Impact of the Privacy Rule. Does not reduce the effect of the Common Rule or FDA regulations. Mandates more protections to ensure privacy of subjects and confidentiality of data. Requires action whenever any PHI is used for research. Definition of
1. HIPAA and the Common Rule Christina Solis, JD
Elisa Fallows, MS
UTHSC-H: Legal Affairs and Institutional Compliance
2004 Mini-Ethics Course
3. Definition of “Research” A systematic investigation …designed to develop or contribute to generalizable knowledge.
45 CFR 46.102(d) and 45 CFR 164.501
4. Definition of “Human Subject” A living individual about whom an investigator … conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information.
45 CFR 46.102(f)
5. Definition of “Human Subject” Operational Change due to Privacy Rule A living individual about whom an investigator … conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information
6. Regarding Research, the Privacy Rule Applies to: Ascertainment of Potential Subjects
Recruitment of Subjects
Consent/Authorization Process
Study Amendments
Data Management
Decedent Research
Reuse of data for another study
7. Research Provisions Covered entities may use and disclose PHI for research:
With individual authorization, or
Without individual authorization under limited circumstances
45 CFR §§ 164.508, 164.512(i)
8. Relationship to other Research Rules The Privacy Rule does not override the Common Rule or FDA’s human subject protection regulations.
9. Ascertainment/Recruitment of Potential Subjects Via Review of PHI
Notification of a Review Preparatory to Research
Description Justifying a Waiver of Authorization
Via Ad
10. If PHI or other identifiable private information is to be recorded during the ascertainment/recruitment process, consent of the potential subject, or IRB approval of a Waiver of Consent, must be obtained.
(DHHS NIH Common Rule Guidance 8/03)
11. Ascertainment/Recruitment – Satisfying Both Rules Via a Review Preparatory to Research
Do not record PHI, or
Record PHI and obtain Common Rule IRB waiver of consent, or
De-identify PHI, then deal with the Common Rule.
If the data now retains a link to subject identity, the Common Rule still applies.
If the data does not retain any identifying link (data anonymized or unlinked), the Common Rule does not apply.
12. Ascertainment/Recruitment – Satisfying Both Rules Via Waiver of Authorization
Do not record PHI – usually not useful or practical, or
Record PHI and obtain IRB Waiver of Consent
De-identify PHI – usually not useful or practical
13. Exception from Requirement for Informed Consent An IRB may waive consent requirement or alter consent element if it finds and documents that:
(1) Research involves no more than minimal risk;
(2) Rights and welfare of subjects will not be adversely affected;
(3) Research could not practicably be carried out without waiver or alteration; and
(4) When appropriate, the subjects will be provided pertinent information after participation.
14. Reducing the Impact Ensure that Information Associated with Data/Samples is Modified so it does not relate to a “Human Subject” and either does not involve PHI or is presented as a limited data/sample set.
15. An Activity does not prompt the Common Rule or Privacy Rule Considerations Requiring IRB Review when:
The activity is not research; OR
The research does not involve a human subject AND
The research does not involve PHI.
16. Examples of how a PI doing research can reduce the impact of the Common Rule and the Privacy Rule Modify information associated with the Data/Samples so the information does not relate to a “Human Subject”, and the information does not involve PHI or PHI is presented as a limited data set.
17. How to modify data/samples so the information does not relate to a “human subject” Anonymize (unlink) the data/samples.
Establish conditions whereby subject identity cannot be readily ascertained.
18. Anonymize (unlink) the data/samples Remove all identifiers or codes that directly or indirectly link a particular data point or sample to an identifiable person.
These data/samples then become irreversibly unlinked from any subject identifiers.
19. Modify Information Associated with the Data/Samples so the Information does not relate to a “Human Subject”, and The INFORMATION DOES NOT INVOLVE PHI or PHI is Presented as a Limited Data Set.
20. Modify Information Associated with the Data/Samples so the information does not involve PHI Remove health information
De-identify data/samples
21. Information is health information when it Relates to one’s physical or mental health or condition; or
Relates to one’s health care; OR
Relates to one’s payment for health care.
45 CFR 160.103
22. Items to Exclude for De-identification 45 CFR 164.514(b)(2)
Names
Addresses
Zip codes
Dates except years
Telephone #s
Fax #s
VIN #s
URLs
Biometric identifiers
E-mail address
SS#
Medical Record #
Health plan beneficiary #s
Account #s
Certificate/license #s
Device ID & serial #s
Full face photo images
Internet protocol address #s
Any other unique identifying #, characteristic or code
23. Modify information associated with the data/samples so the information does not relate to a “human subject”, and the information does not involve PHI or PHI IS PRESENTED AS A LIMITED DATA SET Establish a limited data set with a data/sample use agreement.
Remove direct personal identifiers.
Remove postal address information other than town or city, state or zip code.
Note: Event dates, any age and an identifying code related to the person are permitted.
24. Anonymization vs HIPAA De-identification The only setting where IRB approval of anonymization (unlinking) does not also confer approval of HIPAA de-identification is when the anonymized (unlinked) health information contains an event date more specific than the year, or a geocode more specific than a state or 3 digit zip code, or a subject’s specific age is over 89 years (instead state as 90+ years).
25. HIPAA De-identification vs Anonymization The only setting where IRB approval of HIPAA de-identification does not also confer approval of anonymization (unlinking) is when a code with a key linking back to the subject is retained with the de-identified data.
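Added example (not part of the original slides): a Python sketch of the three transformations in slides 18 and 22-23, plus a check that reports the two mismatch cases from slides 24 and 25. The field names and the sample record are assumptions, and the rules are applied only as the slides state them.

```python
import re

# Hypothetical field names standing in for the slide 22 identifier list.
DIRECT = {"name", "email", "street", "ssn", "mrn", "phone", "fax", "plan_id",
          "account_no", "license_no", "vin", "device_serial", "url", "ip",
          "biometric_id", "photo"}
YEAR_ONLY = re.compile(r"^\d{4}$")

def limited_data_set(rec):
    """Slide 23: drop direct identifiers and street address; city, state,
    zip, event dates, any age and a subject code are permitted."""
    return {k: v for k, v in rec.items() if k not in DIRECT}

def deidentify(rec):
    """Slides 22 and 24: also coarsen dates, geocodes and ages over 89."""
    out = {}
    for k, v in limited_data_set(rec).items():
        if k == "city":
            continue                      # more specific than state / 3-digit zip
        if k.endswith("_date"):
            v = str(v)[:4]                # ISO date string -> year only
        elif k == "zip":
            v = str(v)[:3]
        elif k == "age" and str(v) != "90+" and int(v) > 89:
            v = "90+"
        out[k] = v
    return out

def anonymize(rec):
    """Slide 18: remove identifiers and any code linking back to a person."""
    out = limited_data_set(rec)
    out.pop("subject_code", None)
    return out

def findings(rec):
    """Fields that keep a record from meeting each standard (slides 24, 25)."""
    deid = [k for k in rec if k in DIRECT or k == "city"]
    deid += [k for k, v in rec.items()
             if (k.endswith("_date") and not YEAR_ONLY.match(str(v)))
             or (k == "zip" and len(str(v)) > 3)
             or (k == "age" and str(v) != "90+" and int(v) > 89)]
    anon = [k for k in rec if k in DIRECT or k == "subject_code"]
    return {"not_deidentified": sorted(deid), "not_anonymized": sorted(anon)}

# Constructed sample record, not real patient data.
SAMPLE = {"name": "Pat Example", "mrn": "000000", "street": "1 Example St",
          "city": "Houston", "state": "TX", "zip": "77030",
          "admit_date": "2004-03-15", "age": 93,
          "subject_code": "S-017", "diagnosis": "asthma"}
```

Running `findings` on `deidentify(SAMPLE)` flags only the retained `subject_code` (the slide 25 case), while `findings` on `anonymize(SAMPLE)` flags the full date, city, 5-digit zip and age of 93 (the slide 24 case).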
26. Approach to satisfy both Establish conditions so the identity of a research subject cannot readily be ascertained.
Establish a limited data/sample set and a data/sample use agreement.