permitted to retain and use that individual's PHI for data analysis if necessary to protect the integrity of the research. • See http://privacyruleandresearch.nih.gov/healthservicesprivacy.asp
Enforcement Update As of August 31, 2005 • OCR has received nearly 15,000 complaints • 68% closed; over 230 referred to the Department of Justice • Most frequent complaints concern: • Impermissible use or disclosure; • Lack of adequate safeguards to; • Refusal or failure to provide the individual with access to or a copy of records; • Disclosure of more information than is minimally necessary; • Failure to have the individual’s valid authorization. • Complaints most often filed against: • Private health care practices; • General hospitals; • Pharmacies; • Outpatient facilities; • Outpatient primary care facilities.
Privacy Rule Resources for Researchers NIH Web site http://privacyruleandresearch.nih.gov Office for Civil Rights (OCR) Web site http://www.hhs.gov/hipaaprivacy/research/
Thank You! Lora Kutkat Health Science Policy Analyst National Institutes of Health 301-594-2464 301-402-0280 (fax) KutkatL@od.nih.gov http://privacyruleandresearch.nih.gov http://privacyruleandresearch.nih.gov http://ospp.od.nih.gov/infoquality http://ospp.od.nih.gov/infoquality
Overview • Seeking permission for future unspecified research • Treating collection of PHI for research repositories and access to repositories as separate research activities and combining authorizations for each • Providing genetic samples to researchers
Future unspecified research • HHS has concluded that HIPAA authorization may not seek permission to use or disclose PHI for future unspecified research • HIPAA interpretation conflicts with Common Rule’s permitted scope of informed consent • Suggested solutions to resolve the tug of war with research sponsors on the scope of HIPAA authorizations and informed consent documents
Collection for and use of PHI in repositories • Collection of PHI for inclusion in repository and use of (or disclosure from) the repository are separate research activities that must independently meet HIPAA requirements
Combining authorizations • Generally may use compound authorization, except where one authorization is condition of receiving treatment and one is not • May condition treatment received in clinical trial on signing authorization • NIH concluded that collection of PHI for storage in repository may not be a condition of treatment obtained in a clinical trial • Therefore cannot combine authorization forms for collection and use where treatment provided as part of clinical trial • Suggested solutions?
Providing genetic samples to repositories • Meet HIPAA rules if not de-identified • Genetic samples, tissue and blood not PHI unless accompanied by identifiers • Get IRB approval if “human subject research”– tissues belong to living individuals and: • Tissues collected for purpose of research • Not collected for purposes of the currently proposed research if it is ongoing collection of specimens for a tissue repository not connected to particular protocol • What if know about research in advance, but tissue removed for therapeutic purposes? • or Investigator can ascertain identity of patients (see OHRP guidance on next slide)
OHRP Guidance under Common Rule • Investigator cannot ascertain identity if: • Destroy key to code before research begins; • Investigators and holder of key enter into agreement prohibiting release of key to investigators until individuals are deceased; • Have IRB approve written policies and procedures for a repository or data management center that prohibit the release of the key to investigators until individuals deceased; or • Determine that other legal requirements exist that prohibit release of key to investigators
Before providing tissue without patient consent, don’t forget to consider…. • What do state laws say? • What is agreement with patient? • Does the Conditions of Admission grant the institution the right to determine proper use or disposal of any tissues, parts or fluids, consistent with state and federal law? • Is there potential liability if informed consent not obtained? • Is it ethical? • AMA Code of Ethics: tissue can’t be used for commercial purposes without consent
Thank You! Kristen Rosati Coppersmith Gordon Schermer Owens & Nelson PLC 2800 North Central Avenue, Suite 1000 Phoenix, Arizona 85004 Kristen@cgson.com 602-381-5464
Overview • The use of telephone screening tools prior to authorization and consent • Access to patients from researchers outside the covered entity
Use of Telephone Screening Tools • Potential subjects who respond to advertisements • Researchers want to do extensive screening over the telephone • IRB struggles with sensitive questions and whether or not this meets the “minimal risk to loss of privacy” criterion
Use of Telephone Screening Tools (cont.) • Waivers of consent vs. waiver of authorization • Both standards have to be met • Are we overreacting given the fact that these potential subjects are taking the time and effort to make the call and are willingly sharing information?
Possible Solutions • Use the new guidance from NIH on Health Services Research to implement verbal authorizations and waive written documentation of informed consent • Create guidance documents for telephone screens • Review for minimum necessary requirements
Access to patients outside the researchers covered entity • Researchers don’t have legitimate access to data • Waiver of authorization could be applied but IRB, in deference to the Common Rule, wants to respect privacy such that first contact is from someone known to them • Physicians don’t always have time to facilitate research on another researcher’s behalf
Possible Solutions • Focus on safeguards vs. where the data is located • Document to the IRB the privacy measures being taken even though in the past these may have been taken for granted
Thank You! Shelley Bizila Director, Research Compliance Administration Indiana University-Purdue University, Indianapolis (IUPUI) 620 Union Drive, Room 618 Indianapolis, IN 46202 sbizila@iupui.edu 317-274-8289
AMC Privacy and Security Conference Future of the Common Rule and Its Effect on Privacy and Security
Objectives • To engage you (the audience) in exploring this topic • To learn how your AMC peers see the topic and how their AMCs are handling it • To encourage you to share information about how your AMC is handling the topic
Audience Experience • How is your institution handling the informed consent and HIPAA authorization forms when a sponsor wishes to store tissue or information in a research repository? • Will your IRB approve an informed consent and HIPAA authorization form that are inconsistent on the future use issue?
Audience Experience • Is your institution collecting a completely separate HIPAA authorization for storage of tissue or data in a research repository? • Are clinical research participants being allowed to participate in clinical trials even if they do sign the research repository HIPAA authorization?
Audience Experience • How is your institution handling telephone calls about research prior to any notice of privacy practices being given or prior to authorization and consent? • Is your IRB making use of verbal authorizations?
Instant Poll Rules • Facilitator’s role: • Ask audience members and panelist to shut their eyes (to promote more honest voting) • Ask for a show of hands for each item to be voted on. • Audience role: • Vote as you see fit. • Voting is anonymous. • Follow-up questions may ask voters to describe why they voted as they did, if they are comfortable doing so.
Session Feedback Poll • This session did a good job of engaging the panelists and the audience on the topic. 1 - Strongly Disagree ___ 2 - Disagree ___ 3 - Neither agree not disagree ___ 4 – Agree ____ 5 - Strongly agree ____